Changeset 171648 in webkit for trunk/Source/JavaScriptCore/dfg

Timestamp:

Jul 26, 2014, 12:06:44 PM (11 years ago)

Author:

[email protected]

Message:

Unreviewed, roll out r171641-r171644. It broke some tests; will investigate and
reland later.

Source/JavaScriptCore:

• CMakeLists.txt:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/BytecodeList.json:
• bytecode/BytecodeUseDef.h:

(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::printPutByIdCacheStatus): Deleted.

• bytecode/CodeBlock.h:
• bytecode/GetByIdStatus.cpp:

(JSC::GetByIdStatus::computeForStubInfo):
(JSC::GetByIdStatus::computeFor):

• bytecode/GetByIdStatus.h:
• bytecode/GetByIdVariant.cpp:

(JSC::GetByIdVariant::dumpInContext):

• bytecode/GetByIdVariant.h:

(JSC::GetByIdVariant::structureSet):

• bytecode/Instruction.h:
• bytecode/PutByIdStatus.cpp:

(JSC::PutByIdStatus::appendVariant):
(JSC::PutByIdStatus::computeForStubInfo):
(JSC::PutByIdStatus::computeFor):

• bytecode/PutByIdStatus.h:
• bytecode/PutByIdVariant.cpp:

(JSC::PutByIdVariant::dumpInContext):
(JSC::PutByIdVariant::oldStructureForTransition): Deleted.
(JSC::PutByIdVariant::writesStructures): Deleted.
(JSC::PutByIdVariant::reallocatesStorage): Deleted.
(JSC::PutByIdVariant::attemptToMerge): Deleted.
(JSC::PutByIdVariant::attemptToMergeTransitionWithReplace): Deleted.

• bytecode/PutByIdVariant.h:

(JSC::PutByIdVariant::PutByIdVariant):
(JSC::PutByIdVariant::replace):
(JSC::PutByIdVariant::transition):
(JSC::PutByIdVariant::structure):
(JSC::PutByIdVariant::oldStructure):
(JSC::PutByIdVariant::newStructure):
(JSC::PutByIdVariant::constantChecks):

• bytecode/StructureSet.cpp:

(JSC::StructureSet::filter): Deleted.
(JSC::StructureSet::filterArrayModes): Deleted.

• bytecode/StructureSet.h:

(JSC::StructureSet::onlyStructure):

• bytecode/ToThisStatus.cpp: Removed.
• bytecode/ToThisStatus.h: Removed.
• bytecode/TypeLocation.h: Removed.
• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitMove):
(JSC::BytecodeGenerator::emitPutToScope):
(JSC::BytecodeGenerator::emitPutById):
(JSC::BytecodeGenerator::emitPutByVal):
(JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.

• bytecompiler/BytecodeGenerator.h:

(JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.

• bytecompiler/NodesCodegen.cpp:

(JSC::PostfixNode::emitResolve):
(JSC::PrefixNode::emitResolve):
(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::ConstDeclNode::emitCodeSingle):
(JSC::ForInNode::emitBytecode):

• debugger/DebuggerActivation.cpp: Added.

(JSC::DebuggerActivation::DebuggerActivation):
(JSC::DebuggerActivation::finishCreation):
(JSC::DebuggerActivation::visitChildren):
(JSC::DebuggerActivation::className):
(JSC::DebuggerActivation::getOwnPropertySlot):
(JSC::DebuggerActivation::put):
(JSC::DebuggerActivation::deleteProperty):
(JSC::DebuggerActivation::getOwnPropertyNames):
(JSC::DebuggerActivation::defineOwnProperty):

• debugger/DebuggerActivation.h: Added.

(JSC::DebuggerActivation::create):
(JSC::DebuggerActivation::createStructure):

• debugger/DebuggerScope.cpp: Removed.
• debugger/DebuggerScope.h: Removed.
• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):

• dfg/DFGAbstractValue.cpp:

(JSC::DFG::AbstractValue::changeStructure): Deleted.
(JSC::DFG::AbstractValue::contains): Deleted.

• dfg/DFGAbstractValue.h:

(JSC::DFG::AbstractValue::couldBeType):
(JSC::DFG::AbstractValue::isType):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
(JSC::DFG::ConstantFoldingPhase::addBaseCheck): Deleted.
(JSC::DFG::ConstantFoldingPhase::addChecks): Deleted.

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGGraph.cpp:

(JSC::DFG::Graph::visitChildren):
(JSC::DFG::Graph::freezeStrong):

• dfg/DFGGraph.h:
• dfg/DFGNode.cpp:

(JSC::DFG::MultiPutByOffsetData::writesStructures):
(JSC::DFG::MultiPutByOffsetData::reallocatesStorage):

• dfg/DFGNode.h:

(JSC::DFG::Node::convertToPutByOffset):
(JSC::DFG::Node::hasTransition):
(JSC::DFG::Node::convertToMultiGetByOffset): Deleted.
(JSC::DFG::Node::convertToMultiPutByOffset): Deleted.

• dfg/DFGNodeType.h:
• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compileLogicalNot):
(JSC::DFG::SpeculativeJIT::emitBranch):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGStructureAbstractValue.cpp:

(JSC::DFG::StructureAbstractValue::observeTransition):
(JSC::DFG::StructureAbstractValue::observeTransitions):

• dfg/DFGStructureAbstractValue.h:

(JSC::DFG::StructureAbstractValue::onlyStructure):
(JSC::DFG::StructureAbstractValue::operator=): Deleted.
(JSC::DFG::StructureAbstractValue::set): Deleted.

• dfg/DFGValidate.cpp:

(JSC::DFG::Validate::validate):

• dfg/DFGWatchableStructureWatchingPhase.cpp:

(JSC::DFG::WatchableStructureWatchingPhase::run):

• ftl/FTLAbbreviations.h:

(JSC::FTL::getLinkage): Deleted.

• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
(JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
(JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
(JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):

• heap/Heap.cpp:

(JSC::Heap::collect):

• inspector/agents/InspectorRuntimeAgent.cpp:

(Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.

• inspector/agents/InspectorRuntimeAgent.h:
• inspector/protocol/Runtime.json:
• jsc.cpp:

(GlobalObject::finishCreation):
(functionDumpTypesForAllVariables): Deleted.

• llint/LLIntData.cpp:

(JSC::LLInt::Data::performAssertions):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::putToScopeCommon): Deleted.

• llint/LLIntSlowPaths.h:
• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/ArrayBufferNeuteringWatchpoint.cpp:

(JSC::ArrayBufferNeuteringWatchpoint::createStructure):

• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

• runtime/Executable.h:

(JSC::ExecutableBase::createStructure):
(JSC::NativeExecutable::createStructure):

• runtime/HighFidelityLog.cpp: Removed.
• runtime/HighFidelityLog.h: Removed.
• runtime/HighFidelityTypeProfiler.cpp: Removed.
• runtime/HighFidelityTypeProfiler.h: Removed.
• runtime/JSObject.cpp:

(JSC::JSObject::putDirectCustomAccessor):
(JSC::JSObject::putDirectNonIndexAccessor):
(JSC::JSObject::reifyStaticFunctionsForDelete):

• runtime/JSPromiseDeferred.h:

(JSC::JSPromiseDeferred::createStructure):

• runtime/JSPromiseReaction.h:

(JSC::JSPromiseReaction::createStructure):

• runtime/JSPropertyNameIterator.h:

(JSC::JSPropertyNameIterator::createStructure):

• runtime/JSType.h:
• runtime/JSTypeInfo.h:

(JSC::TypeInfo::TypeInfo):

• runtime/MapData.h:

(JSC::MapData::createStructure):

• runtime/Options.h:
• runtime/PropertyMapHashTable.h:

(JSC::PropertyTable::createStructure):

• runtime/RegExp.h:

(JSC::RegExp::createStructure):

• runtime/SparseArrayValueMap.cpp:

(JSC::SparseArrayValueMap::createStructure):

• runtime/Structure.cpp:

(JSC::StructureTransitionTable::contains):
(JSC::StructureTransitionTable::get):
(JSC::StructureTransitionTable::add):
(JSC::Structure::Structure):
(JSC::Structure::materializePropertyMap):
(JSC::Structure::addPropertyTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::freezeTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::takePropertyTableOrCloneIfPinned):
(JSC::Structure::nonPropertyTransition):
(JSC::Structure::flattenDictionaryStructure):
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::pin):
(JSC::Structure::allocateRareData):
(JSC::Structure::cloneRareDataFrom):
(JSC::Structure::getConcurrently):
(JSC::Structure::putSpecificValue):
(JSC::Structure::getPropertyNamesFromStructure):
(JSC::Structure::visitChildren):
(JSC::Structure::checkConsistency):
(JSC::Structure::toStructureShape): Deleted.

