Changeset 171613 in webkit for trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

Timestamp:

Jul 25, 2014, 1:55:17 PM (11 years ago)

Author:

[email protected]

Message:

Merge r169795, r169819, r169864, r169902, r169949, r169950, r170016, r170017, r170060, r170064 from ftlopt.

2014-06-17 Filip Pizlo <​[email protected]>

Source/JavaScriptCore:

[ftlopt] Fold constant Phis
​https://bugs.webkit.org/show_bug.cgi?id=133967

Reviewed by Mark Hahnenberg.

It's surprising but we didn't really do this before. Or, rather, we only did it
incidentally when we would likely crash if it ever happened.

Making this work required cleaning up the validater a bit, so I did that too. I also added
mayExit() validation for nodes that didn't have origin.forExit (i.e. nodes that end up in
the Phi header of basic blocks). But this required beefing up mayExit() a bit.

• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
• dfg/DFGAdjacencyList.h: (JSC::DFG::AdjacencyList::isEmpty):
• dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::run): (JSC::DFG::ConstantFoldingPhase::foldConstants): (JSC::DFG::ConstantFoldingPhase::fixUpsilons):
• dfg/DFGInPlaceAbstractState.h:
• dfg/DFGLICMPhase.cpp: (JSC::DFG::LICMPhase::run): (JSC::DFG::LICMPhase::attemptHoist):
• dfg/DFGMayExit.cpp: (JSC::DFG::mayExit):
• dfg/DFGValidate.cpp: (JSC::DFG::Validate::validate): (JSC::DFG::Validate::validateSSA):

2014-06-17 Filip Pizlo <​[email protected]>

[ftlopt] Get rid of NodeDoesNotExit and also get rid of StoreEliminationPhase
​https://bugs.webkit.org/show_bug.cgi?id=133985

Reviewed by Michael Saboff and Mark Hahnenberg.

Store elimination phase has never been very profitable, and now that LLVM can do dead
store elimination for us, this phase is just completely pointless.

This phase is also the primary user of NodeDoesNotExit, which is a flag that the CFA
computes. It computes it poorly and we often get bugs in it. It's also a lot of code to
maintain.

This patch does introduce a new mayExit() calculator that is independent of the CFA and
should be enough for most of the previous NodeDoesNotExit users. Currently it's only used
for assertions in the DFG backend, but we could use it if we ever brought back any of the
other optimizations that previously relied upon NodeDoesNotExit.

This is performance-neutral, except for SunSpider, where it's a speed-up.

• CMakeLists.txt:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.xcodeproj/project.pbxproj:
• dfg/DFGAbstractInterpreter.h: (JSC::DFG::AbstractInterpreter::filterEdgeByUse): (JSC::DFG::AbstractInterpreter::filterByType):
• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting): (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
• dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::CSEPhase): (JSC::DFG::CSEPhase::invalidationPointElimination): (JSC::DFG::CSEPhase::setLocalStoreElimination): (JSC::DFG::CSEPhase::performNodeCSE): (JSC::DFG::CSEPhase::performBlockCSE): (JSC::DFG::performCSE): (JSC::DFG::CSEPhase::globalVarStoreElimination): Deleted. (JSC::DFG::CSEPhase::scopedVarStoreElimination): Deleted. (JSC::DFG::CSEPhase::putStructureStoreElimination): Deleted. (JSC::DFG::CSEPhase::putByOffsetStoreElimination): Deleted. (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted. (JSC::DFG::performStoreElimination): Deleted.
• dfg/DFGCSEPhase.h:
• dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode):
• dfg/DFGGraph.cpp: (JSC::DFG::Graph::resetExitStates): Deleted.
• dfg/DFGGraph.h:
• dfg/DFGMayExit.cpp: Added. (JSC::DFG::mayExit):
• dfg/DFGMayExit.h: Added.
• dfg/DFGNode.h: (JSC::DFG::Node::mergeFlags): (JSC::DFG::Node::filterFlags): (JSC::DFG::Node::setCanExit): Deleted. (JSC::DFG::Node::canExit): Deleted.
• dfg/DFGNodeFlags.cpp: (JSC::DFG::dumpNodeFlags):
• dfg/DFGNodeFlags.h:
• dfg/DFGNodeType.h:
• dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl):
• dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution): (JSC::DFG::SpeculativeJIT::bail): (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
• dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile):
• dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile):

2014-06-15 Filip Pizlo <​[email protected]>

[ftlopt] Remove the DFG optimization fixpoint and remove some obvious reasons why we previously benefited from it
​https://bugs.webkit.org/show_bug.cgi?id=133931

Reviewed by Oliver Hunt.

• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Trigger constant-folding for GetMyArgumentByVal (which means turning it into GetLocalUnlinked) and correct the handling of Upsilon so we don't fold them away.
• dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): Implement constant-folding for GetMyArgumentByVal.
• dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl): Remove the fixpoint.

2014-06-15 Filip Pizlo <​[email protected]>

[ftlopt] DFG OSR entry should have a crystal-clear story for when it's safe to enter at a block with a set of values
​https://bugs.webkit.org/show_bug.cgi?id=133935

Reviewed by Oliver Hunt.

• bytecode/Operands.h: (JSC::Operands::Operands): (JSC::Operands::ensureLocals):
• dfg/DFGAbstractValue.cpp: (JSC::DFG::AbstractValue::filter): Now we can compute intersections of abstract values!
• dfg/DFGAbstractValue.h: (JSC::DFG::AbstractValue::makeFullTop): Completeness. (JSC::DFG::AbstractValue::bytecodeTop): Completeness. (JSC::DFG::AbstractValue::fullTop): Completeness. We end up using this one.
• dfg/DFGBasicBlock.cpp: (JSC::DFG::BasicBlock::BasicBlock): (JSC::DFG::BasicBlock::ensureLocals):
• dfg/DFGBasicBlock.h: Remember the intersection of all things ever proven.
• dfg/DFGCFAPhase.cpp: (JSC::DFG::CFAPhase::run): Compute the intersection.
• dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): No need for the weirdo merge check since this fixes the root of the problem.
• dfg/DFGGraph.cpp: (JSC::DFG::Graph::dumpBlockHeader): Better dumping. (JSC::DFG::Graph::dump): Better dumping.
• dfg/DFGJITCompiler.h: (JSC::DFG::JITCompiler::noticeOSREntry): Use the intersected abstract value.
• dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Assert if the intersected state indicates the block shouldn't execute.

2014-06-12 Filip Pizlo <​[email protected]>

[ftlopt] A DFG inlined ById access variant should not speak of a chain, but only of what structures to test the base for, whether to use a constant as an alternate base for the actual access, and what structures to check on what additional cell constants
​https://bugs.webkit.org/show_bug.cgi?id=133821

Reviewed by Mark Hahnenberg.

This allows us to efficiently cache accesses that differ only in the prototypes on the path
from the base to the prototype that has the field.

It also simplifies a bunch of code - IntendedStructureChain is now just an intermediate
data structure.

• CMakeLists.txt:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/ConstantStructureCheck.cpp: Added. (JSC::ConstantStructureCheck::dumpInContext): (JSC::ConstantStructureCheck::dump): (JSC::structureFor): (JSC::areCompatible): (JSC::mergeInto):
• bytecode/ConstantStructureCheck.h: Added. (JSC::ConstantStructureCheck::ConstantStructureCheck): (JSC::ConstantStructureCheck::operator!): (JSC::ConstantStructureCheck::constant): (JSC::ConstantStructureCheck::structure):
• bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::computeForStubInfo):
• bytecode/GetByIdVariant.cpp: (JSC::GetByIdVariant::GetByIdVariant): (JSC::GetByIdVariant::operator=): (JSC::GetByIdVariant::attemptToMerge): (JSC::GetByIdVariant::dumpInContext):
• bytecode/GetByIdVariant.h: (JSC::GetByIdVariant::constantChecks): (JSC::GetByIdVariant::alternateBase): (JSC::GetByIdVariant::GetByIdVariant): Deleted. (JSC::GetByIdVariant::chain): Deleted.
• bytecode/PutByIdVariant.cpp: (JSC::PutByIdVariant::dumpInContext):
• bytecode/PutByIdVariant.h: (JSC::PutByIdVariant::transition): (JSC::PutByIdVariant::constantChecks): (JSC::PutByIdVariant::structureChain): Deleted.
• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
• dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::emitChecks): (JSC::DFG::ByteCodeParser::handleGetById): (JSC::DFG::ByteCodeParser::handlePutById): (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck): Deleted. (JSC::DFG::ByteCodeParser::structureChainIsStillValid): Deleted. (JSC::DFG::ByteCodeParser::emitPrototypeChecks): Deleted.
• dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): (JSC::DFG::ConstantFoldingPhase::emitGetByOffset): (JSC::DFG::ConstantFoldingPhase::emitPutByOffset): (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
• dfg/DFGDesiredStructureChains.cpp: Removed.
• dfg/DFGDesiredStructureChains.h: Removed.
• dfg/DFGGraph.h: (JSC::DFG::Graph::watchpoints): (JSC::DFG::Graph::chains): Deleted.
• dfg/DFGPlan.cpp: (JSC::DFG::Plan::isStillValid): (JSC::DFG::Plan::checkLivenessAndVisitChildren): (JSC::DFG::Plan::cancel):
• dfg/DFGPlan.h:
• ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
• runtime/IntendedStructureChain.cpp: (JSC::IntendedStructureChain::gatherChecks):
• runtime/IntendedStructureChain.h: (JSC::IntendedStructureChain::at): (JSC::IntendedStructureChain::operator[]):

