Changeset 103255 in webkit for trunk/Source/JavaScriptCore

Timestamp:

Dec 19, 2011, 12:22:31 PM (13 years ago)

Author:

[email protected]

Message:

Unreviewed, rolling out r103250.
​http://trac.webkit.org/changeset/103250
​https://bugs.webkit.org/show_bug.cgi?id=74877

it still breaks codegen (Requested by olliej on #webkit).

Patch by Sheriff Bot <​[email protected]> on 2011-12-19

• dfg/DFGAbstractState.cpp:

(JSC::DFG::AbstractState::execute):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGNode.h:
• dfg/DFGPropagator.cpp:

(JSC::DFG::Propagator::propagateArithNodeFlags):
(JSC::DFG::Propagator::fixupNode):
(JSC::DFG::Propagator::byValIsPure):
(JSC::DFG::Propagator::clobbersWorld):
(JSC::DFG::Propagator::getByValLoadElimination):
(JSC::DFG::Propagator::checkStructureLoadElimination):
(JSC::DFG::Propagator::getByOffsetLoadElimination):
(JSC::DFG::Propagator::getPropertyStorageLoadElimination):
(JSC::DFG::Propagator::getIndexedPropertyStorageLoadElimination):
(JSC::DFG::Propagator::performNodeCSE):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
(JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):

• dfg/DFGSpeculativeJIT.h:
• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGAbstractState.cpp (modified) (2 diffs)
• dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• dfg/DFGNode.h (modified) (2 diffs)
• dfg/DFGPropagator.cpp (modified) (17 diffs)
• dfg/DFGSpeculativeJIT.cpp (modified) (6 diffs)
• dfg/DFGSpeculativeJIT.h (modified) (2 diffs)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (19 diffs)
• dfg/DFGSpeculativeJIT64.cpp (modified) (14 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-12-19  Sheriff Bot  <[email protected]>
+
+        Unreviewed, rolling out r103250.
+        http://trac.webkit.org/changeset/103250
+        https://bugs.webkit.org/show_bug.cgi?id=74877
+
+        it still breaks codegen (Requested by olliej on #webkit).
+
+        * dfg/DFGAbstractState.cpp:
+        (JSC::DFG::AbstractState::execute):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGNode.h:
+        * dfg/DFGPropagator.cpp:
+        (JSC::DFG::Propagator::propagateArithNodeFlags):
+        (JSC::DFG::Propagator::fixupNode):
+        (JSC::DFG::Propagator::byValIsPure):
+        (JSC::DFG::Propagator::clobbersWorld):
+        (JSC::DFG::Propagator::getByValLoadElimination):
+        (JSC::DFG::Propagator::checkStructureLoadElimination):
+        (JSC::DFG::Propagator::getByOffsetLoadElimination):
+        (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
+        (JSC::DFG::Propagator::getIndexedPropertyStorageLoadElimination):
+        (JSC::DFG::Propagator::performNodeCSE):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
+        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
+        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
 2011-12-16  Oliver Hunt  <[email protected]>
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp

@@ -494 +494 @@
     case PutByVal:
     case PutByValAlias: {
-        NodeIndex child1 = m_graph.m_varArgChildren[node.firstChild()];
-        NodeIndex child2 = m_graph.m_varArgChildren[node.firstChild() + 1];
-        NodeIndex child3 = m_graph.m_varArgChildren[node.firstChild() + 2];
-        PredictedType indexPrediction = m_graph[child2].prediction();
+        PredictedType indexPrediction = m_graph[node.child2()].prediction();
         if (!(indexPrediction & PredictInt32) && indexPrediction) {
             clobberStructures(nodeIndex);
@@ -503 +500 @@
             break;
         }
-        if (m_graph[child1].shouldSpeculateByteArray()) {
-            forNode(child1).filter(PredictByteArray);
-            forNode(child2).filter(PredictInt32);
-            forNode(child3).filter(PredictNumber);
-            break;
-        }
-        
-        if (m_graph[child1].shouldSpeculateInt8Array()) {
-            forNode(child1).filter(PredictInt8Array);
-            forNode(child2).filter(PredictInt32);
-            forNode(child3).filter(PredictNumber);
-            break;
-        }
-        if (m_graph[child1].shouldSpeculateInt16Array()) {
-            forNode(child1).filter(PredictInt16Array);
-            forNode(child2).filter(PredictInt32);
-            forNode(child3).filter(PredictNumber);
-            break;
-        }
-        if (m_graph[child1].shouldSpeculateInt32Array()) {
-            forNode(child1).filter(PredictInt32Array);
-            forNode(child2).filter(PredictInt32);
-            forNode(child3).filter(PredictNumber);
-            break;
-        }
-        if (m_graph[child1].shouldSpeculateUint8Array()) {
-            forNode(child1).filter(PredictUint8Array);
-            forNode(child2).filter(PredictInt32);
-            forNode(child3).filter(PredictNumber);
-            break;
-        }
-        if (m_graph[child1].shouldSpeculateUint16Array()) {
-            forNode(child1).filter(PredictUint16Array);
-            forNode(child2).filter(PredictInt32);
-            forNode(child3).filter(PredictNumber);
-            break;
-        }
-        if (m_graph[child1].shouldSpeculateUint32Array()) {
-            forNode(child1).filter(PredictUint32Array);
-            forNode(child2).filter(PredictInt32);
-            forNode(child3).filter(PredictNumber);
-            break;
-        }
-        if (m_graph[child1].shouldSpeculateFloat32Array()) {
-            forNode(child1).filter(PredictFloat32Array);
-            forNode(child2).filter(PredictInt32);
-            forNode(child3).filter(PredictNumber);
-            break;
-        }
-        if (m_graph[child1].shouldSpeculateFloat64Array()) {
-            forNode(child1).filter(PredictFloat64Array);
-            forNode(child2).filter(PredictInt32);
-            forNode(child3).filter(PredictNumber);
-            break;
-        }
-            
-        forNode(child1).filter(PredictArray);
-        forNode(child2).filter(PredictInt32);
+        if (m_graph[node.child1()].shouldSpeculateByteArray()) {
+            forNode(node.child1()).filter(PredictByteArray);
+            forNode(node.child2()).filter(PredictInt32);
+            forNode(node.child3()).filter(PredictNumber);
+            break;
+        }
+        
+        if (m_graph[node.child1()].shouldSpeculateInt8Array()) {
+            forNode(node.child1()).filter(PredictInt8Array);
+            forNode(node.child2()).filter(PredictInt32);
+            forNode(node.child3()).filter(PredictNumber);
+            break;
+        }
+        if (m_graph[node.child1()].shouldSpeculateInt16Array()) {
+            forNode(node.child1()).filter(PredictInt16Array);
+            forNode(node.child2()).filter(PredictInt32);
+            forNode(node.child3()).filter(PredictNumber);
+            break;
+        }
+        if (m_graph[node.child1()].shouldSpeculateInt32Array()) {
+            forNode(node.child1()).filter(PredictInt32Array);
+            forNode(node.child2()).filter(PredictInt32);
+            forNode(node.child3()).filter(PredictNumber);
+            break;
+        }
+        if (m_graph[node.child1()].shouldSpeculateUint8Array()) {
+            forNode(node.child1()).filter(PredictUint8Array);
+            forNode(node.child2()).filter(PredictInt32);
+            forNode(node.child3()).filter(PredictNumber);
+            break;
+        }
+        if (m_graph[node.child1()].shouldSpeculateUint16Array()) {
+            forNode(node.child1()).filter(PredictUint16Array);
+            forNode(node.child2()).filter(PredictInt32);
+            forNode(node.child3()).filter(PredictNumber);
+            break;
+        }
+        if (m_graph[node.child1()].shouldSpeculateUint32Array()) {
+            forNode(node.child1()).filter(PredictUint32Array);
+            forNode(node.child2()).filter(PredictInt32);
+            forNode(node.child3()).filter(PredictNumber);
+            break;
+        }
+        if (m_graph[node.child1()].shouldSpeculateFloat32Array()) {
+            forNode(node.child1()).filter(PredictFloat32Array);
+            forNode(node.child2()).filter(PredictInt32);
+            forNode(node.child3()).filter(PredictNumber);
+            break;
+        }
+        if (m_graph[node.child1()].shouldSpeculateFloat64Array()) {
+            forNode(node.child1()).filter(PredictFloat64Array);
+            forNode(node.child2()).filter(PredictInt32);
+            forNode(node.child3()).filter(PredictNumber);
+            break;
+        }
+            
+        forNode(node.child1()).filter(PredictArray);
+        forNode(node.child2()).filter(PredictInt32);
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -1663 +1663 @@
             NodeIndex property = get(currentInstruction[2].u.operand);
             NodeIndex value = get(currentInstruction[3].u.operand);
-            NodeIndex propertyStorage = addToGraph(GetIndexedPropertyStorage, base, property);
-
-            addVarArgChild(base);
-            addVarArgChild(property);
-            addVarArgChild(value);
-            addVarArgChild(propertyStorage);
-            
-            addToGraph(Node::VarArg, PutByVal, OpInfo(0), OpInfo(0));
+
+            addToGraph(PutByVal, base, property, value);
 