• runtime/Structure.h:

(JSC::Structure::isExtensible):
(JSC::Structure::didTransition):
(JSC::Structure::isDictionary):
(JSC::Structure::isUncacheableDictionary):
(JSC::Structure::hasBeenFlattenedBefore):
(JSC::Structure::propertyAccessesAreCacheable):
(JSC::Structure::previousID):
(JSC::Structure::hasGetterSetterProperties):
(JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto):
(JSC::Structure::setHasGetterSetterProperties):
(JSC::Structure::hasCustomGetterSetterProperties):
(JSC::Structure::setHasCustomGetterSetterProperties):
(JSC::Structure::setContainsReadOnlyProperties):
(JSC::Structure::hasNonEnumerableProperties):
(JSC::Structure::disableSpecificFunctionTracking):
(JSC::Structure::objectToStringValue):
(JSC::Structure::setObjectToStringValue):
(JSC::Structure::staticFunctionsReified):
(JSC::Structure::setStaticFunctionsReified):
(JSC::Structure::transitionWatchpointSet):
(JSC::Structure::setPreviousID):
(JSC::Structure::clearPreviousID):
(JSC::Structure::previous):
(JSC::Structure::rareData):
(JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck): Deleted.
(JSC::Structure::setHasCustomGetterSetterPropertiesWithProtoCheck): Deleted.

• runtime/StructureChain.h:

(JSC::StructureChain::createStructure):

• runtime/StructureInlines.h:

(JSC::Structure::setEnumerationCache):
(JSC::Structure::enumerationCache):
(JSC::Structure::checkOffsetConsistency):

• runtime/StructureRareData.cpp:

(JSC::StructureRareData::createStructure):

• runtime/SymbolTable.cpp:

(JSC::SymbolTable::SymbolTable):
(JSC::SymbolTable::cloneCapturedNames):
(JSC::SymbolTable::uniqueIDForVariable): Deleted.
(JSC::SymbolTable::uniqueIDForRegister): Deleted.
(JSC::SymbolTable::globalTypeSetForRegister): Deleted.
(JSC::SymbolTable::globalTypeSetForVariable): Deleted.

• runtime/SymbolTable.h:

(JSC::SymbolTable::createStructure):
(JSC::SymbolTable::add):
(JSC::SymbolTable::set):

• runtime/TypeSet.cpp: Removed.
• runtime/TypeSet.h: Removed.
• runtime/VM.cpp:

(JSC::VM::VM):
(JSC::VM::getTypesForVariableInRange): Deleted.
(JSC::VM::updateHighFidelityTypeProfileState): Deleted.
(JSC::VM::dumpHighFidelityProfilingTypes): Deleted.

• runtime/VM.h:

(JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
(JSC::VM::highFidelityLog): Deleted.
(JSC::VM::highFidelityTypeProfiler): Deleted.
(JSC::VM::nextLocation): Deleted.
(JSC::VM::getNextUniqueVariableID): Deleted.

• runtime/WeakMapData.h:

(JSC::WeakMapData::createStructure):

• tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Removed.
• tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Removed.
• tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Removed.

Source/WebCore:

• ForwardingHeaders/debugger/DebuggerActivation.h: Added.

Source/WebKit/mac:

• WebView/WebScriptDebugDelegate.mm:

Source/WTF:

• wtf/text/WTFString.h:

LayoutTests:

• js/regress/fold-get-by-id-to-multi-get-by-offset-expected.txt: Removed.
• js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int-expected.txt: Removed.
• js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int.html: Removed.
• js/regress/fold-get-by-id-to-multi-get-by-offset.html: Removed.
• js/regress/fold-multi-get-by-offset-to-get-by-offset-expected.txt: Removed.
• js/regress/fold-multi-get-by-offset-to-get-by-offset.html: Removed.
• js/regress/fold-multi-get-by-offset-to-poly-get-by-offset-expected.txt: Removed.
• js/regress/fold-multi-get-by-offset-to-poly-get-by-offset.html: Removed.
• js/regress/fold-multi-put-by-offset-to-poly-put-by-offset-expected.txt: Removed.
• js/regress/fold-multi-put-by-offset-to-poly-put-by-offset.html: Removed.
• js/regress/fold-multi-put-by-offset-to-put-by-offset-expected.txt: Removed.
• js/regress/fold-multi-put-by-offset-to-put-by-offset.html: Removed.
• js/regress/fold-multi-put-by-offset-to-replace-or-transition-put-by-offset-expected.txt: Removed.
• js/regress/fold-multi-put-by-offset-to-replace-or-transition-put-by-offset.html: Removed.
• js/regress/fold-put-by-id-to-multi-put-by-offset-expected.txt: Removed.
• js/regress/fold-put-by-id-to-multi-put-by-offset.html: Removed.
• js/regress/fold-put-structure-expected.txt: Removed.
• js/regress/fold-put-structure.html: Removed.
• js/regress/hoist-poly-check-structure-effectful-loop-expected.txt: Removed.
• js/regress/hoist-poly-check-structure-effectful-loop.html: Removed.
• js/regress/hoist-poly-check-structure-expected.txt: Removed.
• js/regress/hoist-poly-check-structure.html: Removed.
• js/regress/put-by-id-replace-and-transition-expected.txt: Removed.
• js/regress/put-by-id-replace-and-transition.html: Removed.
• js/regress/put-by-id-slightly-polymorphic-expected.txt: Removed.
• js/regress/put-by-id-slightly-polymorphic.html: Removed.
• js/regress/script-tests/fold-get-by-id-to-multi-get-by-offset-rare-int.js: Removed.
• js/regress/script-tests/fold-get-by-id-to-multi-get-by-offset.js: Removed.
• js/regress/script-tests/fold-multi-get-by-offset-to-get-by-offset.js: Removed.
• js/regress/script-tests/fold-multi-get-by-offset-to-poly-get-by-offset.js: Removed.
• js/regress/script-tests/fold-multi-put-by-offset-to-poly-put-by-offset.js: Removed.
• js/regress/script-tests/fold-multi-put-by-offset-to-put-by-offset.js: Removed.
• js/regress/script-tests/fold-multi-put-by-offset-to-replace-or-transition-put-by-offset.js: Removed.
• js/regress/script-tests/fold-put-by-id-to-multi-put-by-offset.js: Removed.
• js/regress/script-tests/fold-put-structure.js: Removed.
• js/regress/script-tests/hoist-poly-check-structure-effectful-loop.js: Removed.
• js/regress/script-tests/hoist-poly-check-structure.js: Removed.
• js/regress/script-tests/put-by-id-replace-and-transition.js: Removed.
• js/regress/script-tests/put-by-id-slightly-polymorphic.js: Removed.

Location:

trunk/Source/JavaScriptCore/dfg

Files:

• DFGAbstractInterpreterInlines.h (modified) (7 diffs)
• DFGAbstractValue.cpp (modified) (2 diffs)
• DFGAbstractValue.h (modified) (2 diffs)
• DFGByteCodeParser.cpp (modified) (5 diffs)
• DFGClobberize.h (modified) (1 diff)
• DFGConstantFoldingPhase.cpp (modified) (14 diffs)
• DFGDoesGC.cpp (modified) (1 diff)
• DFGFixupPhase.cpp (modified) (1 diff)
• DFGGraph.cpp (modified) (3 diffs)
• DFGGraph.h (modified) (1 diff)
• DFGNode.cpp (modified) (2 diffs)
• DFGNode.h (modified) (3 diffs)
• DFGNodeType.h (modified) (1 diff)
• DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• DFGSafeToExecute.h (modified) (1 diff)
• DFGSpeculativeJIT.cpp (modified) (1 diff)
• DFGSpeculativeJIT32_64.cpp (modified) (3 diffs)
• DFGSpeculativeJIT64.cpp (modified) (43 diffs)
• DFGStructureAbstractValue.cpp (modified) (3 diffs)
• DFGStructureAbstractValue.h (modified) (3 diffs)
• DFGValidate.cpp (modified) (1 diff)
• DFGWatchableStructureWatchingPhase.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -1389 +1389 @@
             
     case GetById:
-    case GetByIdFlush: {
+    case GetByIdFlush:
         if (!node->prediction()) {
             m_state.setIsValid(false);
             break;
         }
-        
-        AbstractValue& value = forNode(node->child1());
-        if (!value.m_structure.isTop() && !value.m_structure.isClobbered()
-            && (node->child1().useKind() == CellUse || !(value.m_type & ~SpecCell))) {
-            GetByIdStatus status = GetByIdStatus::computeFor(
-                m_graph.m_vm, value.m_structure.set(),
-                m_graph.identifiers()[node->identifierNumber()]);
-            if (status.isSimple()) {
-                // Figure out what the result is going to be - is it TOP, a constant, or maybe
-                // something more subtle?
-                AbstractValue result;
-                for (unsigned i = status.numVariants(); i--;) {
-                    if (!status[i].specificValue()) {
-                        result.makeHeapTop();
-                        break;
-                    }
+        if (isCellSpeculation(node->child1()->prediction())) {
+            // This use of onlyStructure() should be replaced by giving GetByIdStatus the ability
+            // to compute things based on a StructureSet, and then to factor ByteCodeParser's
+            // ability to generate code based on a GetByIdStatus out of ByteCodeParser so that
+            // ConstantFoldingPhase can use it.
+            // https://bugs.webkit.org/show_bug.cgi?id=133229
+            if (Structure* structure = forNode(node->child1()).m_structure.onlyStructure()) {
+                GetByIdStatus status = GetByIdStatus::computeFor(
+                    m_graph.m_vm, structure,
+                    m_graph.identifiers()[node->identifierNumber()]);
+                if (status.isSimple() && status.numVariants() == 1) {
+                    // Assert things that we can't handle and that the computeFor() method
+                    // above won't be able to return.
+                    ASSERT(status[0].structureSet().size() == 1);
+                    ASSERT(status[0].constantChecks().isEmpty());
+                    ASSERT(!status[0].alternateBase());
                     