2014-06-12 Filip Pizlo <​[email protected]>

[ftlopt] Constant folding and strength reduction should work in SSA
​https://bugs.webkit.org/show_bug.cgi?id=133839

Reviewed by Oliver Hunt.

• dfg/DFGAtTailAbstractState.cpp: (JSC::DFG::AtTailAbstractState::AtTailAbstractState): (JSC::DFG::AtTailAbstractState::forNode):
• dfg/DFGAtTailAbstractState.h:
• dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants):
• dfg/DFGGraph.cpp: (JSC::DFG::Graph::convertToConstant):
• dfg/DFGIntegerCheckCombiningPhase.cpp: (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend): Fix an unrelated regression that this uncovered.
• dfg/DFGLICMPhase.cpp: (JSC::DFG::LICMPhase::LICMPhase):
• dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl):

2014-06-11 Filip Pizlo <​[email protected]>

[ftlopt] DFG get_by_id should inline chain accesses with a slightly polymorphic base
​https://bugs.webkit.org/show_bug.cgi?id=133751

Reviewed by Mark Hahnenberg.

• bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::appendVariant): (JSC::GetByIdStatus::computeForStubInfo):
• bytecode/GetByIdVariant.cpp: (JSC::GetByIdVariant::attemptToMerge):
• bytecode/GetByIdVariant.h:
• bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::computeFor):
• dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::emitPrototypeChecks): (JSC::DFG::ByteCodeParser::handleGetById): (JSC::DFG::ByteCodeParser::handlePutById):
• runtime/IntendedStructureChain.cpp: (JSC::IntendedStructureChain::IntendedStructureChain): (JSC::IntendedStructureChain::isStillValid): (JSC::IntendedStructureChain::isNormalized): (JSC::IntendedStructureChain::terminalPrototype): (JSC::IntendedStructureChain::operator==): (JSC::IntendedStructureChain::visitChildren): (JSC::IntendedStructureChain::dumpInContext): (JSC::IntendedStructureChain::chain): Deleted.
• runtime/IntendedStructureChain.h: (JSC::IntendedStructureChain::prototype): (JSC::IntendedStructureChain::operator!=): (JSC::IntendedStructureChain::head): Deleted.

2014-06-11 Matthew Mirman <​[email protected]>

Readded native calling to the FTL and Split the DFG nodes
Call and Construct into NativeCall and NativeConstruct
to better represent their semantics.
​https://bugs.webkit.org/show_bug.cgi?id=133660

Reviewed by Filip Pizlo.

• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Added NativeCall and NativeConstruct case
• dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::addCall): added NativeCall case. (JSC::DFG::ByteCodeParser::handleCall): set to return NativeCall or NativeConstruct instead of Call or Construct in the presence of a native function.
• dfg/DFGClobberize.h: (JSC::DFG::clobberize): added NativeCall and NativeConstruct case.
• dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC): added NativeCall and NativeConstruct case.
• dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): added NativeCall and NativeConstruct case.
• dfg/DFGNode.h: (JSC::DFG::Node::hasHeapPrediction): added NativeCall and NativeConstruct case. (JSC::DFG::Node::canBeKnownFunction): changed to NativeCall and NativeConstruct. (JSC::DFG::Node::hasKnownFunction): changed to NativeCall and NativeConstruct.
• dfg/DFGNodeType.h: added NativeCall and NativeConstruct.
• dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): added NativeCall and NativeConstruct case.
• dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute): added NativeCall and NativeConstruct case.
• dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): ditto (JSC::DFG::SpeculativeJIT::compile): ditto
• dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): ditto (JSC::DFG::SpeculativeJIT::compile): ditto
• ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile): ditto
• ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::lower): ditto (JSC::FTL::LowerDFGToLLVM::compileNode): ditto. (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): Added. (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): removed NativeCall and NativeConstruct functionality. (JSC::FTL::LowerDFGToLLVM::didOverflowStack): added NativeCall and NativeConstruct case.
• runtime/JSCJSValue.h: added JS_EXPORT_PRIVATE to toInteger as it is apparently needed.

2014-06-11 Matthew Mirman <​[email protected]>

Ensured Native Calls and Construct and associated checks
are only emitted during ftl mode.
​https://bugs.webkit.org/show_bug.cgi?id=133718

Reviewed by Filip Pizlo.

• dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handleCall): Added check for ftl mode before attaching the native function to Call or Construct.

2014-06-10 Filip Pizlo <​[email protected]>

[ftlopt] DFG should use its own notion of JSValue, which we should call FrozenValue, that will carry around a copy of its structure
​https://bugs.webkit.org/show_bug.cgi?id=133426

Reviewed by Geoffrey Garen.

The impetus for this was to provide some sense and reason to race conditions arising from
cell constants having their structure changed on the main thread - this is harmess because
we defend against it, but when it goes wrong, it can be difficult to reproduce because it
requires a race. Giving the DFG the ability to "freeze" a cell's structure fixes this.

But this patch goes quite a bit further, and completely rationalizes how the DFG reasons
about constants. It no longer relies on the CodeBlock constant pool at all, which allows
for a more object-oriented approach: for example a Node that has a constant can tell you
what constant it has without needing a CodeBlock.