             NEXT_OPCODE(op_put_by_val);

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -227 +227 @@
     /* this must be the directly subsequent property put. */\
     macro(GetByVal, NodeResultJS | NodeMustGenerate | NodeMightClobber) \
-    macro(PutByVal, NodeMustGenerate | NodeClobbersWorld | NodeHasVarArgs) \
-    macro(PutByValAlias, NodeMustGenerate | NodeClobbersWorld | NodeHasVarArgs) \
+    macro(PutByVal, NodeMustGenerate | NodeClobbersWorld) \
+    macro(PutByValAlias, NodeMustGenerate | NodeClobbersWorld) \
     macro(GetById, NodeResultJS | NodeMustGenerate | NodeClobbersWorld) \
     macro(PutById, NodeMustGenerate | NodeClobbersWorld) \
@@ -235 +235 @@
     macro(PutStructure, NodeMustGenerate | NodeClobbersWorld) \
     macro(GetPropertyStorage, NodeResultStorage) \
-    macro(GetIndexedPropertyStorage, NodeResultStorage) \
+    macro(GetIndexedPropertyStorage, NodeMustGenerate | NodeResultStorage) \
     macro(GetByOffset, NodeResultJS) \
     macro(PutByOffset, NodeMustGenerate | NodeClobbersWorld) \

trunk/Source/JavaScriptCore/dfg/DFGPropagator.cpp

@@ -193 +193 @@
             
         case PutByVal: {
-            NodeIndex base = m_graph.m_varArgChildren[node.firstChild()];
-            NodeIndex property = m_graph.m_varArgChildren[node.firstChild() + 1];
-            NodeIndex value = m_graph.m_varArgChildren[node.firstChild() + 2];
-            changed |= m_graph[base].mergeArithNodeFlags(flags | NodeUsedAsNumber | NodeNeedsNegZero);
-            changed |= m_graph[property].mergeArithNodeFlags(flags | NodeUsedAsNumber);
-            changed |= m_graph[value].mergeArithNodeFlags(flags | NodeUsedAsNumber | NodeNeedsNegZero);
+            changed |= m_graph[node.child1()].mergeArithNodeFlags(flags | NodeUsedAsNumber | NodeNeedsNegZero);
+            changed |= m_graph[node.child2()].mergeArithNodeFlags(flags | NodeUsedAsNumber);
+            changed |= m_graph[node.child3()].mergeArithNodeFlags(flags | NodeUsedAsNumber | NodeNeedsNegZero);
             break;
         }
@@ -934 +931 @@
             break;
         }
-        case PutByVal:
-        case PutByValAlias: {
-            NodeIndex storage = m_graph.m_varArgChildren[node.firstChild() + 3];
-            if (m_graph[storage].op == Nop)
-                node.children.variable.numChildren = 3;
-            break;
-        }
-            
         case GetByVal:
         case StringCharAt:
@@ -1097 +1086 @@
     }
     
-    bool byValIndexIsPure(Node& node)
-    {
-        PredictedType prediction = node.prediction();
+    bool byValIsPure(Node& node)
+    {
+        PredictedType prediction = m_graph[node.child2()].prediction();
         return (prediction & PredictInt32) || !prediction;
     }
@@ -1121 +1110 @@
             return !logicalNotIsPure(node);
         case GetByVal:
-            return !byValIndexIsPure(m_graph[node.child2()]);
+            return !byValIsPure(node);
         default:
             ASSERT_NOT_REACHED();
@@ -1191 +1180 @@
             switch (node.op) {
             case GetByVal:
-                if (!byValIndexIsPure(m_graph[node.child2()]))
+                if (!byValIsPure(node))
                     return NoNode;
                 if (node.child1() == child1 && canonicalize(node.child2()) == canonicalize(child2))
@@ -1197 +1186 @@
                 break;
             case PutByVal:
-            case PutByValAlias: {
-                
-                NodeIndex base = m_graph.m_varArgChildren[node.firstChild()];
-                    NodeIndex property = m_graph.m_varArgChildren[node.firstChild() + 1];
-                if (!byValIndexIsPure(m_graph[property]))
+            case PutByValAlias:
+                if (!byValIsPure(node))
                     return NoNode;
-                if (base == child1 && canonicalize(property) == canonicalize(child2))
-                    return m_graph.m_varArgChildren[node.firstChild() + 2];
+                if (node.child1() == child1 && canonicalize(node.child2()) == canonicalize(child2))
+                    return node.child3();
                 // We must assume that the PutByVal will clobber the location we're getting from.
                 // FIXME: We can do better; if we know that the PutByVal is accessing an array of a
                 // different type than the GetByVal, then we know that they won't clobber each other.
                 return NoNode;
-            }
             case PutStructure:
             case PutByOffset:
@@ -1265 +1250 @@
                 