-                    AbstractValue thisResult;
-                    thisResult.set(
-                        m_graph, *m_graph.freeze(status[i].specificValue()),
-                        m_state.structureClobberState());
-                    result.merge(thisResult);
-                }
-                if (status.numVariants() == 1 || isFTL(m_graph.m_plan.mode))
+                    if (status[0].specificValue()) {
+                        if (status[0].specificValue().isCell()) {
+                            Structure* structure = status[0].specificValue().asCell()->structure();
+                            m_graph.watchpoints().consider(structure);
+                        }
+                        setConstant(node, *m_graph.freeze(status[0].specificValue()));
+                    } else
+                        forNode(node).makeHeapTop();
+                    filter(node->child1(), status[0].structureSet());
+                    
                     m_state.setFoundConstants(true);
-                forNode(node) = result;
-                break;
-            }
-        }
-
+                    break;
+                }
+            }
+        }
         clobberWorld(node->origin.semantic, clobberLimit);
         forNode(node).makeHeapTop();
         break;
-    }
             
     case GetArrayLength:
@@ -1462 +1463 @@
         
     case PutStructure:
+    case PhantomPutStructure:
         if (!forNode(node->child1()).m_structure.isClear()) {
-            if (forNode(node->child1()).m_structure.onlyStructure() == node->transition()->next)
-                m_state.setFoundConstants(true);
-            else {
-                observeTransition(
-                    clobberLimit, node->transition()->previous, node->transition()->next);
-                forNode(node->child1()).changeStructure(m_graph, node->transition()->next);
-            }
+            observeTransition(
+                clobberLimit, node->transition()->previous, node->transition()->next);
+            forNode(node->child1()).set(m_graph, node->transition()->next);
         }
         break;
@@ -1598 +1596 @@
         
     case MultiGetByOffset: {
-        // This code will filter the base value in a manner that is possibly different (either more
-        // or less precise) than the way it would be filtered if this was strength-reduced to a
-        // CheckStructure. This is fine. It's legal for different passes over the code to prove
-        // different things about the code, so long as all of them are sound. That even includes
-        // one guy proving that code should never execute (due to a contradiction) and another guy
-        // not finding that contradiction. If someone ever proved that there would be a
-        // contradiction then there must always be a contradiction even if subsequent passes don't
-        // realize it. This is the case here.
-        
-        // Ordinarily you have to be careful with calling setFoundConstants()
-        // because of the effect on compile times, but this node is FTL-only.
-        m_state.setFoundConstants(true);
-        
-        AbstractValue base = forNode(node->child1());
-        StructureSet baseSet;
-        AbstractValue result;
-        for (unsigned i = node->multiGetByOffsetData().variants.size(); i--;) {
-            GetByIdVariant& variant = node->multiGetByOffsetData().variants[i];
-            StructureSet set = variant.structureSet();
-            set.filter(base);
-            if (set.isEmpty())
-                continue;
-            baseSet.merge(set);
-            if (!variant.specificValue()) {
-                result.makeHeapTop();
-                continue;
-            }
-            AbstractValue thisResult;
-            thisResult.set(
-                m_graph,
-                *m_graph.freeze(variant.specificValue()),
-                m_state.structureClobberState());
-            result.merge(thisResult);
-        }
-        
-        if (forNode(node->child1()).changeStructure(m_graph, baseSet) == Contradiction)
-            m_state.setIsValid(false);
-        
-        forNode(node) = result;
+        AbstractValue& value = forNode(node->child1());
+        ASSERT(!(value.m_type & ~SpecCell)); // Edge filtering should have already ensured this.
+
+        // This should just filter down the cases in MultiGetByOffset. If that results in all
+        // cases having the same offset then we should strength reduce it to a CheckStructure +
+        // GetByOffset.
+        // https://bugs.webkit.org/show_bug.cgi?id=133229
+        if (Structure* structure = value.m_structure.onlyStructure()) {
+            bool done = false;
+            for (unsigned i = node->multiGetByOffsetData().variants.size(); i--;) {
+                const GetByIdVariant& variant = node->multiGetByOffsetData().variants[i];
+                if (!variant.structureSet().contains(structure))
+                    continue;
+                
+                if (variant.alternateBase())
+                    break;
+                
+                filter(value, structure);
+                forNode(node).makeHeapTop();
+                m_state.setFoundConstants(true);
+                done = true;
+                break;
+            }
+            if (done)
+                break;
+        }
+        
+        StructureSet set;
+        for (unsigned i = node->multiGetByOffsetData().variants.size(); i--;)
+            set.merge(node->multiGetByOffsetData().variants[i].structureSet());
+        
+        filter(node->child1(), set);
+        forNode(node).makeHeapTop();
         break;
     }
@@ -1645 +1637 @@
         
     case MultiPutByOffset: {
+        AbstractValue& value = forNode(node->child1());
+        ASSERT(!(value.m_type & ~SpecCell)); // Edge filtering should have already ensured this.
+
+        // This should just filter down the cases in MultiPutByOffset. If that results in either
+        // one case, or nothing but replace cases and they have the same offset, then we should
+        // just strength reduce it to the appropriate combination of CheckStructure,
+        // [Re]AllocatePropertyStorage, PutStructure, and PutByOffset.
+        // https://bugs.webkit.org/show_bug.cgi?id=133229
+        if (Structure* structure = value.m_structure.onlyStructure()) {
+            bool done = false;
+            for (unsigned i = node->multiPutByOffsetData().variants.size(); i--;) {
+                const PutByIdVariant& variant = node->multiPutByOffsetData().variants[i];
+                if (variant.oldStructure() != structure)
+                    continue;
+                
+                if (variant.kind() == PutByIdVariant::Replace) {
+                    filter(node->child1(), structure);
+                    m_state.setFoundConstants(true);
+                    done = true;
+                    break;
+                }
+                
+                ASSERT(variant.kind() == PutByIdVariant::Transition);
+                clobberStructures(clobberLimit);
+                forNode(node->child1()).set(m_graph, variant.newStructure());
+                m_state.setFoundConstants(true);
+                done = true;
+                break;
+            }
+            if (done)
+                break;
+        }
+        
+        StructureSet oldSet;
         StructureSet newSet;
         TransitionVector transitions;
-        
-        // Ordinarily you have to be careful with calling setFoundConstants()
-        // because of the effect on compile times, but this node is FTL-only.
-        m_state.setFoundConstants(true);
-        
-        AbstractValue base = forNode(node->child1());
-        
         for (unsigned i = node->multiPutByOffsetData().variants.size(); i--;) {
             const PutByIdVariant& variant = node->multiPutByOffsetData().variants[i];
-            StructureSet thisSet = variant.oldStructure();
-            thisSet.filter(base);
-            if (thisSet.isEmpty())
-                continue;
+            oldSet.add(variant.oldStructure());
             if (variant.kind() == PutByIdVariant::Transition) {
-                if (thisSet.onlyStructure() != variant.newStructure()) {
-                    transitions.append(
-                        Transition(variant.oldStructureForTransition(), variant.newStructure()));
-                } // else this is really a replace.
+                transitions.append(Transition(variant.oldStructure(), variant.newStructure()));
                 newSet.add(variant.newStructure());
             } else {
                 ASSERT(variant.kind() == PutByIdVariant::Replace);
-                newSet.merge(thisSet);
-            }
-        }
-        
+                newSet.add(variant.oldStructure());
+            }
+        }
+        
+        filter(node->child1(), oldSet);
         observeTransitions(clobberLimit, transitions);
-        if (forNode(node->child1()).changeStructure(m_graph, newSet) == Contradiction)
-            m_state.setIsValid(false);
+        forNode(node->child1()).set(m_graph, newSet);
         break;
     }
@@ -1703 +1716 @@
     case PutById:
     case PutByIdFlush:
-    case PutByIdDirect: {
-        AbstractValue& value = forNode(node->child1());
-        if (!value.m_structure.isTop() && !value.m_structure.isClobbered()) {
+    case PutByIdDirect:
+        // This use of onlyStructure() should be replaced by giving PutByIdStatus the ability
+        // to compute things based on a StructureSet, and then to factor ByteCodeParser's
+        // ability to generate code based on a PutByIdStatus out of ByteCodeParser so that
+        // ConstantFoldingPhase can use it.
+        // https://bugs.webkit.org/show_bug.cgi?id=133229
+        if (Structure* structure = forNode(node->child1()).m_structure.onlyStructure()) {
             PutByIdStatus status = PutByIdStatus::computeFor(
                 m_graph.m_vm,
                 m_graph.globalObjectFor(node->origin.semantic),
-                value.m_structure.set(),
+                structure,
                 m_graph.identifiers()[node->identifierNumber()],
                 node->op() == PutByIdDirect);
-            
-            if (status.isSimple()) {
-                StructureSet newSet;
-                TransitionVector transitions;
-                
-                for (unsigned i = status.numVariants(); i--;) {
-                    const PutByIdVariant& variant = status[i];
-                    if (variant.kind() == PutByIdVariant::Transition) {
-                        transitions.append(
-                            Transition(
-                                variant.oldStructureForTransition(), variant.newStructure()));
-                        m_graph.watchpoints().consider(variant.newStructure());
-                        newSet.add(variant.newStructure());
-                    } else {
-                        ASSERT(variant.kind() == PutByIdVariant::Replace);
-                        newSet.merge(variant.oldStructure());
-                    }
-                }
-                
-                if (status.numVariants() == 1 || isFTL(m_graph.m_plan.mode))
+            if (status.isSimple() && status.numVariants() == 1) {
+                if (status[0].kind() == PutByIdVariant::Replace) {
+                    filter(node->child1(), structure);
                     m_state.setFoundConstants(true);
-                
-                observeTransitions(clobberLimit, transitions);
-                if (forNode(node->child1()).changeStructure(m_graph, newSet) == Contradiction)
-                    m_state.setIsValid(false);
-                break;
-            }
-        }
-        
+                    break;
+                }
+                if (status[0].kind() == PutByIdVariant::Transition
+                    && structure->transitionWatchpointSetHasBeenInvalidated()) {
+                    m_graph.watchpoints().consider(status[0].newStructure());
+                    clobberStructures(clobberLimit);
+                    forNode(node->child1()).set(m_graph, status[0].newStructure());
+                    m_state.setFoundConstants(true);
+                    break;
+                }
+            }
+        }
         clobberWorld(node->origin.semantic, clobberLimit);
         break;
-    }
         