• CMakeLists.txt:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/CallLinkStatus.cpp: (JSC::CallLinkStatus::computeExitSiteData):
• bytecode/ExitKind.cpp: (JSC::exitKindToString): (JSC::exitKindIsCountable):
• bytecode/ExitKind.h: (JSC::isWatchpoint): Deleted.
• bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::hasExitSite):
• bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::hasExitSite):
• dfg/DFGAbstractInterpreter.h: (JSC::DFG::AbstractInterpreter::filterByValue): (JSC::DFG::AbstractInterpreter::setBuiltInConstant): (JSC::DFG::AbstractInterpreter::setConstant):
• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByValue):
• dfg/DFGAbstractValue.cpp: (JSC::DFG::AbstractValue::setOSREntryValue): (JSC::DFG::AbstractValue::set): (JSC::DFG::AbstractValue::filterByValue): (JSC::DFG::AbstractValue::setMostSpecific): Deleted.
• dfg/DFGAbstractValue.h:
• dfg/DFGArgumentsSimplificationPhase.cpp: (JSC::DFG::ArgumentsSimplificationPhase::run):
• dfg/DFGBackwardsPropagationPhase.cpp: (JSC::DFG::BackwardsPropagationPhase::isNotNegZero): (JSC::DFG::BackwardsPropagationPhase::isNotPosZero): (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant): (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
• dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::ByteCodeParser): (JSC::DFG::ByteCodeParser::getDirect): (JSC::DFG::ByteCodeParser::get): (JSC::DFG::ByteCodeParser::getLocal): (JSC::DFG::ByteCodeParser::setLocal): (JSC::DFG::ByteCodeParser::setArgument): (JSC::DFG::ByteCodeParser::jsConstant): (JSC::DFG::ByteCodeParser::weakJSConstant): (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck): (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand): (JSC::DFG::ByteCodeParser::handleCall): (JSC::DFG::ByteCodeParser::emitFunctionChecks): (JSC::DFG::ByteCodeParser::handleInlining): (JSC::DFG::ByteCodeParser::handleMinMax): (JSC::DFG::ByteCodeParser::handleIntrinsic): (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): (JSC::DFG::ByteCodeParser::handleGetById): (JSC::DFG::ByteCodeParser::prepareToParseBlock): (JSC::DFG::ByteCodeParser::parseBlock): (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary): (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): (JSC::DFG::ByteCodeParser::parseCodeBlock): (JSC::DFG::ByteCodeParser::addConstant): Deleted. (JSC::DFG::ByteCodeParser::getJSConstantForValue): Deleted. (JSC::DFG::ByteCodeParser::getJSConstant): Deleted. (JSC::DFG::ByteCodeParser::isJSConstant): Deleted. (JSC::DFG::ByteCodeParser::isInt32Constant): Deleted. (JSC::DFG::ByteCodeParser::valueOfJSConstant): Deleted. (JSC::DFG::ByteCodeParser::valueOfInt32Constant): Deleted. (JSC::DFG::ByteCodeParser::constantUndefined): Deleted. (JSC::DFG::ByteCodeParser::constantNull): Deleted. (JSC::DFG::ByteCodeParser::one): Deleted. (JSC::DFG::ByteCodeParser::constantNaN): Deleted. (JSC::DFG::ByteCodeParser::cellConstant): Deleted. (JSC::DFG::ByteCodeParser::inferredConstant): Deleted. (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord): Deleted.
• dfg/DFGCFGSimplificationPhase.cpp: (JSC::DFG::CFGSimplificationPhase::run):
• dfg/DFGCSEPhase.cpp: (JSC::DFG::CSEPhase::constantCSE): (JSC::DFG::CSEPhase::checkFunctionElimination): (JSC::DFG::CSEPhase::performNodeCSE): (JSC::DFG::CSEPhase::weakConstantCSE): Deleted.
• dfg/DFGClobberize.h: (JSC::DFG::clobberize):
• dfg/DFGCommon.h:
• dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): (JSC::DFG::ConstantFoldingPhase::emitGetByOffset): (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
• dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC):
• dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::fixupMakeRope): (JSC::DFG::FixupPhase::truncateConstantToInt32): (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength): (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
• dfg/DFGFrozenValue.cpp: Added. (JSC::DFG::FrozenValue::emptySingleton): (JSC::DFG::FrozenValue::dumpInContext): (JSC::DFG::FrozenValue::dump):
• dfg/DFGFrozenValue.h: Added. (JSC::DFG::FrozenValue::FrozenValue): (JSC::DFG::FrozenValue::operator!): (JSC::DFG::FrozenValue::value): (JSC::DFG::FrozenValue::structure): (JSC::DFG::FrozenValue::strengthenTo): (JSC::DFG::FrozenValue::strength): (JSC::DFG::FrozenValue::freeze):
• dfg/DFGGraph.cpp: (JSC::DFG::Graph::Graph): (JSC::DFG::Graph::dump): (JSC::DFG::Graph::tryGetActivation): (JSC::DFG::Graph::tryGetFoldableView): (JSC::DFG::Graph::registerFrozenValues): (JSC::DFG::Graph::visitChildren): (JSC::DFG::Graph::freezeFragile): (JSC::DFG::Graph::freeze): (JSC::DFG::Graph::freezeStrong): (JSC::DFG::Graph::convertToConstant): (JSC::DFG::Graph::convertToStrongConstant): (JSC::DFG::Graph::assertIsWatched):
• dfg/DFGGraph.h: (JSC::DFG::Graph::addImmediateShouldSpeculateInt32): (JSC::DFG::Graph::convertToConstant): Deleted. (JSC::DFG::Graph::constantRegisterForConstant): Deleted. (JSC::DFG::Graph::getJSConstantSpeculation): Deleted. (JSC::DFG::Graph::isConstant): Deleted. (JSC::DFG::Graph::isJSConstant): Deleted. (JSC::DFG::Graph::isInt32Constant): Deleted. (JSC::DFG::Graph::isDoubleConstant): Deleted. (JSC::DFG::Graph::isNumberConstant): Deleted. (JSC::DFG::Graph::isBooleanConstant): Deleted. (JSC::DFG::Graph::isCellConstant): Deleted. (JSC::DFG::Graph::isFunctionConstant): Deleted. (JSC::DFG::Graph::isInternalFunctionConstant): Deleted. (JSC::DFG::Graph::valueOfJSConstant): Deleted. (JSC::DFG::Graph::valueOfInt32Constant): Deleted. (JSC::DFG::Graph::valueOfNumberConstant): Deleted. (JSC::DFG::Graph::valueOfBooleanConstant): Deleted. (JSC::DFG::Graph::valueOfFunctionConstant): Deleted. (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
• dfg/DFGInPlaceAbstractState.cpp: (JSC::DFG::InPlaceAbstractState::initialize):
• dfg/DFGInsertionSet.h: (JSC::DFG::InsertionSet::insertConstant): (JSC::DFG::InsertionSet::insertConstantForUse):
• dfg/DFGIntegerCheckCombiningPhase.cpp: (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
• dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::link):
• dfg/DFGLazyJSValue.cpp: (JSC::DFG::LazyJSValue::getValue): (JSC::DFG::LazyJSValue::strictEqual): (JSC::DFG::LazyJSValue::dumpInContext):
• dfg/DFGLazyJSValue.h: (JSC::DFG::LazyJSValue::LazyJSValue): (JSC::DFG::LazyJSValue::tryGetValue): (JSC::DFG::LazyJSValue::value): (JSC::DFG::LazyJSValue::switchLookupValue):
• dfg/DFGMinifiedNode.cpp: (JSC::DFG::MinifiedNode::fromNode):
• dfg/DFGMinifiedNode.h: (JSC::DFG::belongsInMinifiedGraph): (JSC::DFG::MinifiedNode::hasConstant): (JSC::DFG::MinifiedNode::constant): (JSC::DFG::MinifiedNode::hasConstantNumber): Deleted. (JSC::DFG::MinifiedNode::constantNumber): Deleted. (JSC::DFG::MinifiedNode::hasWeakConstant): Deleted. (JSC::DFG::MinifiedNode::weakConstant): Deleted.
• dfg/DFGNode.h: (JSC::DFG::Node::hasConstant): (JSC::DFG::Node::constant): (JSC::DFG::Node::convertToConstant): (JSC::DFG::Node::asJSValue): (JSC::DFG::Node::isInt32Constant): (JSC::DFG::Node::asInt32): (JSC::DFG::Node::asUInt32): (JSC::DFG::Node::isDoubleConstant): (JSC::DFG::Node::isNumberConstant): (JSC::DFG::Node::asNumber): (JSC::DFG::Node::isMachineIntConstant): (JSC::DFG::Node::asMachineInt): (JSC::DFG::Node::isBooleanConstant): (JSC::DFG::Node::asBoolean): (JSC::DFG::Node::isCellConstant): (JSC::DFG::Node::asCell): (JSC::DFG::Node::dynamicCastConstant): (JSC::DFG::Node::function): (JSC::DFG::Node::isWeakConstant): Deleted. (JSC::DFG::Node::constantNumber): Deleted. (JSC::DFG::Node::convertToWeakConstant): Deleted. (JSC::DFG::Node::weakConstant): Deleted. (JSC::DFG::Node::valueOfJSConstant): Deleted.
• dfg/DFGNodeType.h:
• dfg/DFGOSRExitCompiler.cpp:
• dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate):
• dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute):
• dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR): (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR): (JSC::DFG::SpeculativeJIT::silentFill): (JSC::DFG::SpeculativeJIT::compileIn): (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch): (JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch): (JSC::DFG::SpeculativeJIT::compileCurrentBlock): (JSC::DFG::SpeculativeJIT::compileDoubleRep): (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds): (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): (JSC::DFG::SpeculativeJIT::compileAdd): (JSC::DFG::SpeculativeJIT::compileArithSub): (JSC::DFG::SpeculativeJIT::compileArithMod):
• dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64): (JSC::DFG::SpeculativeJIT::initConstantInfo): (JSC::DFG::SpeculativeJIT::isConstant): Deleted. (JSC::DFG::SpeculativeJIT::isJSConstant): Deleted. (JSC::DFG::SpeculativeJIT::isInt32Constant): Deleted. (JSC::DFG::SpeculativeJIT::isDoubleConstant): Deleted. (JSC::DFG::SpeculativeJIT::isNumberConstant): Deleted. (JSC::DFG::SpeculativeJIT::isBooleanConstant): Deleted. (JSC::DFG::SpeculativeJIT::isFunctionConstant): Deleted. (JSC::DFG::SpeculativeJIT::valueOfInt32Constant): Deleted. (JSC::DFG::SpeculativeJIT::valueOfNumberConstant): Deleted. (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant): Deleted. (JSC::DFG::SpeculativeJIT::valueOfJSConstant): Deleted. (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant): Deleted. (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant): Deleted. (JSC::DFG::SpeculativeJIT::isNullConstant): Deleted. (JSC::DFG::SpeculativeJIT::isInteger): Deleted.
• dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::fillJSValue): (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compile):
• dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::fillJSValue): (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compile):
• dfg/DFGStrengthReductionPhase.cpp: (JSC::DFG::StrengthReductionPhase::handleNode):
• dfg/DFGValidate.cpp: (JSC::DFG::Validate::validate):
• dfg/DFGValueStrength.cpp: Added. (WTF::printInternal):
• dfg/DFGValueStrength.h: Added. (JSC::DFG::merge):
• dfg/DFGVariableEventStream.cpp: (JSC::DFG::VariableEventStream::tryToSetConstantRecovery): (JSC::DFG::VariableEventStream::reconstruct):
• dfg/DFGVariableEventStream.h:
• dfg/DFGWatchableStructureWatchingPhase.cpp: (JSC::DFG::WatchableStructureWatchingPhase::run): (JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
• dfg/DFGWatchpointCollectionPhase.cpp: (JSC::DFG::WatchpointCollectionPhase::handle):
• ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile):
• ftl/FTLLink.cpp: (JSC::FTL::link):
• ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant): (JSC::FTL::LowerDFGToLLVM::compileInt52Constant): (JSC::FTL::LowerDFGToLLVM::compileCheckStructure): (JSC::FTL::LowerDFGToLLVM::compileCheckFunction): (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant): (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant): (JSC::FTL::LowerDFGToLLVM::lowInt32): (JSC::FTL::LowerDFGToLLVM::lowCell): (JSC::FTL::LowerDFGToLLVM::lowBoolean): (JSC::FTL::LowerDFGToLLVM::lowJSValue): (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument): (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant): Deleted.
• ftl/FTLOSRExitCompiler.cpp: (JSC::FTL::compileStub):
• runtime/JSCJSValue.cpp: (JSC::JSValue::dumpInContext): (JSC::JSValue::dumpInContextAssumingStructure):
• runtime/JSCJSValue.h:

LayoutTests:

[ftlopt] A DFG inlined ById access variant should not speak of a chain, but only of what structures to test the base for, whether to use a constant as an alternate base for the actual access, and what structures to check on what additional cell constants
​https://bugs.webkit.org/show_bug.cgi?id=133821

Reviewed by Mark Hahnenberg.

• js/regress/poly-chain-access-different-prototypes-expected.txt: Added.
• js/regress/poly-chain-access-different-prototypes-simple-expected.txt: Added.
• js/regress/poly-chain-access-different-prototypes-simple.html: Added.
• js/regress/poly-chain-access-different-prototypes.html: Added.
• js/regress/script-tests/poly-chain-access-different-prototypes-simple.js: Added.
• js/regress/script-tests/poly-chain-access-different-prototypes.js: Added.

2014-06-11 Filip Pizlo <​[email protected]>

[ftlopt] DFG get_by_id should inline chain accesses with a slightly polymorphic base
​https://bugs.webkit.org/show_bug.cgi?id=133751

Reviewed by Mark Hahnenberg.

• js/regress/poly-chain-access-expected.txt: Added.
• js/regress/poly-chain-access-simpler-expected.txt: Added.
• js/regress/poly-chain-access-simpler.html: Added.
• js/regress/poly-chain-access.html: Added.
• js/regress/script-tests/poly-chain-access-simpler.js: Added.
• js/regress/script-tests/poly-chain-access.js: Added.

File:

• trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (62 diffs)

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -133 +133 @@
         , m_currentBlock(0)
         , m_currentIndex(0)
-        , m_constantUndefined(UINT_MAX)
-        , m_constantNull(UINT_MAX)
-        , m_constantNaN(UINT_MAX)
-        , m_constant1(UINT_MAX)
-        , m_constants(m_codeBlock->numberOfConstantRegisters())
+        , m_constantUndefined(graph.freeze(jsUndefined()))
+        , m_constantNull(graph.freeze(jsNull()))
+        , m_constantNaN(graph.freeze(jsNumber(PNaN)))
+        , m_constantOne(graph.freeze(jsNumber(1)))
         , m_numArguments(m_codeBlock->numParameters())
         , m_numLocals(m_codeBlock->m_numCalleeRegisters)
@@ -144 +143 @@
         , m_inlineStackTop(0)
         , m_haveBuiltOperandMaps(false)
-        , m_emptyJSValueIndex(UINT_MAX)
         , m_currentInstruction(0)
     {
@@ -195 +193 @@
         Node* base, unsigned identifierNumber, Node* value, const PutByIdStatus&,
         bool isDirect);
-    Node* emitPrototypeChecks(Structure*, IntendedStructureChain*);
+    void emitChecks(const ConstantStructureCheckVector&);
 
     Node* getScope(bool skipTop, unsigned skipCount);
@@ -218 +216 @@
     Node* getDirect(VirtualRegister operand)
     {
-        // Is this a constant?
-        if (operand.isConstant()) {
-            unsigned constant = operand.toConstantIndex();
-            ASSERT(constant < m_constants.size());
-            return getJSConstant(constant);
-        }
+        ASSERT(!operand.isConstant());
 
         // Is this an argument?
@@ -235 +228 @@
     Node* get(VirtualRegister operand)
     {
+        if (operand.isConstant()) {
+            unsigned constantIndex = operand.toConstantIndex();
+            unsigned oldSize = m_constants.size();
+            if (constantIndex >= oldSize || !m_constants[constantIndex]) {
+                JSValue value = m_inlineStackTop->m_codeBlock->getConstant(operand.offset());
+                if (constantIndex >= oldSize) {
+                    m_constants.grow(constantIndex + 1);
+                    for (unsigned i = oldSize; i < m_constants.size(); ++i)
+                        m_constants[i] = nullptr;
+                }
+                m_constants[constantIndex] =
+                    addToGraph(JSConstant, OpInfo(m_graph.freezeStrong(value)));
+            }
+            ASSERT(m_constants[constantIndex]);
+            return m_constants[constantIndex];
+        }
+        
         if (inlineCallFrame()) {
             if (!inlineCallFrame()->isClosureCall) {
                 JSFunction* callee = inlineCallFrame()->calleeConstant();
                 if (operand.offset() == JSStack::Callee)
-                    return cellConstant(callee);
+                    return weakJSConstant(callee);
                 if (operand.offset() == JSStack::ScopeChain)
-                    return cellConstant(callee->scope());
+                    return weakJSConstant(callee->scope());
             }
         } else if (operand.offset() == JSStack::Callee)
@@ -310 +320 @@
                     addToGraph(FunctionReentryWatchpoint, OpInfo(m_codeBlock->symbolTable()));
                     addToGraph(VariableWatchpoint, OpInfo(set));
-                    // Note: this is very special from an OSR exit standpoint. We wouldn't be
-                    // able to do this for most locals, but it works here because we're dealing
-                    // with a flushed local. For most locals we would need to issue a GetLocal
-                    // here and ensure that we have uses in DFG IR wherever there would have
-                    // been uses in bytecode. Clearly this optimization does not do this. But
-                    // that's fine, because we don't need to track liveness for captured
-                    // locals, and this optimization only kicks in for captured locals.
-                    return inferredConstant(value);
+                    return weakJSConstant(value);
                 }
             }
@@ -368 +371 @@
         VariableAccessData* variableAccessData = newVariableAccessData(operand, isCaptured);
         variableAccessData->mergeStructureCheckHoistingFailed(
-            m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCache)
-            || m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCacheWatchpoint));
+            m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCache));
         variableAccessData->mergeCheckArrayHoistingFailed(
             m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadIndexingType));
@@ -425 +427 @@
         
         variableAccessData->mergeStructureCheckHoistingFailed(
-            m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCache)
-            || m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCacheWatchpoint));
+            m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCache));
         variableAccessData->mergeCheckArrayHoistingFailed(
             m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadIndexingType));
@@ -467 +468 @@
     }
 
-    void addConstant(JSValue value)
-    {
-        unsigned constantIndex = m_codeBlock->addConstantLazily();
-        initializeLazyWriteBarrierForConstant(
-            m_graph.m_plan.writeBarriers,
-            m_codeBlock->constants()[constantIndex],
-            m_codeBlock,
-            constantIndex,
-            m_codeBlock->ownerExecutable(), 
-            value);
-    }
-    
     void flush(VirtualRegister operand)
     {
@@ -555 +544 @@
     }
 
-    // NOTE: Only use this to construct constants that arise from non-speculative
-    // constant folding. I.e. creating constants using this if we had constant
-    // field inference would be a bad idea, since the bytecode parser's folding
-    // doesn't handle liveness preservation.
-    Node* getJSConstantForValue(JSValue constantValue)
-    {
-        unsigned constantIndex;
-        if (!m_codeBlock->findConstant(constantValue, constantIndex)) {
-            addConstant(constantValue);
-            m_constants.append(ConstantRecord());
-        }
-        
-        ASSERT(m_constants.size() == m_codeBlock->numberOfConstantRegisters());
-        
-        return getJSConstant(constantIndex);
-    }
-
-    Node* getJSConstant(unsigned constant)
-    {
-        Node* node = m_constants[constant].asJSValue;
-        if (node)
-            return node;
-
-        Node* result = addToGraph(JSConstant, OpInfo(constant));
-        m_constants[constant].asJSValue = result;
-        return result;
+    // Assumes that the constant should be strongly marked.
+    Node* jsConstant(JSValue constantValue)
+    {
+        return addToGraph(JSConstant, OpInfo(m_graph.freezeStrong(constantValue)));
+    }
+
+    Node* weakJSConstant(JSValue constantValue)
+    {
+        return addToGraph(JSConstant, OpInfo(m_graph.freeze(constantValue)));
     }
 
@@ -594 +566 @@
     }
 
-    // Convenience methods for checking nodes for constants.
-    bool isJSConstant(Node* node)
-    {
-        return node->op() == JSConstant;
-    }
-    bool isInt32Constant(Node* node)
-    {
-        return isJSConstant(node) && valueOfJSConstant(node).isInt32();
-    }
-    // Convenience methods for getting constant values.
-    JSValue valueOfJSConstant(Node* node)
-    {
-        ASSERT(isJSConstant(node));
-        return m_codeBlock->getConstant(FirstConstantRegisterIndex + node->constantNumber());
-    }
-    int32_t valueOfInt32Constant(Node* node)
-    {
-        ASSERT(isInt32Constant(node));
-        return valueOfJSConstant(node).asInt32();
-    }
-    
-    // This method returns a JSConstant with the value 'undefined'.
-    Node* constantUndefined()
-    {
-        // Has m_constantUndefined been set up yet?
-        if (m_constantUndefined == UINT_MAX) {
-            // Search the constant pool for undefined, if we find it, we can just reuse this!
-            unsigned numberOfConstants = m_codeBlock->numberOfConstantRegisters();
-            for (m_constantUndefined = 0; m_constantUndefined < numberOfConstants; ++m_constantUndefined) {
-                JSValue testMe = m_codeBlock->getConstant(FirstConstantRegisterIndex + m_constantUndefined);
-                if (testMe.isUndefined())
-                    return getJSConstant(m_constantUndefined);
-            }
-
-            // Add undefined to the CodeBlock's constants, and add a corresponding slot in m_constants.
-            ASSERT(m_constants.size() == numberOfConstants);
-            addConstant(jsUndefined());
-            m_constants.append(ConstantRecord());
-            ASSERT(m_constants.size() == m_codeBlock->numberOfConstantRegisters());
-        }
-
-        // m_constantUndefined must refer to an entry in the CodeBlock's constant pool that has the value 'undefined'.
-        ASSERT(m_codeBlock->getConstant(FirstConstantRegisterIndex + m_constantUndefined).isUndefined());
-        return getJSConstant(m_constantUndefined);
-    }
-
-    // This method returns a JSConstant with the value 'null'.
-    Node* constantNull()
-    {
-        // Has m_constantNull been set up yet?
-        if (m_constantNull == UINT_MAX) {
-            // Search the constant pool for null, if we find it, we can just reuse this!
-            unsigned numberOfConstants = m_codeBlock->numberOfConstantRegisters();
-            for (m_constantNull = 0; m_constantNull < numberOfConstants; ++m_constantNull) {
-                JSValue testMe = m_codeBlock->getConstant(FirstConstantRegisterIndex + m_constantNull);
-                if (testMe.isNull())
-                    return getJSConstant(m_constantNull);
-            }
-
-            // Add null to the CodeBlock's constants, and add a corresponding slot in m_constants.
-            ASSERT(m_constants.size() == numberOfConstants);
-            addConstant(jsNull());
-            m_constants.append(ConstantRecord());
-            ASSERT(m_constants.size() == m_codeBlock->numberOfConstantRegisters());
-        }
-
-        // m_constantNull must refer to an entry in the CodeBlock's constant pool that has the value 'null'.
-        ASSERT(m_codeBlock->getConstant(FirstConstantRegisterIndex + m_constantNull).isNull());
-        return getJSConstant(m_constantNull);
-    }
-
-    // This method returns a DoubleConstant with the value 1.
-    Node* one()
-    {
-        // Has m_constant1 been set up yet?
-        if (m_constant1 == UINT_MAX) {
-            // Search the constant pool for the value 1, if we find it, we can just reuse this!
-            unsigned numberOfConstants = m_codeBlock->numberOfConstantRegisters();
-            for (m_constant1 = 0; m_constant1 < numberOfConstants; ++m_constant1) {
-                JSValue testMe = m_codeBlock->getConstant(FirstConstantRegisterIndex + m_constant1);
-                if (testMe.isInt32() && testMe.asInt32() == 1)
-                    return getJSConstant(m_constant1);
-            }
-
-            // Add the value 1 to the CodeBlock's constants, and add a corresponding slot in m_constants.
-            ASSERT(m_constants.size() == numberOfConstants);
-            addConstant(jsNumber(1));
-            m_constants.append(ConstantRecord());
-            ASSERT(m_constants.size() == m_codeBlock->numberOfConstantRegisters());
-        }
-
-        // m_constant1 must refer to an entry in the CodeBlock's constant pool that has the integer value 1.
-        ASSERT(m_codeBlock->getConstant(FirstConstantRegisterIndex + m_constant1).isInt32());
-        ASSERT(m_codeBlock->getConstant(FirstConstantRegisterIndex + m_constant1).asInt32() == 1);
-        return getJSConstant(m_constant1);
-    }
-    
-    // This method returns a DoubleConstant with the value NaN.
-    Node* constantNaN()
-    {
-        JSValue nan = jsNaN();
-        
-        // Has m_constantNaN been set up yet?
-        if (m_constantNaN == UINT_MAX) {
-            // Search the constant pool for the value NaN, if we find it, we can just reuse this!
-            unsigned numberOfConstants = m_codeBlock->numberOfConstantRegisters();
-            for (m_constantNaN = 0; m_constantNaN < numberOfConstants; ++m_constantNaN) {
-                JSValue testMe = m_codeBlock->getConstant(FirstConstantRegisterIndex + m_constantNaN);
-                if (JSValue::encode(testMe) == JSValue::encode(nan))
-                    return getJSConstant(m_constantNaN);
-            }
-
-            // Add the value nan to the CodeBlock's constants, and add a corresponding slot in m_constants.
-            ASSERT(m_constants.size() == numberOfConstants);
-            addConstant(nan);
-            m_constants.append(ConstantRecord());
-            ASSERT(m_constants.size() == m_codeBlock->numberOfConstantRegisters());
-        }
-
-        // m_constantNaN must refer to an entry in the CodeBlock's constant pool that has the value nan.
-        ASSERT(m_codeBlock->getConstant(FirstConstantRegisterIndex + m_constantNaN).isDouble());
-        ASSERT(std::isnan(m_codeBlock->getConstant(FirstConstantRegisterIndex + m_constantNaN).asDouble()));
-        return getJSConstant(m_constantNaN);
-    }
-    
-    Node* cellConstant(JSCell* cell)
-    {
-        HashMap<JSCell*, Node*>::AddResult result = m_cellConstantNodes.add(cell, nullptr);
-        if (result.isNewEntry) {
-            ASSERT(!Heap::isZombified(cell));
-            result.iterator->value = addToGraph(WeakJSConstant, OpInfo(cell));
-        }
-        
-        return result.iterator->value;
-    }
-    
-    Node* inferredConstant(JSValue value)
-    {
-        if (value.isCell())
-            return cellConstant(value.asCell());
-        return getJSConstantForValue(value);
-    }
-    
     InlineCallFrame* inlineCallFrame()
     {
@@ -821 +650 @@
             m_parameterSlots = parameterSlots;
 