             case PutByVal:
-            case PutByValAlias: {
-                NodeIndex property = m_graph.m_varArgChildren[node.firstChild() + 1];
-                if (byValIndexIsPure(m_graph[property])) {
+            case PutByValAlias:
+                if (byValIsPure(node)) {
                     // If PutByVal speculates that it's accessing an array with an
                     // integer index, then it's impossible for it to cause a structure
@@ -1274 +1258 @@
                 }
                 return false;
-            }
-
+                
             default:
                 if (clobbersWorld(index))
@@ -1310 +1293 @@
                 
             case PutByVal:
-            case PutByValAlias: {
-                NodeIndex property = m_graph.m_varArgChildren[node.firstChild() + 1];
-                if (byValIndexIsPure(m_graph[property])) {
+            case PutByValAlias:
+                if (byValIsPure(node)) {
                     // If PutByVal speculates that it's accessing an array with an
                     // integer index, then it's impossible for it to cause a structure
@@ -1319 +1301 @@
                 }
                 return NoNode;
-            }
-
+                
             default:
                 if (clobbersWorld(index))
@@ -1348 +1329 @@
                 
             case PutByVal:
-            case PutByValAlias: {
-                NodeIndex property = m_graph.m_varArgChildren[node.firstChild() + 1];
-                if (byValIndexIsPure(m_graph[property])) {
+            case PutByValAlias:
+                if (byValIsPure(node)) {
                     // If PutByVal speculates that it's accessing an array with an
                     // integer index, then it's impossible for it to cause a structure
@@ -1357 +1337 @@
                 }
                 return NoNode;
-            }
-
+                
             default:
                 if (clobbersWorld(index))
@@ -1368 +1347 @@
     }
 
-    NodeIndex getIndexedPropertyStorageLoadElimination(NodeIndex child1)
+    NodeIndex getIndexedPropertyStorageLoadElimination(NodeIndex child1, bool hasIntegerIndexPrediction)
     {
         NodeIndex start = startIndexForChildren(child1);
@@ -1377 +1356 @@
                 PredictedType basePrediction = m_graph[node.child2()].prediction();
                 bool nodeHasIntegerIndexPrediction = !(!(basePrediction & PredictInt32) && basePrediction);
-                if (node.child1() == child1 && nodeHasIntegerIndexPrediction)
+                if (node.child1() == child1 && hasIntegerIndexPrediction == nodeHasIntegerIndexPrediction)
                     return index;
                 break;
@@ -1392 +1371 @@
                 break;
                 
-            case PutByVal: {
-                NodeIndex base = m_graph.m_varArgChildren[node.firstChild()];
-                NodeIndex property = m_graph.m_varArgChildren[node.firstChild() + 1];
-                if (isFixedIndexedStorageObjectPrediction(m_graph[base].prediction()) && byValIndexIsPure(m_graph[property]))
+            case PutByVal:
+                if (isFixedIndexedStorageObjectPrediction(m_graph[node.child1()].prediction()) && byValIsPure(node))
                     break;
                 return NoNode;
-            }
 
             default:
@@ -1579 +1555 @@
             
         case GetByVal:
-            if (byValIndexIsPure(m_graph[node.child2()]))
+            if (byValIsPure(node))
                 setReplacement(getByValLoadElimination(node.child1(), node.child2()));
             break;
             
-        case PutByVal: {
-            NodeIndex base = m_graph.m_varArgChildren[node.firstChild()];
-            NodeIndex property = m_graph.m_varArgChildren[node.firstChild() + 1];
-            if (byValIndexIsPure(m_graph[property]) && getByValLoadElimination(base, property) != NoNode)
+        case PutByVal:
+            if (byValIsPure(node) && getByValLoadElimination(node.child1(), node.child2()) != NoNode)
                 node.op = PutByValAlias;
             break;
-        }
             
         case CheckStructure:
@@ -1604 +1577 @@
             PredictedType basePrediction = m_graph[node.child2()].prediction();
             bool nodeHasIntegerIndexPrediction = !(!(basePrediction & PredictInt32) && basePrediction);
-            if (nodeHasIntegerIndexPrediction)
-                setReplacement(getIndexedPropertyStorageLoadElimination(node.child1()));
+            setReplacement(getIndexedPropertyStorageLoadElimination(node.child1(), nodeHasIntegerIndexPrediction));
             break;
         }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -1554 +1554 @@
 }
 
-void SpeculativeJIT::compilePutByValForByteArray(Node& node)
-{
-    NodeIndex baseIndex = m_jit.graph().m_varArgChildren[node.firstChild()];
-    NodeIndex propertyIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 1];
-    NodeIndex valueIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 2];
-    NodeIndex storageIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 3];
-    
-    if (!isByteArrayPrediction(m_state.forNode(baseIndex).m_type)) {
-        SpeculateCellOperand base(this, baseIndex);
-        speculationCheck(BadType, JSValueSource::unboxedCell(base.gpr()), baseIndex, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(base.gpr(), JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(&JSByteArray::s_info)));
-    }
+void SpeculativeJIT::compilePutByValForByteArray(GPRReg base, GPRReg property, Node& node)
+{
+    NodeIndex baseIndex = node.child1();
+    NodeIndex valueIndex = node.child3();
+    
+    if (!isByteArrayPrediction(m_state.forNode(baseIndex).m_type))
+        speculationCheck(BadType, JSValueSource::unboxedCell(base), baseIndex, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(base, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(&JSByteArray::s_info)));
     GPRTemporary value;
     GPRReg valueGPR;
@@ -1611 +1607 @@
         valueGPR = gpr;
     }
-    StorageOperand storage(this, storageIndex);
-    SpeculateIntegerOperand property(this, propertyIndex);
+    ASSERT_UNUSED(valueGPR, valueGPR != property);
+    ASSERT(valueGPR != base);
+    GPRTemporary storage(this);
     GPRReg storageReg = storage.gpr();
-    MacroAssembler::Jump outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, property.gpr(), MacroAssembler::Address(storageReg, ByteArray::offsetOfSize()));
-    m_jit.store8(value.gpr(), MacroAssembler::BaseIndex(storageReg, property.gpr(), MacroAssembler::TimesOne, ByteArray::offsetOfData()));
+    ASSERT(valueGPR != storageReg);
+    m_jit.loadPtr(MacroAssembler::Address(base, JSByteArray::offsetOfStorage()), storageReg);
+    MacroAssembler::Jump outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, property, MacroAssembler::Address(storageReg, ByteArray::offsetOfSize()));
+    m_jit.store8(value.gpr(), MacroAssembler::BaseIndex(storageReg, property, MacroAssembler::TimesOne, ByteArray::offsetOfData()));
     outOfBounds.link(&m_jit);
     noResult(m_compileIndex);
@@ -1712 +1711 @@
 }
 