     case In:
@@ -1946 +1949 @@
     AbstractValue::TransitionObserver transitionObserver(from, to);
     forAllValues(clobberLimit, transitionObserver);
-    
-    ASSERT(!from->dfgShouldWatch()); // We don't need to claim to be in a clobbered state because 'from' was never watchable (during the time we were compiling), hence no constants ever introduced into the DFG IR that ever had a watchable structure would ever have the same structure as from.
+    setDidClobber();
 }
 
@@ -1956 +1958 @@
     AbstractValue::TransitionsObserver transitionsObserver(vector);
     forAllValues(clobberLimit, transitionsObserver);
-    
-    if (!ASSERT_DISABLED) {
-        // We don't need to claim to be in a clobbered state because none of the Transition::previous structures are watchable.
-        for (unsigned i = vector.size(); i--;)
-            ASSERT(!vector[i].previous->dfgShouldWatch());
-    }
+    setDidClobber();
 }
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.cpp

@@ -192 +192 @@
 }
 
-FiltrationResult AbstractValue::changeStructure(Graph& graph, const StructureSet& other)
-{
-    m_type &= other.speculationFromStructures();
-    m_arrayModes = other.arrayModesFromStructures();
-    m_structure = other;
-    
-    filterValueByType();
-    
-    return normalizeClarity(graph);
-}
-
 FiltrationResult AbstractValue::filterArrayModes(ArrayModes arrayModes)
 {
@@ -253 +242 @@
 }
 
-bool AbstractValue::contains(Structure* structure) const
-{
-    return couldBeType(speculationFromStructure(structure))
-        && (m_arrayModes & arrayModeFromStructure(structure))
-        && m_structure.contains(structure);
-}
-
 FiltrationResult AbstractValue::filter(const AbstractValue& other)
 {

trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.h

@@ -268 +268 @@
     }
     
-    bool couldBeType(SpeculatedType desiredType) const
+    bool couldBeType(SpeculatedType desiredType)
     {
         return !!(m_type & desiredType);
     }
     
-    bool isType(SpeculatedType desiredType) const
+    bool isType(SpeculatedType desiredType)
     {
         return !(m_type & ~desiredType);
@@ -283 +283 @@
     FiltrationResult filterByValue(const FrozenValue& value);
     FiltrationResult filter(const AbstractValue&);
-    
-    FiltrationResult changeStructure(Graph&, const StructureSet&);
-    
-    bool contains(Structure*) const;
     
     bool validate(JSValue value) const

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -1892 +1892 @@
     emitChecks(variant.constantChecks());
 
-    ASSERT(variant.oldStructureForTransition()->transitionWatchpointSetHasBeenInvalidated());
+    ASSERT(variant.oldStructure()->transitionWatchpointSetHasBeenInvalidated());
     
     Node* propertyStorage;
     Transition* transition = m_graph.m_transitions.add(
-        variant.oldStructureForTransition(), variant.newStructure());
-
-    if (variant.reallocatesStorage()) {
+        variant.oldStructure(), variant.newStructure());
+
+    if (variant.oldStructure()->outOfLineCapacity()
+        != variant.newStructure()->outOfLineCapacity()) {
 
         // If we're growing the property storage then it must be because we're
@@ -1904 +1905 @@
         ASSERT(!isInlineOffset(variant.offset()));
 
-        if (!variant.oldStructureForTransition()->outOfLineCapacity()) {
+        if (!variant.oldStructure()->outOfLineCapacity()) {
             propertyStorage = addToGraph(
                 AllocatePropertyStorage, OpInfo(transition), base);
@@ -2036 +2037 @@
             if (op1->op() != ToThis) {
                 Structure* cachedStructure = currentInstruction[2].u.structure.get();
-                if (currentInstruction[2].u.toThisStatus != ToThisOK
-                    || !cachedStructure
+                if (!cachedStructure
                     || cachedStructure->classInfo()->methodTable.toThis != JSObject::info()->methodTable.toThis
                     || m_inlineStackTop->m_profiledBlock->couldTakeSlowCase(m_currentIndex)
@@ -2887 +2887 @@
                 SpeculatedType prediction = getPrediction();
                 GetByIdStatus status = GetByIdStatus::computeFor(*m_vm, structure, uid);
-                if (status.state() != GetByIdStatus::Simple
-                    || status.numVariants() != 1
-                    || status[0].structureSet().size() != 1) {
+                if (status.state() != GetByIdStatus::Simple || status.numVariants() != 1) {
                     set(VirtualRegister(dst), addToGraph(GetByIdFlush, OpInfo(identifierNumber), OpInfo(prediction), get(VirtualRegister(scope))));
                     break;
@@ -2974 +2972 @@
             case GlobalPropertyWithVarInjectionChecks: {
                 PutByIdStatus status = PutByIdStatus::computeFor(*m_vm, globalObject, structure, uid, false);
-                if (status.numVariants() != 1
-                    || status[0].kind() != PutByIdVariant::Replace
-                    || status[0].structure().size() != 1) {
+                if (status.numVariants() != 1 || status[0].kind() != PutByIdVariant::Replace) {
                     addToGraph(PutById, OpInfo(identifierNumber), get(VirtualRegister(scope)), get(VirtualRegister(value)));
                     break;
                 }
-                ASSERT(status[0].structure().onlyStructure() == structure);
-                Node* base = cellConstantWithStructureCheck(globalObject, structure);
+                Node* base = cellConstantWithStructureCheck(globalObject, status[0].structure());
                 addToGraph(Phantom, get(VirtualRegister(scope)));
                 handlePutByOffset(base, identifierNumber, static_cast<PropertyOffset>(operand), get(VirtualRegister(value)));

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -441 +441 @@
         
     case PutStructure:
+    case PhantomPutStructure:
         write(JSCell_structureID);
         write(JSCell_typeInfoType);

trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

@@ -133 +133 @@
             }
                 
-            case PutStructure: {
-                if (m_state.forNode(node->child1()).m_structure.onlyStructure() != node->transition()->next)
-                    break;
-                
-                node->convertToPhantom();
-                eliminated = true;
-                break;
-            }
-                
             case CheckFunction: {
                 if (m_state.forNode(node->child1()).value() != node->function()->value())
@@ -164 +155 @@
                 
             case MultiGetByOffset: {
-                Edge baseEdge = node->child1();
-                Node* base = baseEdge.node();
+                Edge childEdge = node->child1();
+                Node* child = childEdge.node();
                 MultiGetByOffsetData& data = node->multiGetByOffsetData();
 