-        int dummyThisArgument = op == Call ? 0 : 1;
+        int dummyThisArgument = op == Call || op == NativeCall ? 0 : 1;
         for (int i = 0 + dummyThisArgument; i < argCount; ++i)
             addVarArgChild(get(virtualRegisterForArgument(i, registerOffset)));
@@ -832 +661 @@
     Node* cellConstantWithStructureCheck(JSCell* object, Structure* structure)
     {
-        Node* objectNode = cellConstant(object);
+        Node* objectNode = weakJSConstant(object);
         addToGraph(CheckStructure, OpInfo(m_graph.addStructureSet(structure)), objectNode);
         return objectNode;
     }
     
-    Node* cellConstantWithStructureCheck(JSCell* object)
-    {
-        return cellConstantWithStructureCheck(object, object->structure());
-    }
-
     SpeculatedType getPredictionWithoutOSRExit(unsigned bytecodeIndex)
     {
@@ -972 +796 @@
     }
     
-    bool structureChainIsStillValid(bool direct, Structure* previousStructure, StructureChain* chain)
-    {
-        if (direct)
-            return true;
-        
-        if (!previousStructure->storedPrototype().isNull() && previousStructure->storedPrototype().asCell()->structure() != chain->head()->get())
-            return false;
-        
-        for (WriteBarrier<Structure>* it = chain->head(); *it; ++it) {
-            if (!(*it)->storedPrototype().isNull() && (*it)->storedPrototype().asCell()->structure() != it[1].get())
-                return false;
-        }
-        
-        return true;
-    }
-    
     void buildOperandMapsIfNecessary();
     
@@ -1000 +808 @@
     unsigned m_currentIndex;
 
-    // We use these values during code generation, and to avoid the need for
-    // special handling we make sure they are available as constants in the
-    // CodeBlock's constant pool. These variables are initialized to
-    // UINT_MAX, and lazily updated to hold an index into the CodeBlock's
-    // constant pool, as necessary.
-    unsigned m_constantUndefined;
-    unsigned m_constantNull;
-    unsigned m_constantNaN;
-    unsigned m_constant1;
-    HashMap<JSCell*, unsigned> m_cellConstants;
-    HashMap<JSCell*, Node*> m_cellConstantNodes;
-
-    // A constant in the constant pool may be represented by more than one
-    // node in the graph, depending on the context in which it is being used.
-    struct ConstantRecord {
-        ConstantRecord()
-            : asInt32(0)
-            , asNumeric(0)
-            , asJSValue(0)
-        {
-        }
-
-        Node* asInt32;
-        Node* asNumeric;
-        Node* asJSValue;
-    };
-
-    // Track the index of the node whose result is the current value for every
-    // register value in the bytecode - argument, local, and temporary.
-    Vector<ConstantRecord, 16> m_constants;
+    FrozenValue* m_constantUndefined;
+    FrozenValue* m_constantNull;
+    FrozenValue* m_constantNaN;
+    FrozenValue* m_constantOne;
+    Vector<Node*, 16> m_constants;
 
     // The number of arguments passed to the function.
@@ -1064 +847 @@
         // direct, caller).
         Vector<unsigned> m_identifierRemap;
-        Vector<unsigned> m_constantRemap;
         Vector<unsigned> m_constantBufferRemap;
         Vector<unsigned> m_switchRemap;
@@ -1135 +917 @@
                 return operand;
             
-            if (operand.isConstant()) {
-                VirtualRegister result = VirtualRegister(m_constantRemap[operand.toConstantIndex()]);
-                ASSERT(result.isConstant());
-                return result;
-            }
+            ASSERT(!operand.isConstant());
 
             return VirtualRegister(operand.offset() + m_inlineCallFrame->stackOffset);
@@ -1173 +951 @@
     // Mapping between identifier names and numbers.
     BorrowedIdentifierMap m_identifierMap;
-    // Mapping between values and constant numbers.
-    JSValueMap m_jsValueMap;
-    // Index of the empty value, or UINT_MAX if there is no mapping. This is a horrible
-    // work-around for the fact that JSValueMap can't handle "empty" values.
-    unsigned m_emptyJSValueIndex;
     
     CodeBlock* m_dfgCodeBlock;
@@ -1225 +998 @@
     CodeSpecializationKind specializationKind = InlineCallFrame::specializationKindFor(kind);
     
-    if (m_graph.isConstant(callTarget)) {
-        callLinkStatus = CallLinkStatus(
-            m_graph.valueOfJSConstant(callTarget)).setIsProved(true);
-    }
+    if (callTarget->hasConstant())
+        callLinkStatus = CallLinkStatus(callTarget->asJSValue()).setIsProved(true);
     
     if (!callLinkStatus.canOptimize()) {
@@ -1274 +1045 @@
             m_graph.compilation()->noticeInlinedCall();
         return;
-    } else if (JSFunction* function = callLinkStatus.function())
-        if (function->isHostFunction()) {
+    } else if (isFTL(m_graph.m_plan.mode)) {
+        JSFunction* function = callLinkStatus.function();
+        if (function && function->isHostFunction()) {
             emitFunctionChecks(callLinkStatus, callTarget, registerOffset, specializationKind);
             knownFunction = function;
-        }
-    
-    addCall(result, op, callTarget, argumentCountIncludingThis, registerOffset)->giveKnownFunction(knownFunction);
+
+            if (op == Call) 
+                op = NativeCall;
+            else {
+                ASSERT(op == Construct);
+                op = NativeConstruct;
+            }
+        }
+    }
+    Node* call = addCall(result, op, callTarget, argumentCountIncludingThis, registerOffset);
+
+    if (knownFunction) 
+        call->giveKnownFunction(knownFunction);
 }
 
@@ -1299 +1081 @@
     
     if (JSFunction* function = callLinkStatus.function())
-        addToGraph(CheckFunction, OpInfo(function), callTarget, thisArgument);
+        addToGraph(CheckFunction, OpInfo(m_graph.freeze(function)), callTarget, thisArgument);
     else {
         ASSERT(callLinkStatus.structure());
@@ -1456 +1238 @@
     
     parseCodeBlock();
+    prepareToParseBlock(); // Reset our state now that we're back to the outer code.
     
     m_currentIndex = oldIndex;
@@ -1545 +1328 @@
 {
     if (argumentCountIncludingThis == 1) { // Math.min()
-        set(VirtualRegister(resultOperand), constantNaN());
+        set(VirtualRegister(resultOperand), addToGraph(JSConstant, OpInfo(m_constantNaN)));
         return true;
     }
@@ -1570 +1353 @@
     case AbsIntrinsic: {
         if (argumentCountIncludingThis == 1) { // Math.abs()
-            set(VirtualRegister(resultOperand), constantNaN());
+            set(VirtualRegister(resultOperand), addToGraph(JSConstant, OpInfo(m_constantNaN)));
             return true;
         }
@@ -1594 +1377 @@
     case SinIntrinsic: {
         if (argumentCountIncludingThis == 1) {
-            set(VirtualRegister(resultOperand), constantNaN());
+            set(VirtualRegister(resultOperand), addToGraph(JSConstant, OpInfo(m_constantNaN)));
             return true;
         }
@@ -1741 +1524 @@
         
     case DFGTrueIntrinsic: {
-        set(VirtualRegister(resultOperand), getJSConstantForValue(jsBoolean(true)));
+        set(VirtualRegister(resultOperand), jsConstant(jsBoolean(true)));
         return true;
     }
@@ -1747 +1530 @@
     case OSRExitIntrinsic: {
         addToGraph(ForceOSRExit);
-        set(VirtualRegister(resultOperand), constantUndefined());
+        set(VirtualRegister(resultOperand), addToGraph(JSConstant, OpInfo(m_constantUndefined)));
         return true;
     }
@@ -1753 +1536 @@
     case IsFinalTierIntrinsic: {
         set(VirtualRegister(resultOperand),
-            getJSConstantForValue(jsBoolean(Options::useFTLJIT() ? isFTL(m_graph.m_plan.mode) : true)));
+            jsConstant(jsBoolean(Options::useFTLJIT() ? isFTL(m_graph.m_plan.mode) : true)));
         return true;
     }
@@ -1763 +1546 @@
                 node->setHeapPrediction(SpecInt32);
         }
-        set(VirtualRegister(resultOperand), constantUndefined());
+        set(VirtualRegister(resultOperand), addToGraph(JSConstant, OpInfo(m_constantUndefined)));
         return true;
     }
@@ -1869 +1652 @@
         
         if (argumentCountIncludingThis <= 1)
-            result = cellConstant(m_vm->smallStrings.emptyString());
+            result = jsConstant(m_vm->smallStrings.emptyString());
         else
             result = addToGraph(ToString, get(virtualRegisterForArgument(1, registerOffset)));
@@ -1925 +1708 @@
 }
 
-Node* ByteCodeParser::emitPrototypeChecks(
-    Structure* structure, IntendedStructureChain* chain)
+void ByteCodeParser::emitChecks(const ConstantStructureCheckVector& vector)
 {
-    ASSERT(structure);
-    Node* base = 0;
-    m_graph.chains().addLazily(chain);
-    Structure* currentStructure = structure;
-    JSObject* currentObject = 0;
-    for (unsigned i = 0; i < chain->size(); ++i) {
-        currentObject = asObject(currentStructure->prototypeForLookup(m_inlineStackTop->m_codeBlock));
-        currentStructure = chain->at(i);
-        base = cellConstantWithStructureCheck(currentObject, currentStructure);
-    }
-    return base;
+    for (unsigned i = 0; i < vector.size(); ++i)
+        cellConstantWithStructureCheck(vector[i].constant(), vector[i].structure());
 }
 
@@ -1967 +1740 @@
         //    optimal, if there is some rarely executed case in the chain that requires a lot
         //    of checks and those checks are not watchpointable.
-        for (unsigned variantIndex = getByIdStatus.numVariants(); variantIndex--;) {
-            if (getByIdStatus[variantIndex].chain()) {
-                emitPrototypeChecks(
-                    getByIdStatus[variantIndex].structureSet().onlyStructure(),
-                    getByIdStatus[variantIndex].chain());
-            }
-        }
+        for (unsigned variantIndex = getByIdStatus.numVariants(); variantIndex--;)
+            emitChecks(getByIdStatus[variantIndex].constantChecks());
         
         // 2) Emit a MultiGetByOffset
@@ -1994 +1762 @@
     addToGraph(CheckStructure, OpInfo(m_graph.addStructureSet(variant.structureSet())), base);
     
-    if (variant.chain()) {
-        base = emitPrototypeChecks(
-            variant.structureSet().onlyStructure(), variant.chain());
-    }
+    emitChecks(variant.constantChecks());
+
+    if (variant.alternateBase())
+        base = weakJSConstant(variant.alternateBase());
     
     // Unless we want bugs like https://bugs.webkit.org/show_bug.cgi?id=88783, we need to
@@ -2010 +1778 @@
     Node* loadedValue;
     if (variant.specificValue())
-        loadedValue = cellConstant(variant.specificValue().asCell());
+        loadedValue = weakJSConstant(variant.specificValue());
     else {
         loadedValue = handleGetByOffset(
@@ -2094 +1862 @@
                 if (putByIdStatus[variantIndex].kind() != PutByIdVariant::Transition)
                     continue;
-                if (!putByIdStatus[variantIndex].structureChain())
-                    continue;
-                emitPrototypeChecks(
-                    putByIdStatus[variantIndex].oldStructure(),
-                    putByIdStatus[variantIndex].structureChain());
+                emitChecks(putByIdStatus[variantIndex].constantChecks());
             }
         }
@@ -2125 +1889 @@
     }
 
-    if (variant.structureChain() && !variant.structureChain()->isStillValid()) {
-        emitPutById(base, identifierNumber, value, putByIdStatus, isDirect);
-        return;
-    }
-    
-    m_graph.chains().addLazily(variant.structureChain());
-                
     addToGraph(CheckStructure, OpInfo(m_graph.addStructureSet(variant.oldStructure())), base);
-    if (!isDirect)
-        emitPrototypeChecks(variant.oldStructure(), variant.structureChain());
+    emitChecks(variant.constantChecks());
 
     ASSERT(variant.oldStructure()->transitionWatchpointSetHasBeenInvalidated());
@@ -2184 +1940 @@
 void ByteCodeParser::prepareToParseBlock()
 {
-    for (unsigned i = 0; i < m_constants.size(); ++i)
-        m_constants[i] = ConstantRecord();
-    m_cellConstantNodes.clear();
+    m_constants.resize(0);
 }
 
@@ -2218 +1972 @@
                 virtualRegisterForArgument(argument), m_codeBlock->isCaptured(virtualRegisterForArgument(argument)));
             variable->mergeStructureCheckHoistingFailed(
-                m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCache)
-                || m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCacheWatchpoint));
+                m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCache));
             variable->mergeCheckArrayHoistingFailed(
                 m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadIndexingType));
@@ -2265 +2018 @@
         // === Function entry opcodes ===
 
-        case op_enter:
+        case op_enter: {
+            Node* undefined = addToGraph(JSConstant, OpInfo(m_constantUndefined));
             // Initialize all locals to undefined.
             for (int i = 0; i < m_inlineStackTop->m_codeBlock->m_numVars; ++i)
-                set(virtualRegisterForLocal(i), constantUndefined(), ImmediateNakedSet);
+                set(virtualRegisterForLocal(i), undefined, ImmediateNakedSet);
             if (m_inlineStackTop->m_codeBlock->specializationKind() == CodeForConstruct)
-                set(virtualRegisterForArgument(0), constantUndefined(), ImmediateNakedSet);
+                set(virtualRegisterForArgument(0), undefined, ImmediateNakedSet);
             NEXT_OPCODE(op_enter);
+        }
             
         case op_touch_entry:
@@ -2286 +2041 @@
                     || m_inlineStackTop->m_profiledBlock->couldTakeSlowCase(m_currentIndex)
                     || m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCache)
-                    || m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCacheWatchpoint)
                     || (op1->op() == GetLocal && op1->variableAccessData()->structureCheckHoistingFailed())) {
                     setThis(addToGraph(ToThis, op1));
@@ -2303 +2057 @@
             Node* callee = get(VirtualRegister(calleeOperand));
             bool alreadyEmitted = false;
-            if (callee->op() == WeakJSConstant) {
-                JSCell* cell = callee->weakConstant();
-                ASSERT(cell->inherits(JSFunction::info()));
-                
-                JSFunction* function = jsCast<JSFunction*>(cell);
+            if (JSFunction* function = callee->dynamicCastConstant<JSFunction*>()) {
                 if (Structure* structure = function->allocationStructure()) {
-                    addToGraph(AllocationProfileWatchpoint, OpInfo(function));
+                    addToGraph(AllocationProfileWatchpoint, OpInfo(m_graph.freeze(function)));
                     // The callee is still live up to this point.
                     addToGraph(Phantom, callee);
@@ -2381 +2131 @@
                 set(VirtualRegister(currentInstruction[1].u.operand), get(VirtualRegister(JSStack::Callee)));
             } else {
+                FrozenValue* frozen = m_graph.freeze(cachedFunction);
                 ASSERT(cachedFunction->inherits(JSFunction::info()));
                 Node* actualCallee = get(VirtualRegister(JSStack::Callee));
-                addToGraph(CheckFunction, OpInfo(cachedFunction), actualCallee);
-                set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(WeakJSConstant, OpInfo(cachedFunction)));
+                addToGraph(CheckFunction, OpInfo(frozen), actualCallee);
+                set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(JSConstant, OpInfo(frozen)));
             }
             NEXT_OPCODE(op_get_callee);
@@ -2448 +2199 @@
             VirtualRegister srcDstVirtualRegister = VirtualRegister(srcDst);
             Node* op = get(srcDstVirtualRegister);
-            set(srcDstVirtualRegister, makeSafe(addToGraph(ArithAdd, op, one())));
+            set(srcDstVirtualRegister, makeSafe(addToGraph(ArithAdd, op, addToGraph(JSConstant, OpInfo(m_constantOne)))));
             NEXT_OPCODE(op_inc);
         }
@@ -2456 +2207 @@
             VirtualRegister srcDstVirtualRegister = VirtualRegister(srcDst);
             Node* op = get(srcDstVirtualRegister);
-            set(srcDstVirtualRegister, makeSafe(addToGraph(ArithSub, op, one())));
+            set(srcDstVirtualRegister, makeSafe(addToGraph(ArithSub, op, addToGraph(JSConstant, OpInfo(m_constantOne)))));
             NEXT_OPCODE(op_dec);
         }
@@ -2673 +2424 @@
         case op_eq_null: {
             Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
-            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(CompareEqConstant, value, constantNull()));
+            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(CompareEqConstant, value, addToGraph(JSConstant, OpInfo(m_constantNull))));
             NEXT_OPCODE(op_eq_null);
         }
@@ -2693 +2444 @@
         case op_neq_null: {
             Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
-            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(LogicalNot, addToGraph(CompareEqConstant, value, constantNull())));
+            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(LogicalNot, addToGraph(CompareEqConstant, value, addToGraph(JSConstant, OpInfo(m_constantNull)))));
             NEXT_OPCODE(op_neq_null);
         }
@@ -2818 +2569 @@
             unsigned relativeOffset = currentInstruction[2].u.operand;
             Node* value = get(VirtualRegister(currentInstruction[1].u.operand));
-            Node* condition = addToGraph(CompareEqConstant, value, constantNull());
+            Node* condition = addToGraph(CompareEqConstant, value, addToGraph(JSConstant, OpInfo(m_constantNull)));
             addToGraph(Branch, OpInfo(branchData(m_currentIndex + relativeOffset, m_currentIndex + OPCODE_LENGTH(op_jeq_null))), condition);
             LAST_OPCODE(op_jeq_null);
@@ -2826 +2577 @@
             unsigned relativeOffset = currentInstruction[2].u.operand;
             Node* value = get(VirtualRegister(currentInstruction[1].u.operand));
-            Node* condition = addToGraph(CompareEqConstant, value, constantNull());
+            Node* condition = addToGraph(CompareEqConstant, value, addToGraph(JSConstant, OpInfo(m_constantNull)));
             addToGraph(Branch, OpInfo(branchData(m_currentIndex + OPCODE_LENGTH(op_jneq_null), m_currentIndex + relativeOffset)), condition);
             LAST_OPCODE(op_jneq_null);
@@ -2915 +2666 @@
                 if (target == data.fallThrough.bytecodeIndex())
                     continue;
-                data.cases.append(SwitchCase::withBytecodeIndex(jsNumber(static_cast<int32_t>(table.min + i)), target));
+                data.cases.append(SwitchCase::withBytecodeIndex(m_graph.freeze(jsNumber(static_cast<int32_t>(table.min + i))), target));
             }
             flushIfTerminal(data);
@@ -3066 +2817 @@
             addToGraph(
                 CheckFunction,
-                OpInfo(actualPointerFor(m_inlineStackTop->m_codeBlock, currentInstruction[2].u.specialPointer)),
+                OpInfo(m_graph.freeze(static_cast<JSCell*>(actualPointerFor(
+                    m_inlineStackTop->m_codeBlock, currentInstruction[2].u.specialPointer)))),
                 get(VirtualRegister(currentInstruction[1].u.operand)));
             addToGraph(Jump, OpInfo(m_currentIndex + OPCODE_LENGTH(op_jneq_ptr)));
@@ -3085 +2837 @@
             case GlobalPropertyWithVarInjectionChecks:
             case GlobalVarWithVarInjectionChecks:
-                set(VirtualRegister(dst), cellConstant(m_inlineStackTop->m_codeBlock->globalObject()));
+                set(VirtualRegister(dst), weakJSConstant(m_inlineStackTop->m_codeBlock->globalObject()));
                 break;
             case ClosureVar:
@@ -3093 +2845 @@
                     && activation->symbolTable()->m_functionEnteredOnce.isStillValid()) {
                     addToGraph(FunctionReentryWatchpoint, OpInfo(activation->symbolTable()));
-                    set(VirtualRegister(dst), cellConstant(activation));
+                    set(VirtualRegister(dst), weakJSConstant(activation));
                     break;
                 }
@@ -3142 +2894 @@
                 addToGraph(Phantom, get(VirtualRegister(scope)));
                 if (JSValue specificValue = status[0].specificValue())
-                    set(VirtualRegister(dst), cellConstant(specificValue.asCell()));
+                    set(VirtualRegister(dst), weakJSConstant(specificValue.asCell()));
                 else
                     set(VirtualRegister(dst), handleGetByOffset(prediction, base, identifierNumber, operand));
@@ -3161 +2913 @@
                 
                 addToGraph(VariableWatchpoint, OpInfo(watchpointSet));
-                set(VirtualRegister(dst), inferredConstant(specificValue));
+                set(VirtualRegister(dst), weakJSConstant(specificValue));
                 break;
             }
@@ -3177 +2929 @@
                             addToGraph(Phantom, scopeNode);
                             addToGraph(VariableWatchpoint, OpInfo(watchpointSet));
-                            set(VirtualRegister(dst), inferredConstant(value));
+                            set(VirtualRegister(dst), weakJSConstant(value));
                             break;
                         }
@@ -3278 +3030 @@
             
         case op_init_lazy_reg: {
-            set(VirtualRegister(currentInstruction[1].u.operand), getJSConstantForValue(JSValue()));
+            set(VirtualRegister(currentInstruction[1].u.operand), jsConstant(JSValue()));
             ASSERT(operandIsLocal(currentInstruction[1].u.operand));
             m_graph.m_lazyVars.set(VirtualRegister(currentInstruction[1].u.operand).toLocal());
@@ -3433 +3185 @@
     for (size_t i = 0; i < m_codeBlock->numberOfIdentifiers(); ++i)
         m_identifierMap.add(m_codeBlock->identifier(i).impl(), i);
-    for (size_t i = 0; i < m_codeBlock->numberOfConstantRegisters(); ++i) {
-        JSValue value = m_codeBlock->getConstant(i + FirstConstantRegisterIndex);
-        if (!value)
-            m_emptyJSValueIndex = i + FirstConstantRegisterIndex;
-        else
-            m_jsValueMap.add(JSValue::encode(value), i + FirstConstantRegisterIndex);
-    }
     
     m_haveBuiltOperandMaps = true;
@@ -3537 +3282 @@
         
         m_identifierRemap.resize(codeBlock->numberOfIdentifiers());
-        m_constantRemap.resize(codeBlock->numberOfConstantRegisters());
         m_constantBufferRemap.resize(codeBlock->numberOfConstantBuffers());
         m_switchRemap.resize(codeBlock->numberOfSwitchJumpTables());
@@ -3547 +3291 @@
                 byteCodeParser->m_graph.identifiers().addLazily(rep);
             m_identifierRemap[i] = result.iterator->value;
-        }
-        for (size_t i = 0; i < codeBlock->numberOfConstantRegisters(); ++i) {
-            JSValue value = codeBlock->getConstant(i + FirstConstantRegisterIndex);
-            if (!value) {
-                if (byteCodeParser->m_emptyJSValueIndex == UINT_MAX) {
-                    byteCodeParser->m_emptyJSValueIndex = byteCodeParser->m_codeBlock->numberOfConstantRegisters() + FirstConstantRegisterIndex;
-                    byteCodeParser->addConstant(JSValue());
-                    byteCodeParser->m_constants.append(ConstantRecord());
-                }
-                m_constantRemap[i] = byteCodeParser->m_emptyJSValueIndex;
-                continue;
-            }
-            JSValueMap::AddResult result = byteCodeParser->m_jsValueMap.add(JSValue::encode(value), byteCodeParser->m_codeBlock->numberOfConstantRegisters() + FirstConstantRegisterIndex);
-            if (result.isNewEntry) {
-                byteCodeParser->addConstant(value);
-                byteCodeParser->m_constants.append(ConstantRecord());
-            }
-            m_constantRemap[i] = result.iterator->value;
         }
         for (unsigned i = 0; i < codeBlock->numberOfConstantBuffers(); ++i) {
@@ -3596 +3322 @@
 
         m_identifierRemap.resize(codeBlock->numberOfIdentifiers());
-        m_constantRemap.resize(codeBlock->numberOfConstantRegisters());
         m_constantBufferRemap.resize(codeBlock->numberOfConstantBuffers());
         m_switchRemap.resize(codeBlock->numberOfSwitchJumpTables());
         for (size_t i = 0; i < codeBlock->numberOfIdentifiers(); ++i)
             m_identifierRemap[i] = i;
-        for (size_t i = 0; i < codeBlock->numberOfConstantRegisters(); ++i)
-            m_constantRemap[i] = i + FirstConstantRegisterIndex;
         for (size_t i = 0; i < codeBlock->numberOfConstantBuffers(); ++i)
             m_constantBufferRemap[i] = i;
@@ -3610 +3333 @@
     }
     
-    for (size_t i = 0; i < m_constantRemap.size(); ++i)
-        ASSERT(m_constantRemap[i] >= static_cast<unsigned>(FirstConstantRegisterIndex));
-    
     byteCodeParser->m_inlineStackTop = this;
 }
@@ -3618 +3338 @@
 void ByteCodeParser::parseCodeBlock()
 {
+    prepareToParseBlock();
+    
     CodeBlock* codeBlock = m_inlineStackTop->m_codeBlock;