-void SpeculativeJIT::compilePutByValForIntTypedArray(const TypedArrayDescriptor& descriptor, Node& node, size_t elementSize, TypedArraySpeculationRequirements speculationRequirements, TypedArraySignedness signedness)
-{
-    NodeIndex baseIndex = m_jit.graph().m_varArgChildren[node.firstChild()];
-    NodeIndex propertyIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 1];
-    NodeIndex valueIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 2];
-    NodeIndex storageIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 3];
-
-    if (speculationRequirements != NoTypedArrayTypeSpecCheck) {
-        SpeculateCellOperand base(this, baseIndex);
-        speculationCheck(BadType, JSValueSource::unboxedCell(base.gpr()), baseIndex, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(base.gpr()), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
-    }
-    
-    StorageOperand storage(this, storageIndex);
-    GPRReg storageReg = storage.gpr();
-    SpeculateIntegerOperand property(this, propertyIndex);
-    GPRReg propertyReg = property.gpr();
-    MacroAssembler::Jump outOfBounds;
-    if (speculationRequirements != NoTypedArrayTypeSpecCheck || speculationRequirements != NoTypedArraySpecCheck) {
-        SpeculateCellOperand base(this, baseIndex);
-        if (speculationRequirements != NoTypedArrayTypeSpecCheck)
-            speculationCheck(BadType, JSValueSource::unboxedCell(base.gpr()), baseIndex, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(base.gpr(), JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
-        if (speculationRequirements != NoTypedArraySpecCheck)
-            outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(base.gpr(), descriptor.m_lengthOffset));
-    }
+void SpeculativeJIT::compilePutByValForIntTypedArray(const TypedArrayDescriptor& descriptor, GPRReg base, GPRReg property, Node& node, size_t elementSize, TypedArraySpeculationRequirements speculationRequirements, TypedArraySignedness signedness)
+{
+    NodeIndex baseIndex = node.child1();
+    NodeIndex valueIndex = node.child3();
+    
+    if (speculationRequirements != NoTypedArrayTypeSpecCheck)
+        speculationCheck(BadType, JSValueSource::unboxedCell(base), baseIndex, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(base, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
     GPRTemporary value;
     GPRReg valueGPR;
@@ -1777 +1759 @@
         valueGPR = gpr;
     }
+    ASSERT_UNUSED(valueGPR, valueGPR != property);
+    ASSERT(valueGPR != base);
+    GPRTemporary storage(this);
+    GPRReg storageReg = storage.gpr();
+    ASSERT(valueGPR != storageReg);
+    m_jit.loadPtr(MacroAssembler::Address(base, descriptor.m_storageOffset), storageReg);
+    MacroAssembler::Jump outOfBounds;
+    if (speculationRequirements != NoTypedArraySpecCheck)
+        outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, property, MacroAssembler::Address(base, descriptor.m_lengthOffset));
 
     switch (elementSize) {
     case 1:
-        m_jit.store8(value.gpr(), MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesOne));
+        m_jit.store8(value.gpr(), MacroAssembler::BaseIndex(storageReg, property, MacroAssembler::TimesOne));
         break;
     case 2:
-        m_jit.store16(value.gpr(), MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesTwo));
+        m_jit.store16(value.gpr(), MacroAssembler::BaseIndex(storageReg, property, MacroAssembler::TimesTwo));
         break;
     case 4:
-        m_jit.store32(value.gpr(), MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesFour));
+        m_jit.store32(value.gpr(), MacroAssembler::BaseIndex(storageReg, property, MacroAssembler::TimesFour));
         break;
     default:
@@ -1841 +1832 @@
 }
 
-void SpeculativeJIT::compilePutByValForFloatTypedArray(const TypedArrayDescriptor& descriptor, Node& node, size_t elementSize, TypedArraySpeculationRequirements speculationRequirements)
-{
-    NodeIndex baseIndex = m_jit.graph().m_varArgChildren[node.firstChild()];
-    NodeIndex propertyIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 1];
-    NodeIndex valueIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 2];
-    NodeIndex storageIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 3];
+void SpeculativeJIT::compilePutByValForFloatTypedArray(const TypedArrayDescriptor& descriptor, GPRReg base, GPRReg property, Node& node, size_t elementSize, TypedArraySpeculationRequirements speculationRequirements)
+{
+    NodeIndex baseIndex = node.child1();
+    NodeIndex valueIndex = node.child3();
     
     SpeculateDoubleOperand valueOp(this, valueIndex);
-    SpeculateStrictInt32Operand property(this, propertyIndex);
-    StorageOperand storage(this, storageIndex);
+    
+    if (speculationRequirements != NoTypedArrayTypeSpecCheck)
+        speculationCheck(BadType, JSValueSource::unboxedCell(base), baseIndex, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(base, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
+    
+    GPRTemporary result(this);
+    
+    GPRTemporary storage(this);
     GPRReg storageReg = storage.gpr();
-    GPRReg propertyReg = property.gpr();
-    
+    
+    m_jit.loadPtr(MacroAssembler::Address(base, descriptor.m_storageOffset), storageReg);
     MacroAssembler::Jump outOfBounds;
-    if (speculationRequirements != NoTypedArrayTypeSpecCheck || speculationRequirements != NoTypedArraySpecCheck) {
-        SpeculateCellOperand base(this, baseIndex);
-        if (speculationRequirements != NoTypedArrayTypeSpecCheck)
-            speculationCheck(BadType, JSValueSource::unboxedCell(base.gpr()), baseIndex, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(base.gpr(), JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
-        if (speculationRequirements != NoTypedArraySpecCheck)
-            outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(base.gpr(), descriptor.m_lengthOffset));
-    }
-    
-
+    if (speculationRequirements != NoTypedArraySpecCheck)
+        outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, property, MacroAssembler::Address(base, descriptor.m_lengthOffset));
     
     switch (elementSize) {
@@ -1870 +1857 @@
         m_jit.moveDouble(valueOp.fpr(), scratch.fpr());
         m_jit.convertDoubleToFloat(valueOp.fpr(), scratch.fpr());
-        m_jit.storeFloat(scratch.fpr(), MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesFour));
+        m_jit.storeFloat(scratch.fpr(), MacroAssembler::BaseIndex(storageReg, property, MacroAssembler::TimesFour));
         break;
     }
     case 8:
-        m_jit.storeDouble(valueOp.fpr(), MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight));
+        m_jit.storeDouble(valueOp.fpr(), MacroAssembler::BaseIndex(storageReg, property, MacroAssembler::TimesEight));
         break;
     default:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1971 +1971 @@
     void compileUInt32ToNumber(Node&);
     void compileGetByValOnByteArray(Node&);
-    void compilePutByValForByteArray(Node&);
+    void compilePutByValForByteArray(GPRReg base, GPRReg property, Node&);
     void compileArithMul(Node&);
     void compileArithMod(Node&);
@@ -1987 +1987 @@
     void compileGetIndexedPropertyStorage(Node&);
     void compileGetByValOnIntTypedArray(const TypedArrayDescriptor&, Node&, size_t elementSize, TypedArraySpeculationRequirements, TypedArraySignedness);
-    void compilePutByValForIntTypedArray(const TypedArrayDescriptor&, Node&, size_t elementSize, TypedArraySpeculationRequirements, TypedArraySignedness);
+    void compilePutByValForIntTypedArray(const TypedArrayDescriptor&, GPRReg base, GPRReg property, Node&, size_t elementSize, TypedArraySpeculationRequirements, TypedArraySignedness);
     void compileGetByValOnFloatTypedArray(const TypedArrayDescriptor&, Node&, size_t elementSize, TypedArraySpeculationRequirements);
-    void compilePutByValForFloatTypedArray(const TypedArrayDescriptor&, Node&, size_t elementSize, TypedArraySpeculationRequirements);
+    void compilePutByValForFloatTypedArray(const TypedArrayDescriptor&, GPRReg base, GPRReg property, Node&, size_t elementSize, TypedArraySpeculationRequirements);
     
     // It is acceptable to have structure be equal to scratch, so long as you're fine

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -2694 +2694 @@
 
     case PutByVal: {
-        NodeIndex child1 = m_jit.graph().m_varArgChildren[node.firstChild()];
-        NodeIndex child2 = m_jit.graph().m_varArgChildren[node.firstChild() + 1];
-        NodeIndex child3 = m_jit.graph().m_varArgChildren[node.firstChild() + 2];
-        NodeIndex child4 = m_jit.graph().m_varArgChildren[node.firstChild() + 3];
-
-        PredictedType basePrediction = at(child2).prediction();
+        PredictedType basePrediction = at(node.child2()).prediction();
         if (!(basePrediction & PredictInt32) && basePrediction) {
-            SpeculateCellOperand base(this, child1); // Save a register, speculate cell. We'll probably be right.
-            JSValueOperand property(this, child2);
-            JSValueOperand value(this, child3);
+            SpeculateCellOperand base(this, node.child1()); // Save a register, speculate cell. We'll probably be right.
+            JSValueOperand property(this, node.child2());
+            JSValueOperand value(this, node.child3());
             GPRReg baseGPR = base.gpr();
             GPRReg propertyTagGPR = property.tagGPR();
@@ -2717 +2712 @@
         }
 
-        if (at(child1).shouldSpeculateByteArray()) {
-            compilePutByValForByteArray(node);
+        SpeculateCellOperand base(this, node.child1());
+        SpeculateStrictInt32Operand property(this, node.child2());
+        if (at(node.child1()).shouldSpeculateByteArray()) {
+            compilePutByValForByteArray(base.gpr(), property.gpr(), node);
             break;
         }
-        
-        if (at(child1).shouldSpeculateInt8Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->int8ArrayDescriptor(), node, sizeof(int8_t), isInt8ArrayPrediction(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
+        if (at(node.child1()).shouldSpeculateByteArray()) {
+            compilePutByValForByteArray(base.gpr(), property.gpr(), node);
+            break;
+        }
+        
+        if (at(node.child1()).shouldSpeculateInt8Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->int8ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int8_t), isInt8ArrayPrediction(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
             if (!m_compileOkay)
                 return;
@@ -2729 +2730 @@
         }
         
-        if (at(child1).shouldSpeculateInt16Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->int16ArrayDescriptor(), node, sizeof(int16_t), isInt16ArrayPrediction(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
+        if (at(node.child1()).shouldSpeculateInt16Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->int16ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int16_t), isInt16ArrayPrediction(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
             if (!m_compileOkay)
                 return;
@@ -2736 +2737 @@
         }
         
-        if (at(child1).shouldSpeculateInt32Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->int32ArrayDescriptor(), node, sizeof(int32_t), isInt32ArrayPrediction(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
+        if (at(node.child1()).shouldSpeculateInt32Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->int32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int32_t), isInt32ArrayPrediction(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
             if (!m_compileOkay)
                 return;
@@ -2743 +2744 @@
         }
         
-        if (at(child1).shouldSpeculateUint8Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->uint8ArrayDescriptor(), node, sizeof(uint8_t), isUint8ArrayPrediction(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
+        if (at(node.child1()).shouldSpeculateUint8Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->uint8ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint8_t), isUint8ArrayPrediction(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
             if (!m_compileOkay)
                 return;
@@ -2750 +2751 @@
         }
         
-        if (at(child1).shouldSpeculateUint16Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->uint16ArrayDescriptor(), node, sizeof(uint16_t), isUint16ArrayPrediction(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
+        if (at(node.child1()).shouldSpeculateUint16Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->uint16ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint16_t), isUint16ArrayPrediction(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
             if (!m_compileOkay)
                 return;
@@ -2757 +2758 @@
         }
         
-        if (at(child1).shouldSpeculateUint32Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->uint32ArrayDescriptor(), node, sizeof(uint32_t), isUint32ArrayPrediction(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
+        if (at(node.child1()).shouldSpeculateUint32Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->uint32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint32_t), isUint32ArrayPrediction(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
             if (!m_compileOkay)
                 return;
@@ -2764 +2765 @@
         }
         
-        if (at(child1).shouldSpeculateFloat32Array()) {
-            compilePutByValForFloatTypedArray(m_jit.globalData()->float32ArrayDescriptor(), node, sizeof(float), isFloat32ArrayPrediction(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks);
+        if (at(node.child1()).shouldSpeculateFloat32Array()) {
+            compilePutByValForFloatTypedArray(m_jit.globalData()->float32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(float), isFloat32ArrayPrediction(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks);
             if (!m_compileOkay)
                 return;
@@ -2771 +2772 @@
         }
         
-        if (at(child1).shouldSpeculateFloat64Array()) {
-            compilePutByValForFloatTypedArray(m_jit.globalData()->float64ArrayDescriptor(), node, sizeof(double), isFloat64ArrayPrediction(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks);
+        if (at(node.child1()).shouldSpeculateFloat64Array()) {
+            compilePutByValForFloatTypedArray(m_jit.globalData()->float64ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(double), isFloat64ArrayPrediction(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks);
             if (!m_compileOkay)
                 return;
@@ -2778 +2779 @@
         }
 
-        SpeculateCellOperand base(this, child1);
-        SpeculateStrictInt32Operand property(this, child2);
-        JSValueOperand value(this, child3);
+        JSValueOperand value(this, node.child3());
+        GPRTemporary scratch(this);
 
         // Map base, property & value into registers, allocate a scratch register.
@@ -2787 +2787 @@
         GPRReg valueTagReg = value.tagGPR();
         GPRReg valuePayloadReg = value.payloadGPR();
+        GPRReg scratchReg = scratch.gpr();
         
         if (!m_compileOkay)
             return;
-
-        {
-            GPRTemporary scratch(this);
-            writeBarrier(baseReg, valueTagReg, child3, WriteBarrierForPropertyAccess, scratch.gpr());
-        }
+        
+        writeBarrier(baseReg, valueTagReg, node.child3(), WriteBarrierForPropertyAccess, scratchReg);
 
         // Check that base is an array, and that property is contained within m_vector (< m_vectorLength).
         // If we have predicted the base to be type array, we can skip the check.
-        if (!isArrayPrediction(m_state.forNode(child1).m_type))
-            speculationCheck(BadType, JSValueSource::unboxedCell(baseReg), child1, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(&JSArray::s_info)));
-
-        StorageOperand storage(this, child4);
-        GPRReg storageReg = storage.gpr();
+        if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
+            speculationCheck(BadType, JSValueSource::unboxedCell(baseReg), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(&JSArray::s_info)));
 
         base.use();
         property.use();
         value.use();
-        storage.use();
         
         MacroAssembler::Jump withinArrayBounds = m_jit.branch32(MacroAssembler::Below, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset()));
 
         // Code to handle put beyond array bounds.
-        silentSpillAllRegisters(InvalidGPRReg);
+        silentSpillAllRegisters(scratchReg);
         callOperation(operationPutByValBeyondArrayBounds, baseReg, propertyReg, valueTagReg, valuePayloadReg);
-        silentFillAllRegisters(InvalidGPRReg);
+        silentFillAllRegisters(scratchReg);
         JITCompiler::Jump wasBeyondArrayBounds = m_jit.jump();
 
         withinArrayBounds.link(&m_jit);
+
+        // Get the array storage.
+        GPRReg storageReg = scratchReg;
+        m_jit.loadPtr(MacroAssembler::Address(baseReg, JSArray::storageOffset()), storageReg);
 
         // Check if we're writing to a hole; if so increment m_numValuesInVector.
@@ -2843 +2841 @@
 
     case PutByValAlias: {
-        NodeIndex child1 = m_jit.graph().m_varArgChildren[node.firstChild()];
-        NodeIndex child2 = m_jit.graph().m_varArgChildren[node.firstChild() + 1];
-        NodeIndex child3 = m_jit.graph().m_varArgChildren[node.firstChild() + 2];
-        NodeIndex child4 = m_jit.graph().m_varArgChildren[node.firstChild() + 3];
-
-        if (at(child1).shouldSpeculateByteArray()) {
-            compilePutByValForByteArray(node);
+        SpeculateCellOperand base(this, node.child1());
+        SpeculateStrictInt32Operand property(this, node.child2());
+
+        if (at(node.child1()).shouldSpeculateByteArray()) {
+            compilePutByValForByteArray(base.gpr(), property.gpr(), node);
             break;
         }
         
-        if (at(child1).shouldSpeculateInt8Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->int8ArrayDescriptor(), node, sizeof(int8_t), NoTypedArraySpecCheck, SignedTypedArray);
+        if (at(node.child1()).shouldSpeculateInt8Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->int8ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int8_t), NoTypedArraySpecCheck, SignedTypedArray);
             if (!m_compileOkay)
                 return;
@@ -2860 +2856 @@
         }
         
-        if (at(child1).shouldSpeculateInt16Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->int16ArrayDescriptor(), node, sizeof(int16_t), NoTypedArraySpecCheck, SignedTypedArray);
+        if (at(node.child1()).shouldSpeculateInt16Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->int16ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int16_t), NoTypedArraySpecCheck, SignedTypedArray);
             if (!m_compileOkay)
                 return;
@@ -2867 +2863 @@
         }
         
-        if (at(child1).shouldSpeculateInt32Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->int32ArrayDescriptor(), node, sizeof(int32_t), NoTypedArraySpecCheck, SignedTypedArray);
+        if (at(node.child1()).shouldSpeculateInt32Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->int32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int32_t), NoTypedArraySpecCheck, SignedTypedArray);
             if (!m_compileOkay)
                 return;
@@ -2874 +2870 @@
         }
         
-        if (at(child1).shouldSpeculateUint8Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->uint8ArrayDescriptor(), node, sizeof(uint8_t), NoTypedArraySpecCheck, UnsignedTypedArray);
+        if (at(node.child1()).shouldSpeculateUint8Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->uint8ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint8_t), NoTypedArraySpecCheck, UnsignedTypedArray);
             if (!m_compileOkay)
                 return;
@@ -2881 +2877 @@
         }
         
-        if (at(child1).shouldSpeculateUint16Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->uint16ArrayDescriptor(), node, sizeof(uint16_t), NoTypedArraySpecCheck, UnsignedTypedArray);
+        if (at(node.child1()).shouldSpeculateUint16Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->uint16ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint16_t), NoTypedArraySpecCheck, UnsignedTypedArray);
             if (!m_compileOkay)
                 return;
@@ -2888 +2884 @@
         }
         
-        if (at(child1).shouldSpeculateUint32Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->uint32ArrayDescriptor(), node, sizeof(uint32_t), NoTypedArraySpecCheck, UnsignedTypedArray);
+        if (at(node.child1()).shouldSpeculateUint32Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->uint32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint32_t), NoTypedArraySpecCheck, UnsignedTypedArray);
             if (!m_compileOkay)
                 return;
@@ -2895 +2891 @@
         }
         
-        if (at(child1).shouldSpeculateFloat32Array()) {
-            compilePutByValForFloatTypedArray(m_jit.globalData()->float32ArrayDescriptor(), node, sizeof(float), NoTypedArraySpecCheck);
+        if (at(node.child1()).shouldSpeculateFloat32Array()) {
+            compilePutByValForFloatTypedArray(m_jit.globalData()->float32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(float), NoTypedArraySpecCheck);
             if (!m_compileOkay)
                 return;
@@ -2902 +2898 @@
         }
         
-        if (at(child1).shouldSpeculateFloat64Array()) {
-            compilePutByValForFloatTypedArray(m_jit.globalData()->float64ArrayDescriptor(), node, sizeof(double), NoTypedArraySpecCheck);
+        if (at(node.child1()).shouldSpeculateFloat64Array()) {
+            compilePutByValForFloatTypedArray(m_jit.globalData()->float64ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(double), NoTypedArraySpecCheck);
             if (!m_compileOkay)
                 return;
             break;            
         }
-        
-        JSValueOperand value(this, child3);
-        {
-            SpeculateCellOperand base(this, child1);
-            GPRTemporary scratch(this, base);
-            GPRReg baseReg = base.gpr();
-            GPRReg scratchReg = scratch.gpr();
-            writeBarrier(baseReg, value.tagGPR(), child3, WriteBarrierForPropertyAccess, scratchReg);
-        }
-    
-        SpeculateStrictInt32Operand property(this, child2);
-        StorageOperand storage(this, child4);
+
+        JSValueOperand value(this, node.child3());
+        GPRTemporary scratch(this, base);
+        
+        GPRReg baseReg = base.gpr();
+        GPRReg scratchReg = scratch.gpr();
+
+        writeBarrier(baseReg, value.tagGPR(), node.child3(), WriteBarrierForPropertyAccess, scratchReg);
+
+        // Get the array storage.
+        GPRReg storageReg = scratchReg;
+        m_jit.loadPtr(MacroAssembler::Address(baseReg, JSArray::storageOffset()), storageReg);
+
         // Store the value to the array.
         GPRReg propertyReg = property.gpr();
-        m_jit.store32(value.tagGPR(), MacroAssembler::BaseIndex(storage.gpr(), propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
-        m_jit.store32(value.payloadGPR(), MacroAssembler::BaseIndex(storage.gpr(), propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.payload)));
+        m_jit.store32(value.tagGPR(), MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
+        m_jit.store32(value.payloadGPR(), MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.payload)));
 
         noResult(m_compileIndex);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -2598 +2598 @@
             break;
         }
-        ASSERT(node.child3() != NoNode);
+        
         if (at(node.child1()).prediction() == PredictString) {
             compileGetByValOnString(node);
@@ -2696 +2696 @@
 
     case PutByVal: {
-        NodeIndex child1 = m_jit.graph().m_varArgChildren[node.firstChild()];
-        NodeIndex child2 = m_jit.graph().m_varArgChildren[node.firstChild() + 1];
-        NodeIndex child3 = m_jit.graph().m_varArgChildren[node.firstChild() + 2];
-
-        PredictedType basePrediction = at(child2).prediction();
+        PredictedType basePrediction = at(node.child2()).prediction();
         if (!(basePrediction & PredictInt32) && basePrediction) {
-            JSValueOperand arg1(this, child1);
-            JSValueOperand arg2(this, child2);
-            JSValueOperand arg3(this, child3);
+            JSValueOperand arg1(this, node.child1());
+            JSValueOperand arg2(this, node.child2());
+            JSValueOperand arg3(this, node.child3());
             GPRReg arg1GPR = arg1.gpr();
             GPRReg arg2GPR = arg2.gpr();
@@ -2716 +2712 @@
         }
 
-        if (at(child1).shouldSpeculateByteArray()) {
-            compilePutByValForByteArray(node);
+        SpeculateCellOperand base(this, node.child1());
+        SpeculateStrictInt32Operand property(this, node.child2());
+        if (at(node.child1()).shouldSpeculateByteArray()) {
+            compilePutByValForByteArray(base.gpr(), property.gpr(), node);
             break;
         }
         
-        if (at(child1).shouldSpeculateInt8Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->int8ArrayDescriptor(), node, sizeof(int8_t), isInt8ArrayPrediction(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
+        if (at(node.child1()).shouldSpeculateInt8Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->int8ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int8_t), isInt8ArrayPrediction(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
             if (!m_compileOkay)
                 return;
@@ -2728 +2726 @@
         }
         
-        if (at(child1).shouldSpeculateInt16Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->int16ArrayDescriptor(), node, sizeof(int16_t), isInt16ArrayPrediction(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
+        if (at(node.child1()).shouldSpeculateInt16Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->int16ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int16_t), isInt16ArrayPrediction(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
             if (!m_compileOkay)
                 return;
@@ -2735 +2733 @@
         }
 
-        if (at(child1).shouldSpeculateInt32Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->int32ArrayDescriptor(), node, sizeof(int32_t), isInt32ArrayPrediction(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
+        if (at(node.child1()).shouldSpeculateInt32Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->int32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int32_t), isInt32ArrayPrediction(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, SignedTypedArray);
             if (!m_compileOkay)
                 return;
@@ -2742 +2740 @@
         }
         
-        if (at(child1).shouldSpeculateUint8Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->uint8ArrayDescriptor(), node, sizeof(uint8_t), isUint8ArrayPrediction(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
+        if (at(node.child1()).shouldSpeculateUint8Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->uint8ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint8_t), isUint8ArrayPrediction(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
             if (!m_compileOkay)
                 return;
@@ -2749 +2747 @@
         }
         
-        if (at(child1).shouldSpeculateUint16Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->uint16ArrayDescriptor(), node, sizeof(uint16_t), isUint16ArrayPrediction(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
+        if (at(node.child1()).shouldSpeculateUint16Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->uint16ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint16_t), isUint16ArrayPrediction(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
             if (!m_compileOkay)
                 return;
@@ -2756 +2754 @@
         }
         
-        if (at(child1).shouldSpeculateUint32Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->uint32ArrayDescriptor(), node, sizeof(uint32_t), isUint32ArrayPrediction(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
+        if (at(node.child1()).shouldSpeculateUint32Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->uint32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint32_t), isUint32ArrayPrediction(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks, UnsignedTypedArray);
             if (!m_compileOkay)
                 return;
@@ -2763 +2761 @@
         }
         
-        if (at(child1).shouldSpeculateFloat32Array()) {
-            compilePutByValForFloatTypedArray(m_jit.globalData()->float32ArrayDescriptor(), node, sizeof(float), isFloat32ArrayPrediction(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks);
+        if (at(node.child1()).shouldSpeculateFloat32Array()) {
+            compilePutByValForFloatTypedArray(m_jit.globalData()->float32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(float), isFloat32ArrayPrediction(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks);
             if (!m_compileOkay)
                 return;
@@ -2770 +2768 @@
         }
         
-        if (at(child1).shouldSpeculateFloat64Array()) {
-            compilePutByValForFloatTypedArray(m_jit.globalData()->float64ArrayDescriptor(), node, sizeof(double), isFloat64ArrayPrediction(m_state.forNode(child1).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks);
+        if (at(node.child1()).shouldSpeculateFloat64Array()) {
+            compilePutByValForFloatTypedArray(m_jit.globalData()->float64ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(double), isFloat64ArrayPrediction(m_state.forNode(node.child1()).m_type) ? NoTypedArrayTypeSpecCheck : AllTypedArraySpecChecks);
             if (!m_compileOkay)
                 return;
             break;            
         }
-        
-        SpeculateCellOperand base(this, child1);
-        SpeculateStrictInt32Operand property(this, child2);
-        JSValueOperand value(this, child3);
-        NodeIndex child4 = m_jit.graph().m_varArgChildren[node.firstChild() + 3];
-        StorageOperand storage(this, child4);
+
+        JSValueOperand value(this, node.child3());
         GPRTemporary scratch(this);
-        
+
         // Map base, property & value into registers, allocate a scratch register.
         GPRReg baseReg = base.gpr();
         GPRReg propertyReg = property.gpr();
         GPRReg valueReg = value.gpr();
-        GPRReg storageReg = storage.gpr();
         GPRReg scratchReg = scratch.gpr();
         
@@ -2794 +2787 @@
             return;
         
-        writeBarrier(baseReg, value.gpr(), child3, WriteBarrierForPropertyAccess, scratchReg);
+        writeBarrier(baseReg, value.gpr(), node.child3(), WriteBarrierForPropertyAccess, scratchReg);
 
         // Check that base is an array, and that property is contained within m_vector (< m_vectorLength).
         // If we have predicted the base to be type array, we can skip the check.
-        if (!isArrayPrediction(m_state.forNode(child1).m_type))
-            speculationCheck(BadType, JSValueRegs(baseReg), child1, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(&JSArray::s_info)));
+        if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
+            speculationCheck(BadType, JSValueRegs(baseReg), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(&JSArray::s_info)));
 
         base.use();
         property.use();
         value.use();
-        storage.use();
-
+        
         MacroAssembler::Jump withinArrayBounds = m_jit.branch32(MacroAssembler::Below, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset()));
 
@@ -2816 +2808 @@
         withinArrayBounds.link(&m_jit);
 
+        // Get the array storage.
+        GPRReg storageReg = scratchReg;
+        m_jit.loadPtr(MacroAssembler::Address(baseReg, JSArray::storageOffset()), storageReg);
+
         // Check if we're writing to a hole; if so increment m_numValuesInVector.
         MacroAssembler::Jump notHoleValue = m_jit.branchTestPtr(MacroAssembler::NonZero, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::ScalePtr, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])));
@@ -2839 +2835 @@
 
     case PutByValAlias: {
-        NodeIndex child1 = m_jit.graph().m_varArgChildren[node.firstChild()];
-        NodeIndex child2 = m_jit.graph().m_varArgChildren[node.firstChild() + 1];
-        NodeIndex child3 = m_jit.graph().m_varArgChildren[node.firstChild() + 2];
-        NodeIndex child4 = m_jit.graph().m_varArgChildren[node.firstChild() + 3];
-
-        PredictedType basePrediction = at(child2).prediction();
+        PredictedType basePrediction = at(node.child2()).prediction();
         ASSERT_UNUSED(basePrediction, (basePrediction & PredictInt32) || !basePrediction);
 
-        if (at(child1).shouldSpeculateByteArray()) {
-            compilePutByValForByteArray(node);
+        SpeculateCellOperand base(this, node.child1());
+        SpeculateStrictInt32Operand property(this, node.child2());
+        if (at(node.child1()).shouldSpeculateByteArray()) {
+            compilePutByValForByteArray(base.gpr(), property.gpr(), node);
             break;
         }
 
-        if (at(child1).shouldSpeculateInt8Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->int8ArrayDescriptor(), node, sizeof(int8_t), NoTypedArraySpecCheck, SignedTypedArray);
+        if (at(node.child1()).shouldSpeculateInt8Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->int8ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int8_t), NoTypedArraySpecCheck, SignedTypedArray);
             if (!m_compileOkay)
                 return;
             break;            
         }
-    
-        if (at(child1).shouldSpeculateInt16Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->int16ArrayDescriptor(), node, sizeof(int16_t), NoTypedArraySpecCheck, SignedTypedArray);
+        
+        if (at(node.child1()).shouldSpeculateInt16Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->int16ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int16_t), NoTypedArraySpecCheck, SignedTypedArray);
             if (!m_compileOkay)
                 return;
             break;            
         }
-    
-        if (at(child1).shouldSpeculateInt32Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->int32ArrayDescriptor(), node, sizeof(int32_t), NoTypedArraySpecCheck, SignedTypedArray);
+        
+        if (at(node.child1()).shouldSpeculateInt32Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->int32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(int32_t), NoTypedArraySpecCheck, SignedTypedArray);
             if (!m_compileOkay)
                 return;
             break;            
         }
-    
-        if (at(child1).shouldSpeculateUint8Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->uint8ArrayDescriptor(), node, sizeof(uint8_t), NoTypedArraySpecCheck, UnsignedTypedArray);
+        
+        if (at(node.child1()).shouldSpeculateUint8Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->uint8ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint8_t), NoTypedArraySpecCheck, UnsignedTypedArray);
             if (!m_compileOkay)
                 return;
             break;            
         }
-    
-        if (at(child1).shouldSpeculateUint16Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->uint16ArrayDescriptor(), node, sizeof(uint16_t), NoTypedArraySpecCheck, UnsignedTypedArray);
+        
+        if (at(node.child1()).shouldSpeculateUint16Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->uint16ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint16_t), NoTypedArraySpecCheck, UnsignedTypedArray);
             if (!m_compileOkay)
                 return;
             break;            
         }
-    
-        if (at(child1).shouldSpeculateUint32Array()) {
-            compilePutByValForIntTypedArray(m_jit.globalData()->uint32ArrayDescriptor(), node, sizeof(uint32_t), NoTypedArraySpecCheck, UnsignedTypedArray);
+        
+        if (at(node.child1()).shouldSpeculateUint32Array()) {
+            compilePutByValForIntTypedArray(m_jit.globalData()->uint32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(uint32_t), NoTypedArraySpecCheck, UnsignedTypedArray);
             if (!m_compileOkay)
                 return;
             break;            
         }
-    
-        if (at(child1).shouldSpeculateFloat32Array()) {
-            compilePutByValForFloatTypedArray(m_jit.globalData()->float32ArrayDescriptor(), node, sizeof(float), NoTypedArraySpecCheck);
+        
+        if (at(node.child1()).shouldSpeculateFloat32Array()) {
+            compilePutByValForFloatTypedArray(m_jit.globalData()->float32ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(float), NoTypedArraySpecCheck);
             if (!m_compileOkay)
                 return;
             break;            
         }
-    
-        if (at(child1).shouldSpeculateFloat64Array()) {
-            compilePutByValForFloatTypedArray(m_jit.globalData()->float64ArrayDescriptor(), node, sizeof(double), NoTypedArraySpecCheck);
+        
+        if (at(node.child1()).shouldSpeculateFloat64Array()) {
+            compilePutByValForFloatTypedArray(m_jit.globalData()->float64ArrayDescriptor(), base.gpr(), property.gpr(), node, sizeof(double), NoTypedArraySpecCheck);
             if (!m_compileOkay)
                 return;
@@ -2908 +2901 @@
         }
 
-        SpeculateCellOperand base(this, child1);
-        SpeculateStrictInt32Operand property(this, child2);
-        JSValueOperand value(this, child3);
-
-        {
-            GPRTemporary scratch(this);
-            GPRReg scratchReg = scratch.gpr();
-            writeBarrier(base.gpr(), value.gpr(), child3, WriteBarrierForPropertyAccess, scratchReg);
-        }
-        StorageOperand storage(this, child4);
+        JSValueOperand value(this, node.child3());
+        GPRTemporary scratch(this);
+        
+        GPRReg baseReg = base.gpr();
+        GPRReg scratchReg = scratch.gpr();
+
+        writeBarrier(base.gpr(), value.gpr(), node.child3(), WriteBarrierForPropertyAccess, scratchReg);
+
         // Get the array storage.
-        GPRReg storageReg = storage.gpr();
+        GPRReg storageReg = scratchReg;
+        m_jit.loadPtr(MacroAssembler::Address(baseReg, JSArray::storageOffset()), storageReg);
 
         // Store the value to the array.