-                // First prune the variants, then check if the MultiGetByOffset can be
-                // strength-reduced to a GetByOffset.
-                
-                AbstractValue baseValue = m_state.forNode(base);
-                
-                m_interpreter.execute(indexInBlock); // Push CFA over this node after we get the state before.
-                eliminated = true; // Don't allow the default constant folder to do things to this.
-                
-                for (unsigned i = 0; i < data.variants.size(); ++i) {
-                    GetByIdVariant& variant = data.variants[i];
-                    variant.structureSet().filter(baseValue);
-                    if (variant.structureSet().isEmpty()) {
-                        data.variants[i--] = data.variants.last();
-                        data.variants.removeLast();
-                    }
+                Structure* structure = m_state.forNode(child).m_structure.onlyStructure();
+                if (!structure)
+                    break;
+                
+                for (unsigned i = data.variants.size(); i--;) {
+                    const GetByIdVariant& variant = data.variants[i];
+                    if (!variant.structureSet().contains(structure))
+                        continue;
+                    
+                    if (variant.alternateBase())
+                        break;
+                    
+                    emitGetByOffset(indexInBlock, node, structure, variant, data.identifierNumber);
+                    eliminated = true;
+                    break;
                 }
-                
-                if (data.variants.size() != 1)
-                    break;
-                
-                emitGetByOffset(
-                    indexInBlock, node, baseValue, data.variants[0], data.identifierNumber);
                 break;
             }
                 
             case MultiPutByOffset: {
-                Edge baseEdge = node->child1();
-                Node* base = baseEdge.node();
+                Edge childEdge = node->child1();
+                Node* child = childEdge.node();
                 MultiPutByOffsetData& data = node->multiPutByOffsetData();
-                
-                AbstractValue baseValue = m_state.forNode(base);
-
-                m_interpreter.execute(indexInBlock); // Push CFA over this node after we get the state before.
-                eliminated = true; // Don't allow the default constant folder to do things to this.
-                
-
-                for (unsigned i = 0; i < data.variants.size(); ++i) {
-                    PutByIdVariant& variant = data.variants[i];
-                    variant.oldStructure().filter(baseValue);
+
+                Structure* structure = m_state.forNode(child).m_structure.onlyStructure();
+                if (!structure)
+                    break;
+                
+                for (unsigned i = data.variants.size(); i--;) {
+                    const PutByIdVariant& variant = data.variants[i];
+                    if (variant.oldStructure() != structure)
+                        continue;
                     
-                    if (variant.oldStructure().isEmpty()) {
-                        data.variants[i--] = data.variants.last();
-                        data.variants.removeLast();
-                        continue;
-                    }
-                    
-                    if (variant.kind() == PutByIdVariant::Transition
-                        && variant.oldStructure().onlyStructure() == variant.newStructure()) {
-                        variant = PutByIdVariant::replace(
-                            variant.oldStructure(),
-                            variant.offset());
-                    }
+                    emitPutByOffset(indexInBlock, node, structure, variant, data.identifierNumber);
+                    eliminated = true;
+                    break;
                 }
-
-                if (data.variants.size() != 1)
-                    break;
-                
-                emitPutByOffset(
-                    indexInBlock, node, baseValue, data.variants[0], data.identifierNumber);
                 break;
             }
@@ -236 +205 @@
                 unsigned identifierNumber = node->identifierNumber();
                 
-                AbstractValue baseValue = m_state.forNode(child);
-
-                m_interpreter.execute(indexInBlock); // Push CFA over this node after we get the state before.
-                eliminated = true; // Don't allow the default constant folder to do things to this.
-
-                if (baseValue.m_structure.isTop() || baseValue.m_structure.isClobbered()
-                    || (node->child1().useKind() == UntypedUse || (baseValue.m_type & ~SpecCell)))
-                    break;
-                
+                if (childEdge.useKind() != CellUse)
+                    break;
+                
+                Structure* structure = m_state.forNode(child).m_structure.onlyStructure();
+                if (!structure)
+                    break;
+
                 GetByIdStatus status = GetByIdStatus::computeFor(
-                    vm(), baseValue.m_structure.set(), m_graph.identifiers()[identifierNumber]);
-                if (!status.isSimple())
-                    break;
-                
-                for (unsigned i = status.numVariants(); i--;) {
-                    if (!status[i].constantChecks().isEmpty()
-                        || status[i].alternateBase()) {
-                        // FIXME: We could handle prototype cases.
-                        // https://bugs.webkit.org/show_bug.cgi?id=110386
-                        break;
-                    }
+                    vm(), structure, m_graph.identifiers()[identifierNumber]);
+                
+                if (!status.isSimple() || status.numVariants() != 1 ||
+                    !status[0].constantChecks().isEmpty() || status[0].alternateBase()) {
+                    // FIXME: We could handle prototype cases.
+                    // https://bugs.webkit.org/show_bug.cgi?id=110386
+                    break;
                 }
                 
-                if (status.numVariants() == 1) {
-                    emitGetByOffset(indexInBlock, node, baseValue, status[0], identifierNumber);
-                    break;
-                }
-                
-                if (!isFTL(m_graph.m_plan.mode))
-                    break;
-                
-                MultiGetByOffsetData* data = m_graph.m_multiGetByOffsetData.add();
-                data->variants = status.variants();
-                data->identifierNumber = identifierNumber;
-                node->convertToMultiGetByOffset(data);
+                emitGetByOffset(indexInBlock, node, structure, status[0], identifierNumber);
+                eliminated = true;
                 break;
             }
                 
             case PutById:
-            case PutByIdDirect:
-            case PutByIdFlush: {
+            case PutByIdDirect: {
                 NodeOrigin origin = node->origin;
                 Edge childEdge = node->child1();
@@ -284 +236 @@
                 ASSERT(childEdge.useKind() == CellUse);
                 
-                AbstractValue baseValue = m_state.forNode(child);
-
-                m_interpreter.execute(indexInBlock); // Push CFA over this node after we get the state before.
-                eliminated = true; // Don't allow the default constant folder to do things to this.
-
-                if (baseValue.m_structure.isTop() || baseValue.m_structure.isClobbered())
+                Structure* structure = m_state.forNode(child).m_structure.onlyStructure();
+                if (!structure)
                     break;
                 
@@ -295 +243 @@
                     vm(),
                     m_graph.globalObjectFor(origin.semantic),
-                    baseValue.m_structure.set(),
+                    structure,
                     m_graph.identifiers()[identifierNumber],
                     node->op() == PutByIdDirect);
@@ -301 +249 @@
                 if (!status.isSimple())
                     break;
-                
-                for (unsigned i = status.numVariants(); i--;)
-                    addChecks(origin, indexInBlock, status[i].constantChecks());
-                
-                if (status.numVariants() == 1) {
-                    emitPutByOffset(indexInBlock, node, baseValue, status[0], identifierNumber);
-                    break;
-                }
-                
-                if (!isFTL(m_graph.m_plan.mode))
-                    break;
-
-                MultiPutByOffsetData* data = m_graph.m_multiPutByOffsetData.add();
-                data->variants = status.variants();
-                data->identifierNumber = identifierNumber;
-                node->convertToMultiPutByOffset(data);
+                if (status.numVariants() != 1)
+                    break;
+                
+                emitPutByOffset(indexInBlock, node, structure, status[0], identifierNumber);
+                eliminated = true;
                 break;
             }
@@ -407 +344 @@
     }
         
-    void emitGetByOffset(unsigned indexInBlock, Node* node, const AbstractValue& baseValue, const GetByIdVariant& variant, unsigned identifierNumber)
+    void emitGetByOffset(unsigned indexInBlock, Node* node, Structure* structure, const GetByIdVariant& variant, unsigned identifierNumber)
     {
         NodeOrigin origin = node->origin;
@@ -413 +350 @@
         Node* child = childEdge.node();
 
-        addBaseCheck(indexInBlock, node, baseValue, variant.structureSet());
+        bool needsCellCheck = m_state.forNode(child).m_type & ~SpecCell;
+        
+        ASSERT(!variant.alternateBase());
+        ASSERT_UNUSED(structure, variant.structureSet().contains(structure));
+        
+        // Now before we do anything else, push the CFA forward over the GetById
+        // and make sure we signal to the loop that it should continue and not
+        // do any eliminations.
+        m_interpreter.execute(indexInBlock);
+        
+        if (needsCellCheck) {
+            m_insertionSet.insertNode(
+                indexInBlock, SpecNone, Phantom, origin, childEdge);
+        }
         
         if (variant.specificValue()) {
@@ -420 +370 @@
         }
         
-        if (variant.alternateBase()) {
-            child = m_insertionSet.insertConstant(indexInBlock, origin, variant.alternateBase());
-            childEdge = Edge(child, KnownCellUse);
-        } else
-            childEdge.setUseKind(KnownCellUse);
+        childEdge.setUseKind(KnownCellUse);
         
         Edge propertyStorage;
@@ -443 +389 @@
     }
 
-    void emitPutByOffset(unsigned indexInBlock, Node* node, const AbstractValue& baseValue, const PutByIdVariant& variant, unsigned identifierNumber)
+    void emitPutByOffset(unsigned indexInBlock, Node* node, Structure* structure, const PutByIdVariant& variant, unsigned identifierNumber)
     {
         NodeOrigin origin = node->origin;
         Edge childEdge = node->child1();
-        
-        addBaseCheck(indexInBlock, node, baseValue, variant.oldStructure());
+        Node* child = childEdge.node();
+
+        ASSERT(variant.oldStructure() == structure);
+        
+        bool needsCellCheck = m_state.forNode(child).m_type & ~SpecCell;
+        
+        // Now before we do anything else, push the CFA forward over the PutById
+        // and make sure we signal to the loop that it should continue and not
+        // do any eliminations.
+        m_interpreter.execute(indexInBlock);
+
+        if (needsCellCheck) {
+            m_insertionSet.insertNode(
+                indexInBlock, SpecNone, Phantom, origin, childEdge);
+        }
 
         childEdge.setUseKind(KnownCellUse);
@@ -454 +413 @@
         Transition* transition = 0;
         if (variant.kind() == PutByIdVariant::Transition) {
-            transition = m_graph.m_transitions.add(
-                variant.oldStructureForTransition(), variant.newStructure());
+            transition = m_graph.m_transitions.add(structure, variant.newStructure());
+
+            for (unsigned i = 0; i < variant.constantChecks().size(); ++i) {
+                addStructureTransitionCheck(
+                    origin, indexInBlock,
+                    variant.constantChecks()[i].constant(),
+                    variant.constantChecks()[i].structure());
+            }
         }
 
@@ -462 +427 @@
         if (isInlineOffset(variant.offset()))
             propertyStorage = childEdge;
-        else if (!variant.reallocatesStorage()) {
+        else if (
+            variant.kind() == PutByIdVariant::Replace
+            || structure->outOfLineCapacity() == variant.newStructure()->outOfLineCapacity()) {
             propertyStorage = Edge(m_insertionSet.insertNode(
                 indexInBlock, SpecNone, GetButterfly, origin, childEdge));
-        } else if (!variant.oldStructureForTransition()->outOfLineCapacity()) {
+        } else if (!structure->outOfLineCapacity()) {
             ASSERT(variant.newStructure()->outOfLineCapacity());
             ASSERT(!isInlineOffset(variant.offset()));
@@ -474 +441 @@
             propertyStorage = Edge(allocatePropertyStorage);
         } else {
-            ASSERT(variant.oldStructureForTransition()->outOfLineCapacity());
-            ASSERT(variant.newStructure()->outOfLineCapacity() > variant.oldStructureForTransition()->outOfLineCapacity());
+            ASSERT(structure->outOfLineCapacity());
+            ASSERT(variant.newStructure()->outOfLineCapacity() > structure->outOfLineCapacity());
             ASSERT(!isInlineOffset(variant.offset()));
 
@@ -503 +470 @@
         m_graph.m_storageAccessData.append(storageAccessData);
     }
-    
-    void addBaseCheck(
-        unsigned indexInBlock, Node* node, const AbstractValue& baseValue, const StructureSet& set)
-    {
-        if (!baseValue.m_structure.isSubsetOf(set)) {
-            // Arises when we prune MultiGetByOffset. We could have a
-            // MultiGetByOffset with a single variant that checks for structure S,
-            // and the input has structures S and T, for example.
-            m_insertionSet.insertNode(
-                indexInBlock, SpecNone, CheckStructure, node->origin,
-                OpInfo(m_graph.addStructureSet(set)), node->child1());
-            return;
-        }
-        
-        if (baseValue.m_type & ~SpecCell) {
-            m_insertionSet.insertNode(
-                indexInBlock, SpecNone, Phantom, node->origin, node->child1());
-        }
-    }
-    
-    void addChecks(
-        NodeOrigin origin, unsigned indexInBlock, const ConstantStructureCheckVector& checks)
-    {
-        for (unsigned i = 0; i < checks.size(); ++i) {
-            addStructureTransitionCheck(
-                origin, indexInBlock, checks[i].constant(), checks[i].structure());
-        }
-    }
 
     void addStructureTransitionCheck(NodeOrigin origin, unsigned indexInBlock, JSCell* cell, Structure* structure)

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -187 +187 @@
     case PutByValAlias:
     case PutStructure:
+    case PhantomPutStructure:
     case GetByOffset:
     case GetGetterSetterByOffset:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -981 +981 @@
         case Upsilon:
         case GetArgument:
+        case PhantomPutStructure:
         case GetIndexedPropertyStorage:
         case GetTypedArrayByteOffset:

trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp

@@ -890 +890 @@
                 
             case PutStructure:
+            case PhantomPutStructure:
             case AllocatePropertyStorage:
             case ReallocatePropertyStorage:
@@ -917 +918 @@
                 for (unsigned i = node->multiPutByOffsetData().variants.size(); i--;) {
                     PutByIdVariant& variant = node->multiPutByOffsetData().variants[i];
-                    const StructureSet& set = variant.oldStructure();
-                    for (unsigned j = set.size(); j--;)
-                        visitor.appendUnbarrieredReadOnlyPointer(set[j]);
+                    visitor.appendUnbarrieredReadOnlyPointer(variant.oldStructure());
                     if (variant.kind() == PutByIdVariant::Transition)
                         visitor.appendUnbarrieredReadOnlyPointer(variant.newStructure());
@@ -953 +952 @@
 FrozenValue* Graph::freezeStrong(JSValue value)
 {
-    FrozenValue* result = freezeFragile(value);
+    FrozenValue* result = freeze(value);
     result->strengthenTo(StrongValue);
     return result;

trunk/Source/JavaScriptCore/dfg/DFGGraph.h

@@ -148 +148 @@
     
     FrozenValue* freezeFragile(JSValue value);
-    FrozenValue* freeze(JSValue value); // We use weak freezing by default. Shorthand for freezeFragile(value)->strengthenTo(WeakValue);
-    FrozenValue* freezeStrong(JSValue value); // Shorthand for freezeFragile(value)->strengthenTo(StrongValue).
+    FrozenValue* freeze(JSValue value); // We use weak freezing by default.
+    FrozenValue* freezeStrong(JSValue value); // Shorthand for freeze(value)->markStrongly().
     
     void convertToConstant(Node* node, FrozenValue* value);

trunk/Source/JavaScriptCore/dfg/DFGNode.cpp

@@ -38 +38 @@
 {
     for (unsigned i = variants.size(); i--;) {
-        if (variants[i].writesStructures())
+        if (variants[i].kind() == PutByIdVariant::Transition)
             return true;
     }
@@ -47 +47 @@
 {
     for (unsigned i = variants.size(); i--;) {
-        if (variants[i].reallocatesStorage())
-            return true;
+        if (variants[i].kind() != PutByIdVariant::Transition)
+            continue;
+        
+        if (variants[i].oldStructure()->outOfLineCapacity() ==
+            variants[i].newStructure()->outOfLineCapacity())
+            continue;
+        
+        return true;
     }
     return false;

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -459 +459 @@
     }
     
-    void convertToMultiGetByOffset(MultiGetByOffsetData* data)
-    {
-        ASSERT(m_op == GetById || m_op == GetByIdFlush);
-        m_opInfo = bitwise_cast<intptr_t>(data);
-        child1().setUseKind(CellUse);
-        m_op = MultiGetByOffset;
-        m_flags &= ~NodeClobbersWorld;
-    }
-    
     void convertToPutByOffset(unsigned storageAccessDataIndex, Edge storage)
     {
-        ASSERT(m_op == PutById || m_op == PutByIdDirect || m_op == PutByIdFlush || m_op == MultiPutByOffset);
+        ASSERT(m_op == PutById || m_op == PutByIdDirect || m_op == MultiPutByOffset);
         m_opInfo = storageAccessDataIndex;
         children.setChild3(children.child2());
@@ -476 +467 @@
         children.setChild1(storage);
         m_op = PutByOffset;
-        m_flags &= ~NodeClobbersWorld;
-    }
-    
-    void convertToMultiPutByOffset(MultiPutByOffsetData* data)
-    {
-        ASSERT(m_op == PutById || m_op == PutByIdDirect || m_op == PutByIdFlush);
-        m_opInfo = bitwise_cast<intptr_t>(data);
-        m_op = MultiPutByOffset;
         m_flags &= ~NodeClobbersWorld;
     }
@@ -1125 +1108 @@
         switch (op()) {
         case PutStructure:
+        case PhantomPutStructure:
         case AllocatePropertyStorage:
         case ReallocatePropertyStorage:

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -156 +156 @@
     macro(CheckExecutable, NodeMustGenerate) \
     macro(PutStructure, NodeMustGenerate) \
+    macro(PhantomPutStructure, NodeMustGenerate) \
     macro(AllocatePropertyStorage, NodeMustGenerate | NodeResultStorage) \
     macro(ReallocatePropertyStorage, NodeMustGenerate | NodeResultStorage) \

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -541 +541 @@
         case GetMyArgumentsLength:
         case GetMyArgumentByVal:
+        case PhantomPutStructure:
         case PhantomArguments:
         case CheckArray:

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -284 +284 @@
 
     case PutStructure:
+    case PhantomPutStructure:
     case AllocatePropertyStorage:
     case ReallocatePropertyStorage:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -344 +344 @@
         ASSERT(info.gpr() == source);
         if (node->hasConstant()) {
+            DFG_ASSERT(m_jit.graph(), m_currentNode, node->isCellConstant());
             node->asCell(); // To get the assertion.
             fillAction = SetCellConstant;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -868 +868 @@
     VirtualRegister virtualRegister = edge->virtualRegister();
     GenerationInfo& info = generationInfoFromVirtualRegister(virtualRegister);
+    
+    if (edge->hasConstant() && !edge->isCellConstant()) {
+        // Protect the silent spill/fill logic by failing early. If we "speculate" on
+        // the constant then the silent filler may think that we have a cell and a
+        // constant, so it will try to fill this as an cell constant. Bad things will
+        // happen.
+        terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
+        return allocate();
+    }
 
     switch (info.registerFormat()) {
@@ -879 +888 @@
             JSValue jsValue = edge->asJSValue();
             GPRReg gpr = allocate();
-            if (jsValue.isCell()) {
-                m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
-                m_jit.move(MacroAssembler::TrustedImmPtr(jsValue.asCell()), gpr);
-                info.fillCell(*m_stream, gpr);
-                return gpr;
-            }
-            terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
+            m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
+            m_jit.move(MacroAssembler::TrustedImmPtr(jsValue.asCell()), gpr);
+            info.fillCell(*m_stream, gpr);
             return gpr;
         }
@@ -3735 +3740 @@
     }
         
+    case PhantomPutStructure: {
+        ASSERT(isKnownCell(node->child1().node()));
+        m_jit.jitCode()->common.notifyCompilingStructureTransition(m_jit.graph().m_plan, m_jit.codeBlock(), node);
+        noResult(node);
+        break;
+    }
+
     case PutStructure: {
         Structure* oldStructure = node->transition()->previous;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -98 +98 @@
             default:
                 m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
-                DFG_ASSERT(m_jit.graph(), m_currentNode, spillFormat & DataFormatJS);
+                RELEASE_ASSERT(spillFormat & DataFormatJS);
                 break;
             }
@@ -138 +138 @@
     case DataFormatInt52:
         // this type currently never occurs
-        DFG_CRASH(m_jit.graph(), m_currentNode, "Bad data format");
+        RELEASE_ASSERT_NOT_REACHED();
         
     default:
-        DFG_CRASH(m_jit.graph(), m_currentNode, "Corrupt data format");
+        RELEASE_ASSERT_NOT_REACHED();
         return InvalidGPRReg;
     }
@@ -312 +312 @@
         Node* branchNode = m_block->at(branchIndexInBlock);
 
-        DFG_ASSERT(m_jit.graph(), node, node->adjustedRefCount() == 1);
+        RELEASE_ASSERT(node->adjustedRefCount() == 1);
         
         nonSpeculativePeepholeBranchNull(operand, branchNode, invert);
@@ -629 +629 @@
     bool isCall = node->op() == Call;
     if (!isCall)
-        DFG_ASSERT(m_jit.graph(), node, node->op() == Construct);
-    
+        RELEASE_ASSERT(node->op() == Construct);
+
     // For constructors, the this argument is not passed but we have to make space
     // for it.
@@ -742 +742 @@
         DataFormat spillFormat = info.spillFormat();
         
-        DFG_ASSERT(m_jit.graph(), m_currentNode, (spillFormat & DataFormatJS) || spillFormat == DataFormatInt32);
+        RELEASE_ASSERT((spillFormat & DataFormatJS) || spillFormat == DataFormatInt32);
         
         m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
@@ -772 +772 @@
 
     case DataFormatJS: {
-        DFG_ASSERT(m_jit.graph(), m_currentNode, !(type & SpecInt52));
+        RELEASE_ASSERT(!(type & SpecInt52));
         // Check the value is an integer.
         GPRReg gpr = info.gpr();
@@ -835 +835 @@
     case DataFormatInt52:
     case DataFormatStrictInt52:
-        DFG_CRASH(m_jit.graph(), m_currentNode, "Bad data format");
+        RELEASE_ASSERT_NOT_REACHED();
         
     default:
-        DFG_CRASH(m_jit.graph(), m_currentNode, "Corrupt data format");
+        RELEASE_ASSERT_NOT_REACHED();
         return InvalidGPRReg;
     }
@@ -855 +855 @@
     DataFormat mustBeDataFormatInt32;
     GPRReg result = fillSpeculateInt32Internal<true>(edge, mustBeDataFormatInt32);
-    DFG_ASSERT(m_jit.graph(), m_currentNode, mustBeDataFormatInt32 == DataFormatInt32);
+    RELEASE_ASSERT(mustBeDataFormatInt32 == DataFormatInt32);
     return result;
 }
@@ -890 +890 @@
         DataFormat spillFormat = info.spillFormat();
         
-        DFG_ASSERT(m_jit.graph(), m_currentNode, spillFormat == DataFormatInt52 || spillFormat == DataFormatStrictInt52);
+        RELEASE_ASSERT(spillFormat == DataFormatInt52 || spillFormat == DataFormatStrictInt52);
         
         m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
@@ -942 +942 @@
 
     default:
-        DFG_CRASH(m_jit.graph(), m_currentNode, "Bad data format");
+        RELEASE_ASSERT_NOT_REACHED();
         return InvalidGPRReg;
     }
@@ -973 +973 @@
         
         DataFormat spillFormat = info.spillFormat();
-        DFG_ASSERT(m_jit.graph(), m_currentNode, spillFormat == DataFormatDouble);
+        RELEASE_ASSERT(spillFormat == DataFormatDouble);
         FPRReg fpr = fprAllocate();
         m_jit.loadDouble(JITCompiler::addressFor(virtualRegister), fpr);
@@ -981 +981 @@
     }
 
-    DFG_ASSERT(m_jit.graph(), m_currentNode, info.registerFormat() == DataFormatDouble);
+    RELEASE_ASSERT(info.registerFormat() == DataFormatDouble);
     FPRReg fpr = info.fpr();
     m_fprs.lock(fpr);
@@ -996 +996 @@
     GenerationInfo& info = generationInfoFromVirtualRegister(virtualRegister);
 
+    if (edge->hasConstant() && !edge->isCellConstant()) {
+        // Better to fail early on constants.
+        terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
+        return allocate();
+    }
+
     switch (info.registerFormat()) {
     case DataFormatNone: {
@@ -1002 +1008 @@
         if (edge->hasConstant()) {
             JSValue jsValue = edge->asJSValue();
-            if (jsValue.isCell()) {
-                m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
-                m_jit.move(MacroAssembler::TrustedImm64(JSValue::encode(jsValue)), gpr);
-                info.fillJSValue(*m_stream, gpr, DataFormatJSCell);
-                return gpr;
-            }
-            terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
+            m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
+            m_jit.move(MacroAssembler::TrustedImm64(JSValue::encode(jsValue)), gpr);
+            info.fillJSValue(*m_stream, gpr, DataFormatJSCell);
             return gpr;
         }
@@ -1061 +1063 @@
     case DataFormatInt52:
     case DataFormatStrictInt52:
-        DFG_CRASH(m_jit.graph(), m_currentNode, "Bad data format");
+        RELEASE_ASSERT_NOT_REACHED();
         
     default:
-        DFG_CRASH(m_jit.graph(), m_currentNode, "Corrupt data format");
+        RELEASE_ASSERT_NOT_REACHED();
         return InvalidGPRReg;
     }
@@ -1097 +1099 @@
             return gpr;
         }
-        DFG_ASSERT(m_jit.graph(), m_currentNode, info.spillFormat() & DataFormatJS);
+        RELEASE_ASSERT(info.spillFormat() & DataFormatJS);
         m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
         m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
@@ -1142 +1144 @@
     case DataFormatInt52:
     case DataFormatStrictInt52:
-        DFG_CRASH(m_jit.graph(), m_currentNode, "Bad data format");
+        RELEASE_ASSERT_NOT_REACHED();
         
     default:
-        DFG_CRASH(m_jit.graph(), m_currentNode, "Corrupt data format");
+        RELEASE_ASSERT_NOT_REACHED();
         return InvalidGPRReg;
     }
@@ -1609 +1611 @@
 
     default:
-        DFG_CRASH(m_jit.graph(), node, "Bad use kind");
+        RELEASE_ASSERT_NOT_REACHED();
         break;
     }
@@ -1764 +1766 @@
         
     default:
-        DFG_CRASH(m_jit.graph(), m_currentNode, "Bad use kind");
+        RELEASE_ASSERT_NOT_REACHED();
     }
 }
@@ -1789 +1791 @@
     case Identity: {
         // CSE should always eliminate this.
-        DFG_CRASH(m_jit.graph(), node, "Unexpected Identity node");
+        RELEASE_ASSERT_NOT_REACHED();
         break;
     }
@@ -1870 +1872 @@
     case ZombieHint:
     case Check: {
-        DFG_CRASH(m_jit.graph(), node, "Unexpected node");
+        RELEASE_ASSERT_NOT_REACHED();
         break;
     }
@@ -1930 +1932 @@
             
         default:
-            DFG_CRASH(m_jit.graph(), node, "Bad flush format");
+            RELEASE_ASSERT_NOT_REACHED();
             break;
         }
@@ -2068 +2070 @@
             
         default:
-            DFG_CRASH(m_jit.graph(), node, "Bad use kind");
+            RELEASE_ASSERT_NOT_REACHED();
         }
         break;
@@ -2148 +2150 @@
             
         default:
-            DFG_CRASH(m_jit.graph(), node, "Bad use kind");
+            RELEASE_ASSERT_NOT_REACHED();
             break;
         }
@@ -2215 +2217 @@
             
         default:
-            DFG_CRASH(m_jit.graph(), node, "Bad use kind");
+            RELEASE_ASSERT_NOT_REACHED();
             break;
         }
@@ -2337 +2339 @@
         case Array::SelectUsingPredictions:
         case Array::ForceExit:
-            DFG_CRASH(m_jit.graph(), node, "Bad array mode type");
+            RELEASE_ASSERT_NOT_REACHED();
+            terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), 0);
             break;
         case Array::Generic: {
@@ -2538 +2541 @@
         case Array::SelectUsingPredictions:
         case Array::ForceExit:
-            DFG_CRASH(m_jit.graph(), node, "Bad array mode type");
+            RELEASE_ASSERT_NOT_REACHED();
+            terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), 0);
+            alreadyHandled = true;
             break;
         case Array::Generic: {
-            DFG_ASSERT(m_jit.graph(), node, node->op() == PutByVal);
+            RELEASE_ASSERT(node->op() == PutByVal);
             
             JSValueOperand arg1(this, child1);
@@ -3114 +3119 @@
             
         default:
-            DFG_CRASH(m_jit.graph(), node, "Bad use kind");
+            RELEASE_ASSERT_NOT_REACHED();
             break;
         }
@@ -3121 +3126 @@
         
     case ToPrimitive: {
-        DFG_ASSERT(m_jit.graph(), node, node->child1().useKind() == UntypedUse);
+        RELEASE_ASSERT(node->child1().useKind() == UntypedUse);
         JSValueOperand op1(this, node->child1());
         GPRTemporary result(this, Reuse, op1);
@@ -3188 +3193 @@
         if (!globalObject->isHavingABadTime() && !hasAnyArrayStorage(node->indexingType())) {
             Structure* structure = globalObject->arrayStructureForIndexingTypeDuringAllocation(node->indexingType());
-            DFG_ASSERT(m_jit.graph(), node, structure->indexingType() == node->indexingType());
+            RELEASE_ASSERT(structure->indexingType() == node->indexingType());
             ASSERT(
                 hasUndecided(structure->indexingType())
@@ -3439 +3444 @@
             emitAllocateJSArray(resultGPR, globalObject->arrayStructureForIndexingTypeDuringAllocation(indexingType), storageGPR, numElements);
             
-            DFG_ASSERT(m_jit.graph(), node, indexingType & IsArray);
+            RELEASE_ASSERT(indexingType & IsArray);
             JSValue* data = m_jit.codeBlock()->constantBuffer(node->startConstant());
             if (indexingType == ArrayWithDouble) {
@@ -3493 +3498 @@
         }
         default:
-            DFG_CRASH(m_jit.graph(), node, "Bad use kind");
+            RELEASE_ASSERT_NOT_REACHED();
             break;
         }
@@ -3723 +3728 @@
             
         default:
-            DFG_CRASH(m_jit.graph(), node, "Bad use kind");
+            RELEASE_ASSERT_NOT_REACHED();
             break;
         }
@@ -3773 +3778 @@
             
         default:
-            DFG_CRASH(m_jit.graph(), node, "Bad use kind");
+            RELEASE_ASSERT_NOT_REACHED();
             break;
         }
@@ -3829 +3834 @@
         }
         
+        noResult(node);
+        break;
+    }
+        
+    case PhantomPutStructure: {
+        ASSERT(isKnownCell(node->child1().node()));
+        m_jit.jitCode()->common.notifyCompilingStructureTransition(m_jit.graph().m_plan, m_jit.codeBlock(), node);
         noResult(node);
         break;
@@ -4237 +4249 @@
 
     case CreateActivation: {
-        DFG_ASSERT(m_jit.graph(), node, !node->origin.semantic.inlineCallFrame);
+        RELEASE_ASSERT(!node->origin.semantic.inlineCallFrame);
         
         JSValueOperand value(this, node->child1());
@@ -4310 +4322 @@
 
     case TearOffActivation: {
-        DFG_ASSERT(m_jit.graph(), node, !node->origin.semantic.inlineCallFrame);
+        RELEASE_ASSERT(!node->origin.semantic.inlineCallFrame);
 
         JSValueOperand activationValue(this, node->child1());
@@ -4382 +4394 @@
         }
         
-        DFG_ASSERT(m_jit.graph(), node, !node->origin.semantic.inlineCallFrame);
+        RELEASE_ASSERT(!node->origin.semantic.inlineCallFrame);
         m_jit.load32(JITCompiler::payloadFor(JSStack::ArgumentCount), resultGPR);
         m_jit.sub32(TrustedImm32(1), resultGPR);
@@ -4458 +4470 @@
         JITCompiler::JumpList slowArgumentOutOfBounds;
         if (m_jit.symbolTableFor(node->origin.semantic)->slowArguments()) {
-            DFG_ASSERT(m_jit.graph(), node, !node->origin.semantic.inlineCallFrame);
+            RELEASE_ASSERT(!node->origin.semantic.inlineCallFrame);
             const SlowArgument* slowArguments = m_jit.graph().m_slowArguments.get();
             
@@ -4525 +4537 @@
         JITCompiler::JumpList slowArgumentOutOfBounds;
         if (m_jit.symbolTableFor(node->origin.semantic)->slowArguments()) {
-            DFG_ASSERT(m_jit.graph(), node, !node->origin.semantic.inlineCallFrame);
+            RELEASE_ASSERT(!node->origin.semantic.inlineCallFrame);
             const SlowArgument* slowArguments = m_jit.graph().m_slowArguments.get();
 
@@ -4660 +4672 @@
 
     case Unreachable:
-        DFG_CRASH(m_jit.graph(), node, "Unexpected Unreachable node");
+        RELEASE_ASSERT_NOT_REACHED();
         break;
 
@@ -4728 +4740 @@
     case CheckTierUpAtReturn:
     case CheckTierUpAndOSREnter:
-        DFG_CRASH(m_jit.graph(), node, "Unexpected tier-up node");
+        RELEASE_ASSERT_NOT_REACHED();
         break;
 #endif // ENABLE(FTL_JIT)
@@ -4744 +4756 @@
     case MultiPutByOffset:
     case FiatInt52:
-        DFG_CRASH(m_jit.graph(), node, "Unexpected FTL node");
+        RELEASE_ASSERT_NOT_REACHED();
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.cpp

@@ -84 +84 @@
 {
     SAMPLE("StructureAbstractValue observeTransition");
-    
-    ASSERT(!from->dfgShouldWatch());
 
     if (isTop())
@@ -92 +90 @@
     if (!m_set.contains(from))
         return;
+    
+    if (from->dfgShouldWatch()) {
+        setClobbered(true);
+        return;
+    }
     
     if (!m_set.add(to))
@@ -109 +112 @@
     StructureSet newStructures;
     for (unsigned i = vector.size(); i--;) {
-        ASSERT(!vector[i].previous->dfgShouldWatch());
-
         if (!m_set.contains(vector[i].previous))
             continue;
         
-        newStructures.add(vector[i].next);
+        if (vector[i].previous->dfgShouldWatch())
+            setClobbered(true);
+        else
+            newStructures.add(vector[i].next);
     }
     

trunk/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.h

@@ -56 +56 @@
     }
     
-    ALWAYS_INLINE StructureAbstractValue& operator=(Structure* structure)
-    {
-        m_set = structure;
-        setClobbered(false);
-        return *this;
-    }
-    ALWAYS_INLINE StructureAbstractValue& operator=(const StructureSet& other)
-    {
-        m_set = other;
-        setClobbered(false);
-        return *this;
-    }
     ALWAYS_INLINE StructureAbstractValue& operator=(const StructureAbstractValue& other)
     {
@@ -162 +150 @@
     }
     
-    const StructureSet& set() const
-    {
-        ASSERT(!isTop());
-        return m_set;
-    }
-    
     size_t size() const
     {
@@ -182 +164 @@
     Structure* operator[](size_t i) const { return at(i); }
     
-    // In most cases, what you really want to do is verify whether the set is top or clobbered, and
-    // if not, enumerate the set of structures. Use this only in cases where the singleton case is
-    // meaningfully special, like for transitions.
+    // FIXME: Eliminate all uses of this method. There shouldn't be any
+    // special-casing for the one-structure case.
+    // https://bugs.webkit.org/show_bug.cgi?id=133229
     Structure* onlyStructure() const
     {
-        if (isTop() || isClobbered())
+        if (isTop() || size() != 1)
             return nullptr;
-        return m_set.onlyStructure();
+        return at(0);
     }
     

trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp

@@ -234 +234 @@
                     VALIDATE((node), !!node->child2());
                     break;
-                case PutStructure:
-                    VALIDATE((node), !node->transition()->previous->dfgShouldWatch());
-                    break;
-                case MultiPutByOffset:
-                    for (unsigned i = node->multiPutByOffsetData().variants.size(); i--;) {
-                        const PutByIdVariant& variant = node->multiPutByOffsetData().variants[i];
-                        if (variant.kind() != PutByIdVariant::Transition)
-                            continue;
-                        VALIDATE((node), !variant.oldStructureForTransition()->dfgShouldWatch());
-                    }
-                    break;
                 default:
                     break;

trunk/Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.cpp

@@ -78 +78 @@
                 
                 case PutStructure:
+                case PhantomPutStructure:
                 case AllocatePropertyStorage:
                 case ReallocatePropertyStorage: