Changeset 171660 in webkit for trunk/Source/JavaScriptCore/dfg

Timestamp:

Jul 27, 2014, 4:14:40 PM (11 years ago)

Author:

[email protected]

Message:

Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.

Source/JavaScriptCore:

This fixes the previous mismerge and adds test coverage for the thing that went wrong.

Additional changes listed here:

• jsc.cpp:

(functionHasCustomProperties): Expose a way of checking hasCustomProperties(), which the DOM relies on. The regression I previously introduced was because this didn't work right. Now we can test it!

• runtime/Structure.cpp:

(JSC::Structure::Structure): This was supposed to be setDidTransition(true); the last merge had it set to false.

• tests/stress/has-custom-properties.js: Added. This test failed with the mismerge.

2014-06-27 Michael Saboff <​[email protected]>

Unreviewed build fix after r169795.

Fixed ASSERT for 32 bit build.

• dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):

2014-06-24 Saam Barati <​[email protected]>

Web Inspector: debugger should be able to show variable types
​https://bugs.webkit.org/show_bug.cgi?id=133395

Reviewed by Filip Pizlo.

Increase the amount of type information the VM gathers when directed
to do so. This initial commit is working towards the goal of
capturing, and then showing (via the Web Inspector) type information for all
assignment and load operations. This patch doesn't have the feature fully
implemented, but it ensures the VM has no performance regressions
unless the feature is specifically turned on.

• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/BytecodeList.json:
• bytecode/BytecodeUseDef.h: (JSC::computeUsesForBytecodeOffset): (JSC::computeDefsForBytecodeOffset):
• bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): (JSC::CodeBlock::CodeBlock): (JSC::CodeBlock::finalizeUnconditionally):
• bytecode/CodeBlock.h:
• bytecode/Instruction.h:
• bytecode/TypeLocation.h: Added. (JSC::TypeLocation::TypeLocation):
• bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitMove): (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): (JSC::BytecodeGenerator::emitPutToScope): (JSC::BytecodeGenerator::emitPutById): (JSC::BytecodeGenerator::emitPutByVal):
• bytecompiler/BytecodeGenerator.h: (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
• bytecompiler/NodesCodegen.cpp: (JSC::PostfixNode::emitResolve): (JSC::PrefixNode::emitResolve): (JSC::ReadModifyResolveNode::emitBytecode): (JSC::AssignResolveNode::emitBytecode): (JSC::ConstDeclNode::emitCodeSingle): (JSC::ForInNode::emitBytecode):
• heap/Heap.cpp: (JSC::Heap::collect):
• inspector/agents/InspectorRuntimeAgent.cpp: (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
• inspector/agents/InspectorRuntimeAgent.h:
• inspector/protocol/Runtime.json:
• jsc.cpp: (GlobalObject::finishCreation): (functionDumpTypesForAllVariables):
• llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): (JSC::LLInt::putToScopeCommon):
• llint/LLIntSlowPaths.h:
• llint/LowLevelInterpreter.asm:
• runtime/HighFidelityLog.cpp: Added. (JSC::HighFidelityLog::initializeHighFidelityLog): (JSC::HighFidelityLog::~HighFidelityLog): (JSC::HighFidelityLog::recordTypeInformationForLocation): (JSC::HighFidelityLog::processHighFidelityLog): (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
• runtime/HighFidelityLog.h: Added. (JSC::HighFidelityLog::HighFidelityLog):
• runtime/HighFidelityTypeProfiler.cpp: Added. (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange): (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange): (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange): (JSC::HighFidelityTypeProfiler::insertNewLocation): (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
• runtime/HighFidelityTypeProfiler.h: Added.
• runtime/Options.h:
• runtime/Structure.cpp: (JSC::Structure::toStructureShape):
• runtime/Structure.h:
• runtime/SymbolTable.cpp: (JSC::SymbolTable::SymbolTable): (JSC::SymbolTable::cloneCapturedNames): (JSC::SymbolTable::uniqueIDForVariable): (JSC::SymbolTable::uniqueIDForRegister): (JSC::SymbolTable::globalTypeSetForRegister): (JSC::SymbolTable::globalTypeSetForVariable):
• runtime/SymbolTable.h: (JSC::SymbolTable::add): (JSC::SymbolTable::set):
• runtime/TypeSet.cpp: Added. (JSC::TypeSet::TypeSet): (JSC::TypeSet::getRuntimeTypeForValue): (JSC::TypeSet::addTypeForValue): (JSC::TypeSet::removeDuplicatesInStructureHistory): (JSC::TypeSet::seenTypes): (JSC::TypeSet::dumpSeenTypes): (JSC::StructureShape::StructureShape): (JSC::StructureShape::markAsFinal): (JSC::StructureShape::addProperty): (JSC::StructureShape::propertyHash): (JSC::StructureShape::leastUpperBound): (JSC::StructureShape::stringRepresentation):
• runtime/TypeSet.h: Added. (JSC::StructureShape::create): (JSC::TypeSet::create):
• runtime/VM.cpp: (JSC::VM::VM): (JSC::VM::getTypesForVariableInRange): (JSC::VM::updateHighFidelityTypeProfileState): (JSC::VM::dumpHighFidelityProfilingTypes):
• runtime/VM.h: (JSC::VM::isProfilingTypesWithHighFidelity): (JSC::VM::highFidelityLog): (JSC::VM::highFidelityTypeProfiler): (JSC::VM::nextLocation): (JSC::VM::getNextUniqueVariableID):

2014-06-26 Mark Lam <​[email protected]>

Remove unused instantiation of the WithScope structure.
<​https://webkit.org/b/134331>

Reviewed by Oliver Hunt.

The WithScope structure instance is the VM is unused, and is now removed.

• runtime/VM.cpp: (JSC::VM::VM):
• runtime/VM.h:

2014-06-25 Mark Hahnenberg <​[email protected]>

Structure bit fields should have a consistent format
​https://bugs.webkit.org/show_bug.cgi?id=134307

Reviewed by Filip Pizlo.

Currently we use C-style bit fields for a number of member variables in Structure to save space.
This makes it difficult to load these fields in the JIT. We should instead use our own bitfield
format to make it easy to load and test these variables in JIT code.

• runtime/JSObject.cpp: (JSC::JSObject::putDirectNonIndexAccessor): (JSC::JSObject::reifyStaticFunctionsForDelete):
• runtime/Structure.cpp: (JSC::StructureTransitionTable::contains): (JSC::StructureTransitionTable::get): (JSC::StructureTransitionTable::add): (JSC::Structure::Structure): (JSC::Structure::materializePropertyMap): (JSC::Structure::addPropertyTransition): (JSC::Structure::despecifyFunctionTransition): (JSC::Structure::toDictionaryTransition): (JSC::Structure::freezeTransition): (JSC::Structure::preventExtensionsTransition): (JSC::Structure::takePropertyTableOrCloneIfPinned): (JSC::Structure::nonPropertyTransition): (JSC::Structure::flattenDictionaryStructure): (JSC::Structure::addPropertyWithoutTransition): (JSC::Structure::pin): (JSC::Structure::allocateRareData): (JSC::Structure::cloneRareDataFrom): (JSC::Structure::getConcurrently): (JSC::Structure::putSpecificValue): (JSC::Structure::getPropertyNamesFromStructure): (JSC::Structure::visitChildren): (JSC::Structure::checkConsistency):
• runtime/Structure.h: (JSC::Structure::isExtensible): (JSC::Structure::isDictionary): (JSC::Structure::isUncacheableDictionary): (JSC::Structure::propertyAccessesAreCacheable): (JSC::Structure::previousID): (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck): (JSC::Structure::setContainsReadOnlyProperties): (JSC::Structure::disableSpecificFunctionTracking): (JSC::Structure::objectToStringValue): (JSC::Structure::setObjectToStringValue): (JSC::Structure::setPreviousID): (JSC::Structure::clearPreviousID): (JSC::Structure::previous): (JSC::Structure::rareData): (JSC::Structure::didTransition): Deleted. (JSC::Structure::hasGetterSetterProperties): Deleted. (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted. (JSC::Structure::setHasGetterSetterProperties): Deleted. (JSC::Structure::hasNonEnumerableProperties): Deleted. (JSC::Structure::staticFunctionsReified): Deleted. (JSC::Structure::setStaticFunctionsReified): Deleted.
• runtime/StructureInlines.h: (JSC::Structure::setEnumerationCache): (JSC::Structure::enumerationCache): (JSC::Structure::checkOffsetConsistency):

2014-06-24 Mark Lam <​[email protected]>

[ftlopt] Renamed DebuggerActivation to DebuggerScope.
<​https://webkit.org/b/134273>

Reviewed by Michael Saboff.

• CMakeLists.txt:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
• JavaScriptCore.xcodeproj/project.pbxproj:
• debugger/DebuggerActivation.cpp: Removed.
• debugger/DebuggerActivation.h: Removed.
• debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp. (JSC::DebuggerScope::DebuggerScope): (JSC::DebuggerScope::finishCreation): (JSC::DebuggerScope::visitChildren): (JSC::DebuggerScope::className): (JSC::DebuggerScope::getOwnPropertySlot): (JSC::DebuggerScope::put): (JSC::DebuggerScope::deleteProperty): (JSC::DebuggerScope::getOwnPropertyNames): (JSC::DebuggerScope::defineOwnProperty): (JSC::DebuggerActivation::DebuggerActivation): Deleted. (JSC::DebuggerActivation::finishCreation): Deleted. (JSC::DebuggerActivation::visitChildren): Deleted. (JSC::DebuggerActivation::className): Deleted. (JSC::DebuggerActivation::getOwnPropertySlot): Deleted. (JSC::DebuggerActivation::put): Deleted. (JSC::DebuggerActivation::deleteProperty): Deleted. (JSC::DebuggerActivation::getOwnPropertyNames): Deleted. (JSC::DebuggerActivation::defineOwnProperty): Deleted.
• debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h. (JSC::DebuggerScope::create): (JSC::DebuggerActivation::create): Deleted.
• runtime/VM.cpp: (JSC::VM::VM):
• runtime/VM.h:

2014-06-24 Filip Pizlo <​[email protected]>

[ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
​https://bugs.webkit.org/show_bug.cgi?id=134265

Reviewed by Geoffrey Garen.

More assertion fallout from the PutById folding work.

• dfg/DFGNode.h: (JSC::DFG::Node::convertToPutByOffset):

2014-06-24 Filip Pizlo <​[email protected]>

[ftlopt] GC should notify us if it resets to_this
​https://bugs.webkit.org/show_bug.cgi?id=128231

Reviewed by Geoffrey Garen.

• CMakeLists.txt:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/BytecodeList.json:
• bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): (JSC::CodeBlock::finalizeUnconditionally):
• bytecode/Instruction.h:
• bytecode/ToThisStatus.cpp: Added. (JSC::merge): (WTF::printInternal):
• bytecode/ToThisStatus.h: Added.
• bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator):
• dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock):
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL):

2014-06-24 Filip Pizlo <​[email protected]>

[ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
​https://bugs.webkit.org/show_bug.cgi?id=134256

Reviewed by Michael Saboff.

This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
point is to be able to precisely model what goes on in the snippets of code between a
side-effect and an InvalidationPoint.

This patch also cleans up onlyStructure() by delegating more work to
StructureSet::onlyStructure().

• dfg/DFGStructureAbstractValue.h: (JSC::DFG::StructureAbstractValue::onlyStructure):

2014-06-24 Filip Pizlo <​[email protected]>

[ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
​https://bugs.webkit.org/show_bug.cgi?id=134260

Reviewed by Geoffrey Garen.

This was causing loads of assertion failures in debug builds.

• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2014-06-21 Filip Pizlo <​[email protected]>

[ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
​https://bugs.webkit.org/show_bug.cgi?id=134090

Reviewed by Oliver Hunt.

This pretty much finishes off the work to eliminate the special-casing of singleton
structure sets by making it possible to fold GetById and PutById to various polymorphic
forms of the ByOffset nodes.

• bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::computeForStubInfo): (JSC::GetByIdStatus::computeFor):
• bytecode/GetByIdStatus.h:
• bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::computeFor):
• bytecode/PutByIdStatus.h:
• bytecode/PutByIdVariant.h: (JSC::PutByIdVariant::constantChecks):
• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
• dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock):
• dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): (JSC::DFG::ConstantFoldingPhase::emitPutByOffset): (JSC::DFG::ConstantFoldingPhase::addChecks):
• dfg/DFGNode.h: (JSC::DFG::Node::convertToMultiGetByOffset): (JSC::DFG::Node::convertToMultiPutByOffset):
• dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging. (JSC::DFG::SpeculativeJIT::fillJSValue): (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull): (JSC::DFG::SpeculativeJIT::emitCall): (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict): (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): (JSC::DFG::SpeculativeJIT::fillSpeculateCell): (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): (JSC::DFG::SpeculativeJIT::compileLogicalNot): (JSC::DFG::SpeculativeJIT::emitBranch): (JSC::DFG::SpeculativeJIT::compile):
• dfg/DFGStructureAbstractValue.h: (JSC::DFG::StructureAbstractValue::set):

2014-06-19 Filip Pizlo <​[email protected]>

[ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
​https://bugs.webkit.org/show_bug.cgi?id=134077

Reviewed by Sam Weinig.

This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
in the abstract interpreter.

• bytecode/StructureSet.h: (JSC::StructureSet::onlyStructure):

2014-06-18 Filip Pizlo <​[email protected]>

DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
​https://bugs.webkit.org/show_bug.cgi?id=133918

Reviewed by Mark Hahnenberg.

This also adds pruning of PutStructure, since I basically had no choice but
to implement such logic within MultiPutByOffset.

Also adds a bunch of PutById cache status dumping to bytecode dumping.

• bytecode/GetByIdVariant.cpp: (JSC::GetByIdVariant::dumpInContext):
• bytecode/GetByIdVariant.h: (JSC::GetByIdVariant::structureSet):
• bytecode/PutByIdVariant.h: (JSC::PutByIdVariant::oldStructure):
• bytecode/StructureSet.cpp: (JSC::StructureSet::filter): (JSC::StructureSet::filterArrayModes):
• bytecode/StructureSet.h:
• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
• dfg/DFGAbstractValue.cpp: (JSC::DFG::AbstractValue::changeStructure): (JSC::DFG::AbstractValue::contains):
• dfg/DFGAbstractValue.h: (JSC::DFG::AbstractValue::couldBeType): (JSC::DFG::AbstractValue::isType):
• dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): (JSC::DFG::ConstantFoldingPhase::emitGetByOffset): (JSC::DFG::ConstantFoldingPhase::emitPutByOffset): (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
• dfg/DFGGraph.cpp: (JSC::DFG::Graph::freezeStrong):
• dfg/DFGGraph.h:
• dfg/DFGStructureAbstractValue.h: (JSC::DFG::StructureAbstractValue::operator=):
• ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
• tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added. (foo): (fu): (bar): (baz): (.bar): (.baz):
• tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added. (foo): (fu): (bar): (baz): (.bar): (.baz):
• tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added. (foo): (fu): (bar): (baz): (.bar): (.baz):

2014-06-18 Mark Hahnenberg <​[email protected]>

Remove CompoundType and LeafType
​https://bugs.webkit.org/show_bug.cgi?id=134037

Reviewed by Filip Pizlo.

We don't use them for anything. We'll replace them with a generic CellType type for all
the objects that are JSCells, aren't JSObjects, and for which we generally don't care about
their JSType at runtime.

• llint/LLIntData.cpp: (JSC::LLInt::Data::performAssertions):
• runtime/ArrayBufferNeuteringWatchpoint.cpp: (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
• runtime/Executable.h: (JSC::ExecutableBase::createStructure): (JSC::NativeExecutable::createStructure):
• runtime/JSPromiseDeferred.h: (JSC::JSPromiseDeferred::createStructure):
• runtime/JSPromiseReaction.h: (JSC::JSPromiseReaction::createStructure):
• runtime/JSPropertyNameIterator.h: (JSC::JSPropertyNameIterator::createStructure):
• runtime/JSType.h:
• runtime/JSTypeInfo.h: (JSC::TypeInfo::TypeInfo):
• runtime/MapData.h: (JSC::MapData::createStructure):
• runtime/PropertyMapHashTable.h: (JSC::PropertyTable::createStructure):
• runtime/RegExp.h: (JSC::RegExp::createStructure):
• runtime/SparseArrayValueMap.cpp: (JSC::SparseArrayValueMap::createStructure):
• runtime/Structure.cpp: (JSC::Structure::Structure):
• runtime/StructureChain.h: (JSC::StructureChain::createStructure):
• runtime/StructureRareData.cpp: (JSC::StructureRareData::createStructure):
• runtime/SymbolTable.h: (JSC::SymbolTable::createStructure):
• runtime/WeakMapData.h: (JSC::WeakMapData::createStructure):

2014-06-17 Filip Pizlo <​[email protected]>

[ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
​https://bugs.webkit.org/show_bug.cgi?id=134002

Reviewed by Mark Hahnenberg.

The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
of the structure if that structure was watchable.

Also kill PhantomPutStructure.

• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition): (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
• dfg/DFGClobberize.h: (JSC::DFG::clobberize):
• dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC):
• dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode):
• dfg/DFGGraph.cpp: (JSC::DFG::Graph::visitChildren):
• dfg/DFGNode.h: (JSC::DFG::Node::hasTransition):
• dfg/DFGNodeType.h:
• dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate):
• dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute):
• dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile):
• dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile):
• dfg/DFGStructureAbstractValue.cpp: (JSC::DFG::StructureAbstractValue::observeTransition): (JSC::DFG::StructureAbstractValue::observeTransitions):
• dfg/DFGValidate.cpp: (JSC::DFG::Validate::validate):
• dfg/DFGWatchableStructureWatchingPhase.cpp: (JSC::DFG::WatchableStructureWatchingPhase::run):
• ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile):
• ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.

2014-06-17 Filip Pizlo <​[email protected]>

[ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
​https://bugs.webkit.org/show_bug.cgi?id=133964

Reviewed by Mark Hahnenberg.

• bytecode/PutByIdStatus.cpp: (JSC::PutByIdStatus::appendVariant): (JSC::PutByIdStatus::computeForStubInfo):
• bytecode/PutByIdVariant.cpp: (JSC::PutByIdVariant::oldStructureForTransition): (JSC::PutByIdVariant::writesStructures): (JSC::PutByIdVariant::reallocatesStorage): (JSC::PutByIdVariant::attemptToMerge): (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace): (JSC::PutByIdVariant::dumpInContext):
• bytecode/PutByIdVariant.h: (JSC::PutByIdVariant::PutByIdVariant): (JSC::PutByIdVariant::replace): (JSC::PutByIdVariant::transition): (JSC::PutByIdVariant::structure): (JSC::PutByIdVariant::oldStructure):
• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
• dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::handlePutById): (JSC::DFG::ByteCodeParser::parseBlock):
• dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
• dfg/DFGGraph.cpp: (JSC::DFG::Graph::visitChildren):
• dfg/DFGNode.cpp: (JSC::DFG::MultiPutByOffsetData::writesStructures): (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
• ftl/FTLAbbreviations.h: (JSC::FTL::getLinkage):
• ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset): (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):

Source/WebCore:

This fixes the previous mismerge and adds test coverage for the thing that went wrong.
Also, this adds some helpers for making it easier to inspect JavaScript values.

• testing/Internals.cpp:

(WebCore::Internals::description):

• testing/Internals.h:
• testing/Internals.idl:

2014-07-25 Mark Lam <​[email protected]>

[ftlopt] Renamed DebuggerActivation to DebuggerScope.
<​https://webkit.org/b/134273>

Reviewed by Michael Saboff.

No new tests.

• ForwardingHeaders/debugger/DebuggerActivation.h: Removed.
• Removed because this is not used.

Source/WebKit/mac:

2014-07-25 Mark Lam <​[email protected]>

[ftlopt] Renamed DebuggerActivation to DebuggerScope.
<​https://webkit.org/b/134273>

Reviewed by Michael Saboff.

• WebView/WebScriptDebugDelegate.mm:
• Removed unneeded #include.

Source/WTF:

• wtf/text/WTFString.h:

LayoutTests:

• js/regress/fold-get-by-id-to-multi-get-by-offset-expected.txt: Added.
• js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int-expected.txt: Added.
• js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int.html: Added.
• js/regress/fold-get-by-id-to-multi-get-by-offset.html: Added.
• js/regress/fold-multi-get-by-offset-to-get-by-offset-expected.txt: Added.
• js/regress/fold-multi-get-by-offset-to-get-by-offset.html: Added.
• js/regress/fold-multi-get-by-offset-to-poly-get-by-offset-expected.txt: Added.
• js/regress/fold-multi-get-by-offset-to-poly-get-by-offset.html: Added.
• js/regress/fold-multi-put-by-offset-to-poly-put-by-offset-expected.txt: Added.
• js/regress/fold-multi-put-by-offset-to-poly-put-by-offset.html: Added.
• js/regress/fold-multi-put-by-offset-to-put-by-offset-expected.txt: Added.
• js/regress/fold-multi-put-by-offset-to-put-by-offset.html: Added.
• js/regress/fold-multi-put-by-offset-to-replace-or-transition-put-by-offset-expected.txt: Added.
• js/regress/fold-multi-put-by-offset-to-replace-or-transition-put-by-offset.html: Added.
• js/regress/fold-put-by-id-to-multi-put-by-offset-expected.txt: Added.
• js/regress/fold-put-by-id-to-multi-put-by-offset.html: Added.
• js/regress/fold-put-structure-expected.txt: Added.
• js/regress/fold-put-structure.html: Added.
• js/regress/hoist-poly-check-structure-effectful-loop-expected.txt: Added.
• js/regress/hoist-poly-check-structure-effectful-loop.html: Added.
• js/regress/hoist-poly-check-structure-expected.txt: Added.
• js/regress/hoist-poly-check-structure.html: Added.
• js/regress/put-by-id-replace-and-transition-expected.txt: Added.
• js/regress/put-by-id-replace-and-transition.html: Added.
• js/regress/put-by-id-slightly-polymorphic-expected.txt: Added.
• js/regress/put-by-id-slightly-polymorphic.html: Added.
• js/regress/script-tests/fold-get-by-id-to-multi-get-by-offset-rare-int.js: Added.

(foo):
(fu):
(bar):
(.bar):
(Number):

• js/regress/script-tests/fold-get-by-id-to-multi-get-by-offset.js: Added.

(foo):
(fu):
(bar):
(.bar):
(Number):

• js/regress/script-tests/fold-multi-get-by-offset-to-get-by-offset.js: Added.

(foo):
(fu):
(bar):
(.bar):

• js/regress/script-tests/fold-multi-get-by-offset-to-poly-get-by-offset.js: Added.

(foo):
(fu):
(bar):
(.bar):

• js/regress/script-tests/fold-multi-put-by-offset-to-poly-put-by-offset.js: Added.

(foo):
(fu):
(bar):
(.bar):

• js/regress/script-tests/fold-multi-put-by-offset-to-put-by-offset.js: Added.

(foo):
(fu):
(bar):
(.bar):

• js/regress/script-tests/fold-multi-put-by-offset-to-replace-or-transition-put-by-offset.js: Added.

(foo):
(fu):
(bar):
(.bar):

• js/regress/script-tests/fold-put-by-id-to-multi-put-by-offset.js: Added.

(foo):
(fu):
(bar):
(.bar):

• js/regress/script-tests/fold-put-structure.js: Added.

(foo):
(fu):
(bar):
(.bar):

• js/regress/script-tests/hoist-poly-check-structure-effectful-loop.js: Added.

(foo):
(test):

• js/regress/script-tests/hoist-poly-check-structure.js: Added.

(foo):
(test):

• js/regress/script-tests/put-by-id-replace-and-transition.js: Added.
• js/regress/script-tests/put-by-id-slightly-polymorphic.js: Added.

Location:

trunk/Source/JavaScriptCore/dfg

Files:

• DFGAbstractInterpreterInlines.h (modified) (7 diffs)
• DFGAbstractValue.cpp (modified) (2 diffs)
• DFGAbstractValue.h (modified) (2 diffs)
• DFGByteCodeParser.cpp (modified) (5 diffs)
• DFGClobberize.h (modified) (1 diff)
• DFGConstantFoldingPhase.cpp (modified) (14 diffs)
• DFGDoesGC.cpp (modified) (1 diff)
• DFGFixupPhase.cpp (modified) (1 diff)
• DFGGraph.cpp (modified) (3 diffs)
• DFGGraph.h (modified) (1 diff)
• DFGNode.cpp (modified) (2 diffs)
• DFGNode.h (modified) (3 diffs)
• DFGNodeType.h (modified) (1 diff)
• DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• DFGSafeToExecute.h (modified) (1 diff)
• DFGSpeculativeJIT.cpp (modified) (1 diff)
• DFGSpeculativeJIT32_64.cpp (modified) (3 diffs)
• DFGSpeculativeJIT64.cpp (modified) (43 diffs)
• DFGStructureAbstractValue.cpp (modified) (3 diffs)
• DFGStructureAbstractValue.h (modified) (3 diffs)
• DFGValidate.cpp (modified) (1 diff)
• DFGWatchableStructureWatchingPhase.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -1389 +1389 @@
             
     case GetById:
-    case GetByIdFlush:
+    case GetByIdFlush: {
         if (!node->prediction()) {
             m_state.setIsValid(false);
             break;
         }
-        if (isCellSpeculation(node->child1()->prediction())) {
-            // This use of onlyStructure() should be replaced by giving GetByIdStatus the ability
-            // to compute things based on a StructureSet, and then to factor ByteCodeParser's
-            // ability to generate code based on a GetByIdStatus out of ByteCodeParser so that
-            // ConstantFoldingPhase can use it.
-            // https://bugs.webkit.org/show_bug.cgi?id=133229
-            if (Structure* structure = forNode(node->child1()).m_structure.onlyStructure()) {
-                GetByIdStatus status = GetByIdStatus::computeFor(
-                    m_graph.m_vm, structure,
-                    m_graph.identifiers()[node->identifierNumber()]);
-                if (status.isSimple() && status.numVariants() == 1) {
-                    // Assert things that we can't handle and that the computeFor() method
-                    // above won't be able to return.
-                    ASSERT(status[0].structureSet().size() == 1);
-                    ASSERT(status[0].constantChecks().isEmpty());
-                    ASSERT(!status[0].alternateBase());
+        
+        AbstractValue& value = forNode(node->child1());
+        if (!value.m_structure.isTop() && !value.m_structure.isClobbered()
+            && (node->child1().useKind() == CellUse || !(value.m_type & ~SpecCell))) {
+            GetByIdStatus status = GetByIdStatus::computeFor(
+                m_graph.m_vm, value.m_structure.set(),
+                m_graph.identifiers()[node->identifierNumber()]);
+            if (status.isSimple()) {
+                // Figure out what the result is going to be - is it TOP, a constant, or maybe
+                // something more subtle?
+                AbstractValue result;
+                for (unsigned i = status.numVariants(); i--;) {
+                    if (!status[i].specificValue()) {
+                        result.makeHeapTop();
+                        break;
+                    }
                     
-                    if (status[0].specificValue()) {
-                        if (status[0].specificValue().isCell()) {
-                            Structure* structure = status[0].specificValue().asCell()->structure();
-                            m_graph.watchpoints().consider(structure);
-                        }
-                        setConstant(node, *m_graph.freeze(status[0].specificValue()));
-                    } else
-                        forNode(node).makeHeapTop();
-                    filter(node->child1(), status[0].structureSet());
-                    
+                    AbstractValue thisResult;
+                    thisResult.set(
+                        m_graph, *m_graph.freeze(status[i].specificValue()),
+                        m_state.structureClobberState());
+                    result.merge(thisResult);
+                }
+                if (status.numVariants() == 1 || isFTL(m_graph.m_plan.mode))
                     m_state.setFoundConstants(true);
-                    break;
-                }
-            }
-        }
+                forNode(node) = result;
+                break;
+            }
+        }
+
         clobberWorld(node->origin.semantic, clobberLimit);
         forNode(node).makeHeapTop();
         break;
+    }
             
     case GetArrayLength:
@@ -1463 +1462 @@
         
     case PutStructure:
-    case PhantomPutStructure:
         if (!forNode(node->child1()).m_structure.isClear()) {
-            observeTransition(
-                clobberLimit, node->transition()->previous, node->transition()->next);
-            forNode(node->child1()).set(m_graph, node->transition()->next);
+            if (forNode(node->child1()).m_structure.onlyStructure() == node->transition()->next)
+                m_state.setFoundConstants(true);
+            else {
+                observeTransition(
+                    clobberLimit, node->transition()->previous, node->transition()->next);
+                forNode(node->child1()).changeStructure(m_graph, node->transition()->next);
+            }
         }
         break;
@@ -1596 +1598 @@
         
     case MultiGetByOffset: {
-        AbstractValue& value = forNode(node->child1());
-        ASSERT(!(value.m_type & ~SpecCell)); // Edge filtering should have already ensured this.
-
-        // This should just filter down the cases in MultiGetByOffset. If that results in all
-        // cases having the same offset then we should strength reduce it to a CheckStructure +
-        // GetByOffset.
-        // https://bugs.webkit.org/show_bug.cgi?id=133229
-        if (Structure* structure = value.m_structure.onlyStructure()) {
-            bool done = false;
-            for (unsigned i = node->multiGetByOffsetData().variants.size(); i--;) {
-                const GetByIdVariant& variant = node->multiGetByOffsetData().variants[i];
-                if (!variant.structureSet().contains(structure))
-                    continue;
-                
-                if (variant.alternateBase())
-                    break;
-                
-                filter(value, structure);
-                forNode(node).makeHeapTop();
-                m_state.setFoundConstants(true);
-                done = true;
-                break;
-            }
-            if (done)
-                break;
-        }
-        
-        StructureSet set;
-        for (unsigned i = node->multiGetByOffsetData().variants.size(); i--;)
-            set.merge(node->multiGetByOffsetData().variants[i].structureSet());
-        
-        filter(node->child1(), set);
-        forNode(node).makeHeapTop();
+        // This code will filter the base value in a manner that is possibly different (either more
+        // or less precise) than the way it would be filtered if this was strength-reduced to a
+        // CheckStructure. This is fine. It's legal for different passes over the code to prove
+        // different things about the code, so long as all of them are sound. That even includes
+        // one guy proving that code should never execute (due to a contradiction) and another guy
+        // not finding that contradiction. If someone ever proved that there would be a
+        // contradiction then there must always be a contradiction even if subsequent passes don't
+        // realize it. This is the case here.
+        
+        // Ordinarily you have to be careful with calling setFoundConstants()
+        // because of the effect on compile times, but this node is FTL-only.
+        m_state.setFoundConstants(true);
+        
+        AbstractValue base = forNode(node->child1());
+        StructureSet baseSet;
+        AbstractValue result;
+        for (unsigned i = node->multiGetByOffsetData().variants.size(); i--;) {
+            GetByIdVariant& variant = node->multiGetByOffsetData().variants[i];
+            StructureSet set = variant.structureSet();
+            set.filter(base);
+            if (set.isEmpty())
+                continue;
+            baseSet.merge(set);
+            if (!variant.specificValue()) {
+                result.makeHeapTop();
+                continue;
+            }
+            AbstractValue thisResult;
+            thisResult.set(
+                m_graph,
+                *m_graph.freeze(variant.specificValue()),
+                m_state.structureClobberState());
+            result.merge(thisResult);
+        }
+        
+        if (forNode(node->child1()).changeStructure(m_graph, baseSet) == Contradiction)
+            m_state.setIsValid(false);
+        
+        forNode(node) = result;
         break;
     }
@@ -1637 +1645 @@
         
     case MultiPutByOffset: {
-        AbstractValue& value = forNode(node->child1());
-        ASSERT(!(value.m_type & ~SpecCell)); // Edge filtering should have already ensured this.
-
-        // This should just filter down the cases in MultiPutByOffset. If that results in either
-        // one case, or nothing but replace cases and they have the same offset, then we should
-        // just strength reduce it to the appropriate combination of CheckStructure,
-        // [Re]AllocatePropertyStorage, PutStructure, and PutByOffset.
-        // https://bugs.webkit.org/show_bug.cgi?id=133229
-        if (Structure* structure = value.m_structure.onlyStructure()) {
-            bool done = false;
-            for (unsigned i = node->multiPutByOffsetData().variants.size(); i--;) {
-                const PutByIdVariant& variant = node->multiPutByOffsetData().variants[i];
-                if (variant.oldStructure() != structure)
-                    continue;
-                
-                if (variant.kind() == PutByIdVariant::Replace) {
-                    filter(node->child1(), structure);
-                    m_state.setFoundConstants(true);
-                    done = true;
-                    break;
-                }
-                
-                ASSERT(variant.kind() == PutByIdVariant::Transition);
-                clobberStructures(clobberLimit);
-                forNode(node->child1()).set(m_graph, variant.newStructure());
-                m_state.setFoundConstants(true);
-                done = true;
-                break;
-            }
-            if (done)
-                break;
-        }
-        
-        StructureSet oldSet;
         StructureSet newSet;
         TransitionVector transitions;
+        
+        // Ordinarily you have to be careful with calling setFoundConstants()
+        // because of the effect on compile times, but this node is FTL-only.
+        m_state.setFoundConstants(true);
+        
+        AbstractValue base = forNode(node->child1());
+        
         for (unsigned i = node->multiPutByOffsetData().variants.size(); i--;) {
             const PutByIdVariant& variant = node->multiPutByOffsetData().variants[i];
-            oldSet.add(variant.oldStructure());
+            StructureSet thisSet = variant.oldStructure();
+            thisSet.filter(base);
+            if (thisSet.isEmpty())
+                continue;
             if (variant.kind() == PutByIdVariant::Transition) {
-                transitions.append(Transition(variant.oldStructure(), variant.newStructure()));
+                if (thisSet.onlyStructure() != variant.newStructure()) {
+                    transitions.append(
+                        Transition(variant.oldStructureForTransition(), variant.newStructure()));
+                } // else this is really a replace.
                 newSet.add(variant.newStructure());
             } else {
                 ASSERT(variant.kind() == PutByIdVariant::Replace);
-                newSet.add(variant.oldStructure());
-            }
-        }
-        
-        filter(node->child1(), oldSet);
+                newSet.merge(thisSet);
+            }
+        }
+        
         observeTransitions(clobberLimit, transitions);
-        forNode(node->child1()).set(m_graph, newSet);
+        if (forNode(node->child1()).changeStructure(m_graph, newSet) == Contradiction)
+            m_state.setIsValid(false);
         break;
     }
@@ -1716 +1703 @@
     case PutById:
     case PutByIdFlush:
-    case PutByIdDirect:
-        // This use of onlyStructure() should be replaced by giving PutByIdStatus the ability
-        // to compute things based on a StructureSet, and then to factor ByteCodeParser's
-        // ability to generate code based on a PutByIdStatus out of ByteCodeParser so that
-        // ConstantFoldingPhase can use it.
-        // https://bugs.webkit.org/show_bug.cgi?id=133229
-        if (Structure* structure = forNode(node->child1()).m_structure.onlyStructure()) {
+    case PutByIdDirect: {
+        AbstractValue& value = forNode(node->child1());
+        if (!value.m_structure.isTop() && !value.m_structure.isClobbered()) {
             PutByIdStatus status = PutByIdStatus::computeFor(
                 m_graph.m_vm,
                 m_graph.globalObjectFor(node->origin.semantic),
-                structure,
+                value.m_structure.set(),
                 m_graph.identifiers()[node->identifierNumber()],
                 node->op() == PutByIdDirect);
-            if (status.isSimple() && status.numVariants() == 1) {
-                if (status[0].kind() == PutByIdVariant::Replace) {
-                    filter(node->child1(), structure);
+            
+            if (status.isSimple()) {
+                StructureSet newSet;
+                TransitionVector transitions;
+                
+                for (unsigned i = status.numVariants(); i--;) {
+                    const PutByIdVariant& variant = status[i];
+                    if (variant.kind() == PutByIdVariant::Transition) {
+                        transitions.append(
+                            Transition(
+                                variant.oldStructureForTransition(), variant.newStructure()));
+                        m_graph.watchpoints().consider(variant.newStructure());
+                        newSet.add(variant.newStructure());
+                    } else {
+                        ASSERT(variant.kind() == PutByIdVariant::Replace);
+                        newSet.merge(variant.oldStructure());
+                    }
+                }
+                
+                if (status.numVariants() == 1 || isFTL(m_graph.m_plan.mode))
                     m_state.setFoundConstants(true);
-                    break;
-                }
-                if (status[0].kind() == PutByIdVariant::Transition
-                    && structure->transitionWatchpointSetHasBeenInvalidated()) {
-                    m_graph.watchpoints().consider(status[0].newStructure());
-                    clobberStructures(clobberLimit);
-                    forNode(node->child1()).set(m_graph, status[0].newStructure());
-                    m_state.setFoundConstants(true);
-                    break;
-                }
-            }
-        }
+                
+                observeTransitions(clobberLimit, transitions);
+                if (forNode(node->child1()).changeStructure(m_graph, newSet) == Contradiction)
+                    m_state.setIsValid(false);
+                break;
+            }
+        }
+        
         clobberWorld(node->origin.semantic, clobberLimit);
         break;
+    }
         
     case In:
@@ -1949 +1946 @@
     AbstractValue::TransitionObserver transitionObserver(from, to);
     forAllValues(clobberLimit, transitionObserver);
-    setDidClobber();
+    
+    ASSERT(!from->dfgShouldWatch()); // We don't need to claim to be in a clobbered state because 'from' was never watchable (during the time we were compiling), hence no constants ever introduced into the DFG IR that ever had a watchable structure would ever have the same structure as from.
 }
 
@@ -1958 +1956 @@
     AbstractValue::TransitionsObserver transitionsObserver(vector);
     forAllValues(clobberLimit, transitionsObserver);
-    setDidClobber();
+    
+    if (!ASSERT_DISABLED) {
+        // We don't need to claim to be in a clobbered state because none of the Transition::previous structures are watchable.
+        for (unsigned i = vector.size(); i--;)
+            ASSERT(!vector[i].previous->dfgShouldWatch());
+    }
 }
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.cpp

@@ -192 +192 @@
 }
 
+FiltrationResult AbstractValue::changeStructure(Graph& graph, const StructureSet& other)
+{
+    m_type &= other.speculationFromStructures();
+    m_arrayModes = other.arrayModesFromStructures();
+    m_structure = other;
+    
+    filterValueByType();
+    
+    return normalizeClarity(graph);
+}
+
 FiltrationResult AbstractValue::filterArrayModes(ArrayModes arrayModes)
 {
@@ -242 +253 @@
 }
 
+bool AbstractValue::contains(Structure* structure) const
+{
+    return couldBeType(speculationFromStructure(structure))
+        && (m_arrayModes & arrayModeFromStructure(structure))
+        && m_structure.contains(structure);
+}
+
 FiltrationResult AbstractValue::filter(const AbstractValue& other)
 {

trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.h

@@ -268 +268 @@
     }
     
-    bool couldBeType(SpeculatedType desiredType)
+    bool couldBeType(SpeculatedType desiredType) const
     {
         return !!(m_type & desiredType);
     }
     
-    bool isType(SpeculatedType desiredType)
+    bool isType(SpeculatedType desiredType) const
     {
         return !(m_type & ~desiredType);
@@ -283 +283 @@
     FiltrationResult filterByValue(const FrozenValue& value);
     FiltrationResult filter(const AbstractValue&);
+    
+    FiltrationResult changeStructure(Graph&, const StructureSet&);
+    
+    bool contains(Structure*) const;
     
     bool validate(JSValue value) const

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -1892 +1892 @@
     emitChecks(variant.constantChecks());
 
-    ASSERT(variant.oldStructure()->transitionWatchpointSetHasBeenInvalidated());
+    ASSERT(variant.oldStructureForTransition()->transitionWatchpointSetHasBeenInvalidated());
     
     Node* propertyStorage;
     Transition* transition = m_graph.m_transitions.add(
-        variant.oldStructure(), variant.newStructure());
-
-    if (variant.oldStructure()->outOfLineCapacity()
-        != variant.newStructure()->outOfLineCapacity()) {
+        variant.oldStructureForTransition(), variant.newStructure());
+
+    if (variant.reallocatesStorage()) {
 
         // If we're growing the property storage then it must be because we're
@@ -1905 +1904 @@
         ASSERT(!isInlineOffset(variant.offset()));
 
-        if (!variant.oldStructure()->outOfLineCapacity()) {
+        if (!variant.oldStructureForTransition()->outOfLineCapacity()) {
             propertyStorage = addToGraph(
                 AllocatePropertyStorage, OpInfo(transition), base);
@@ -2037 +2036 @@
             if (op1->op() != ToThis) {
                 Structure* cachedStructure = currentInstruction[2].u.structure.get();
-                if (!cachedStructure
+                if (currentInstruction[2].u.toThisStatus != ToThisOK
+                    || !cachedStructure
                     || cachedStructure->classInfo()->methodTable.toThis != JSObject::info()->methodTable.toThis
                     || m_inlineStackTop->m_profiledBlock->couldTakeSlowCase(m_currentIndex)
@@ -2887 +2887 @@
                 SpeculatedType prediction = getPrediction();
                 GetByIdStatus status = GetByIdStatus::computeFor(*m_vm, structure, uid);
-                if (status.state() != GetByIdStatus::Simple || status.numVariants() != 1) {
+                if (status.state() != GetByIdStatus::Simple
+                    || status.numVariants() != 1
+                    || status[0].structureSet().size() != 1) {
                     set(VirtualRegister(dst), addToGraph(GetByIdFlush, OpInfo(identifierNumber), OpInfo(prediction), get(VirtualRegister(scope))));
                     break;
@@ -2972 +2974 @@
             case GlobalPropertyWithVarInjectionChecks: {
                 PutByIdStatus status = PutByIdStatus::computeFor(*m_vm, globalObject, structure, uid, false);
-                if (status.numVariants() != 1 || status[0].kind() != PutByIdVariant::Replace) {
+                if (status.numVariants() != 1
+                    || status[0].kind() != PutByIdVariant::Replace
+                    || status[0].structure().size() != 1) {
                     addToGraph(PutById, OpInfo(identifierNumber), get(VirtualRegister(scope)), get(VirtualRegister(value)));
                     break;
                 }
-                Node* base = cellConstantWithStructureCheck(globalObject, status[0].structure());
+                ASSERT(status[0].structure().onlyStructure() == structure);
+                Node* base = cellConstantWithStructureCheck(globalObject, structure);
                 addToGraph(Phantom, get(VirtualRegister(scope)));
                 handlePutByOffset(base, identifierNumber, static_cast<PropertyOffset>(operand), get(VirtualRegister(value)));

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -441 +441 @@
         
     case PutStructure:
-    case PhantomPutStructure:
         write(JSCell_structureID);
         write(JSCell_typeInfoType);

trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

@@ -133 +133 @@
             }
                 
+            case PutStructure: {
+                if (m_state.forNode(node->child1()).m_structure.onlyStructure() != node->transition()->next)
+                    break;
+                
+                node->convertToPhantom();
+                eliminated = true;
+                break;
+            }
+                
             case CheckFunction: {
                 if (m_state.forNode(node->child1()).value() != node->function()->value())
@@ -155 +164 @@
                 
             case MultiGetByOffset: {
-                Edge childEdge = node->child1();
-                Node* child = childEdge.node();
+                Edge baseEdge = node->child1();
+                Node* base = baseEdge.node();
                 MultiGetByOffsetData& data = node->multiGetByOffsetData();
 
-                Structure* structure = m_state.forNode(child).m_structure.onlyStructure();
-                if (!structure)
-                    break;
-                
-                for (unsigned i = data.variants.size(); i--;) {
-                    const GetByIdVariant& variant = data.variants[i];
-                    if (!variant.structureSet().contains(structure))
+                // First prune the variants, then check if the MultiGetByOffset can be
+                // strength-reduced to a GetByOffset.
+                
+                AbstractValue baseValue = m_state.forNode(base);
+                
+                m_interpreter.execute(indexInBlock); // Push CFA over this node after we get the state before.
+                eliminated = true; // Don't allow the default constant folder to do things to this.
+                
+                for (unsigned i = 0; i < data.variants.size(); ++i) {
+                    GetByIdVariant& variant = data.variants[i];
+                    variant.structureSet().filter(baseValue);
+                    if (variant.structureSet().isEmpty()) {
+                        data.variants[i--] = data.variants.last();
+                        data.variants.removeLast();
+                    }
+                }
+                
+                if (data.variants.size() != 1)
+                    break;
+                
+                emitGetByOffset(
+                    indexInBlock, node, baseValue, data.variants[0], data.identifierNumber);
+                break;
+            }
+                
+            case MultiPutByOffset: {
+                Edge baseEdge = node->child1();
+                Node* base = baseEdge.node();
+                MultiPutByOffsetData& data = node->multiPutByOffsetData();
+                
+                AbstractValue baseValue = m_state.forNode(base);
+
+                m_interpreter.execute(indexInBlock); // Push CFA over this node after we get the state before.
+                eliminated = true; // Don't allow the default constant folder to do things to this.
+                
+
+                for (unsigned i = 0; i < data.variants.size(); ++i) {
+                    PutByIdVariant& variant = data.variants[i];
+                    variant.oldStructure().filter(baseValue);
+                    
+                    if (variant.oldStructure().isEmpty()) {
+                        data.variants[i--] = data.variants.last();
+                        data.variants.removeLast();
                         continue;
+                    }
                     
-                    if (variant.alternateBase())
-                        break;
-                    
-                    emitGetByOffset(indexInBlock, node, structure, variant, data.identifierNumber);
-                    eliminated = true;
-                    break;
-                }
-                break;
-            }
-                
-            case MultiPutByOffset: {
-                Edge childEdge = node->child1();
-                Node* child = childEdge.node();
-                MultiPutByOffsetData& data = node->multiPutByOffsetData();
-
-                Structure* structure = m_state.forNode(child).m_structure.onlyStructure();
-                if (!structure)
-                    break;
-                
-                for (unsigned i = data.variants.size(); i--;) {
-                    const PutByIdVariant& variant = data.variants[i];
-                    if (variant.oldStructure() != structure)
-                        continue;
-                    
-                    emitPutByOffset(indexInBlock, node, structure, variant, data.identifierNumber);
-                    eliminated = true;
-                    break;
-                }
+                    if (variant.kind() == PutByIdVariant::Transition
+                        && variant.oldStructure().onlyStructure() == variant.newStructure()) {
+                        variant = PutByIdVariant::replace(
+                            variant.oldStructure(),
+                            variant.offset());
+                    }
+                }
+
+                if (data.variants.size() != 1)
+                    break;
+                
+                emitPutByOffset(
+                    indexInBlock, node, baseValue, data.variants[0], data.identifierNumber);
                 break;
             }
@@ -205 +236 @@
                 unsigned identifierNumber = node->identifierNumber();
                 
-                if (childEdge.useKind() != CellUse)
-                    break;
-                
-                Structure* structure = m_state.forNode(child).m_structure.onlyStructure();
-                if (!structure)
-                    break;
-
+                AbstractValue baseValue = m_state.forNode(child);
+
+                m_interpreter.execute(indexInBlock); // Push CFA over this node after we get the state before.
+                eliminated = true; // Don't allow the default constant folder to do things to this.
+
+                if (baseValue.m_structure.isTop() || baseValue.m_structure.isClobbered()
+                    || (node->child1().useKind() == UntypedUse || (baseValue.m_type & ~SpecCell)))
+                    break;
+                
                 GetByIdStatus status = GetByIdStatus::computeFor(
-                    vm(), structure, m_graph.identifiers()[identifierNumber]);
-                
-                if (!status.isSimple() || status.numVariants() != 1 ||
-                    !status[0].constantChecks().isEmpty() || status[0].alternateBase()) {
-                    // FIXME: We could handle prototype cases.
-                    // https://bugs.webkit.org/show_bug.cgi?id=110386
-                    break;
-                }
-                
-                emitGetByOffset(indexInBlock, node, structure, status[0], identifierNumber);
-                eliminated = true;
+                    vm(), baseValue.m_structure.set(), m_graph.identifiers()[identifierNumber]);
+                if (!status.isSimple())
+                    break;
+                
+                for (unsigned i = status.numVariants(); i--;) {
+                    if (!status[i].constantChecks().isEmpty()
+                        || status[i].alternateBase()) {
+                        // FIXME: We could handle prototype cases.
+                        // https://bugs.webkit.org/show_bug.cgi?id=110386
+                        break;
+                    }
+                }
+                
+                if (status.numVariants() == 1) {
+                    emitGetByOffset(indexInBlock, node, baseValue, status[0], identifierNumber);
+                    break;
+                }
+                
+                if (!isFTL(m_graph.m_plan.mode))
+                    break;
+                
+                MultiGetByOffsetData* data = m_graph.m_multiGetByOffsetData.add();
+                data->variants = status.variants();
+                data->identifierNumber = identifierNumber;
+                node->convertToMultiGetByOffset(data);
                 break;
             }
                 
             case PutById:
-            case PutByIdDirect: {
+            case PutByIdDirect:
+            case PutByIdFlush: {
                 NodeOrigin origin = node->origin;
                 Edge childEdge = node->child1();
@@ -236 +284 @@
                 ASSERT(childEdge.useKind() == CellUse);
                 
-                Structure* structure = m_state.forNode(child).m_structure.onlyStructure();
-                if (!structure)
+                AbstractValue baseValue = m_state.forNode(child);
+
+                m_interpreter.execute(indexInBlock); // Push CFA over this node after we get the state before.
+                eliminated = true; // Don't allow the default constant folder to do things to this.
+
+                if (baseValue.m_structure.isTop() || baseValue.m_structure.isClobbered())
                     break;
                 
@@ -243 +295 @@
                     vm(),
                     m_graph.globalObjectFor(origin.semantic),
-                    structure,
+                    baseValue.m_structure.set(),
                     m_graph.identifiers()[identifierNumber],
                     node->op() == PutByIdDirect);
@@ -249 +301 @@
                 if (!status.isSimple())
                     break;
-                if (status.numVariants() != 1)
-                    break;
-                
-                emitPutByOffset(indexInBlock, node, structure, status[0], identifierNumber);
-                eliminated = true;
+                
+                for (unsigned i = status.numVariants(); i--;)
+                    addChecks(origin, indexInBlock, status[i].constantChecks());
+                
+                if (status.numVariants() == 1) {
+                    emitPutByOffset(indexInBlock, node, baseValue, status[0], identifierNumber);
+                    break;
+                }
+                
+                if (!isFTL(m_graph.m_plan.mode))
+                    break;
+
+                MultiPutByOffsetData* data = m_graph.m_multiPutByOffsetData.add();
+                data->variants = status.variants();
+                data->identifierNumber = identifierNumber;
+                node->convertToMultiPutByOffset(data);
                 break;
             }
@@ -344 +407 @@
     }
         
-    void emitGetByOffset(unsigned indexInBlock, Node* node, Structure* structure, const GetByIdVariant& variant, unsigned identifierNumber)
+    void emitGetByOffset(unsigned indexInBlock, Node* node, const AbstractValue& baseValue, const GetByIdVariant& variant, unsigned identifierNumber)
     {
         NodeOrigin origin = node->origin;
@@ -350 +413 @@
         Node* child = childEdge.node();
 
-        bool needsCellCheck = m_state.forNode(child).m_type & ~SpecCell;
-        
-        ASSERT(!variant.alternateBase());
-        ASSERT_UNUSED(structure, variant.structureSet().contains(structure));
-        
-        // Now before we do anything else, push the CFA forward over the GetById
-        // and make sure we signal to the loop that it should continue and not
-        // do any eliminations.
-        m_interpreter.execute(indexInBlock);
-        
-        if (needsCellCheck) {
-            m_insertionSet.insertNode(
-                indexInBlock, SpecNone, Phantom, origin, childEdge);
-        }
+        addBaseCheck(indexInBlock, node, baseValue, variant.structureSet());
         
         if (variant.specificValue()) {
@@ -370 +420 @@
         }
         
-        childEdge.setUseKind(KnownCellUse);
+        if (variant.alternateBase()) {
+            child = m_insertionSet.insertConstant(indexInBlock, origin, variant.alternateBase());
+            childEdge = Edge(child, KnownCellUse);
+        } else
+            childEdge.setUseKind(KnownCellUse);
         
         Edge propertyStorage;
@@ -389 +443 @@
     }
 
-    void emitPutByOffset(unsigned indexInBlock, Node* node, Structure* structure, const PutByIdVariant& variant, unsigned identifierNumber)
+    void emitPutByOffset(unsigned indexInBlock, Node* node, const AbstractValue& baseValue, const PutByIdVariant& variant, unsigned identifierNumber)
     {
         NodeOrigin origin = node->origin;
         Edge childEdge = node->child1();
-        Node* child = childEdge.node();
-
-        ASSERT(variant.oldStructure() == structure);
-        
-        bool needsCellCheck = m_state.forNode(child).m_type & ~SpecCell;
-        
-        // Now before we do anything else, push the CFA forward over the PutById
-        // and make sure we signal to the loop that it should continue and not
-        // do any eliminations.
-        m_interpreter.execute(indexInBlock);
-
-        if (needsCellCheck) {
-            m_insertionSet.insertNode(
-                indexInBlock, SpecNone, Phantom, origin, childEdge);
-        }
+        
+        addBaseCheck(indexInBlock, node, baseValue, variant.oldStructure());
 
         childEdge.setUseKind(KnownCellUse);
@@ -413 +454 @@
         Transition* transition = 0;
         if (variant.kind() == PutByIdVariant::Transition) {
-            transition = m_graph.m_transitions.add(structure, variant.newStructure());
-
-            for (unsigned i = 0; i < variant.constantChecks().size(); ++i) {
-                addStructureTransitionCheck(
-                    origin, indexInBlock,
-                    variant.constantChecks()[i].constant(),
-                    variant.constantChecks()[i].structure());
-            }
+            transition = m_graph.m_transitions.add(
+                variant.oldStructureForTransition(), variant.newStructure());
         }
 
@@ -427 +462 @@
         if (isInlineOffset(variant.offset()))
             propertyStorage = childEdge;
-        else if (
-            variant.kind() == PutByIdVariant::Replace
-            || structure->outOfLineCapacity() == variant.newStructure()->outOfLineCapacity()) {
+        else if (!variant.reallocatesStorage()) {
             propertyStorage = Edge(m_insertionSet.insertNode(
                 indexInBlock, SpecNone, GetButterfly, origin, childEdge));
-        } else if (!structure->outOfLineCapacity()) {
+        } else if (!variant.oldStructureForTransition()->outOfLineCapacity()) {
             ASSERT(variant.newStructure()->outOfLineCapacity());
             ASSERT(!isInlineOffset(variant.offset()));
@@ -441 +474 @@
             propertyStorage = Edge(allocatePropertyStorage);
         } else {
-            ASSERT(structure->outOfLineCapacity());
-            ASSERT(variant.newStructure()->outOfLineCapacity() > structure->outOfLineCapacity());
+            ASSERT(variant.oldStructureForTransition()->outOfLineCapacity());
+            ASSERT(variant.newStructure()->outOfLineCapacity() > variant.oldStructureForTransition()->outOfLineCapacity());
             ASSERT(!isInlineOffset(variant.offset()));
 
@@ -470 +503 @@
         m_graph.m_storageAccessData.append(storageAccessData);
     }
+    
+    void addBaseCheck(
+        unsigned indexInBlock, Node* node, const AbstractValue& baseValue, const StructureSet& set)
+    {
+        if (!baseValue.m_structure.isSubsetOf(set)) {
+            // Arises when we prune MultiGetByOffset. We could have a
+            // MultiGetByOffset with a single variant that checks for structure S,
+            // and the input has structures S and T, for example.
+            m_insertionSet.insertNode(
+                indexInBlock, SpecNone, CheckStructure, node->origin,
+                OpInfo(m_graph.addStructureSet(set)), node->child1());
+            return;
+        }
+        
+        if (baseValue.m_type & ~SpecCell) {
+            m_insertionSet.insertNode(
+                indexInBlock, SpecNone, Phantom, node->origin, node->child1());
+        }
+    }
+    
+    void addChecks(
+        NodeOrigin origin, unsigned indexInBlock, const ConstantStructureCheckVector& checks)
+    {
+        for (unsigned i = 0; i < checks.size(); ++i) {
+            addStructureTransitionCheck(
+                origin, indexInBlock, checks[i].constant(), checks[i].structure());
+        }
+    }
 
     void addStructureTransitionCheck(NodeOrigin origin, unsigned indexInBlock, JSCell* cell, Structure* structure)

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -187 +187 @@
     case PutByValAlias:
     case PutStructure:
-    case PhantomPutStructure:
     case GetByOffset:
     case GetGetterSetterByOffset:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -981 +981 @@
         case Upsilon:
         case GetArgument:
-        case PhantomPutStructure:
         case GetIndexedPropertyStorage:
         case GetTypedArrayByteOffset:

trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp

@@ -890 +890 @@
                 
             case PutStructure:
-            case PhantomPutStructure:
             case AllocatePropertyStorage:
             case ReallocatePropertyStorage:
@@ -918 +917 @@
                 for (unsigned i = node->multiPutByOffsetData().variants.size(); i--;) {
                     PutByIdVariant& variant = node->multiPutByOffsetData().variants[i];
-                    visitor.appendUnbarrieredReadOnlyPointer(variant.oldStructure());
+                    const StructureSet& set = variant.oldStructure();
+                    for (unsigned j = set.size(); j--;)
+                        visitor.appendUnbarrieredReadOnlyPointer(set[j]);
                     if (variant.kind() == PutByIdVariant::Transition)
                         visitor.appendUnbarrieredReadOnlyPointer(variant.newStructure());
@@ -952 +953 @@
 FrozenValue* Graph::freezeStrong(JSValue value)
 {
-    FrozenValue* result = freeze(value);
+    FrozenValue* result = freezeFragile(value);
     result->strengthenTo(StrongValue);
     return result;

trunk/Source/JavaScriptCore/dfg/DFGGraph.h

@@ -148 +148 @@
     
     FrozenValue* freezeFragile(JSValue value);
-    FrozenValue* freeze(JSValue value); // We use weak freezing by default.
-    FrozenValue* freezeStrong(JSValue value); // Shorthand for freeze(value)->markStrongly().
+    FrozenValue* freeze(JSValue value); // We use weak freezing by default. Shorthand for freezeFragile(value)->strengthenTo(WeakValue);
+    FrozenValue* freezeStrong(JSValue value); // Shorthand for freezeFragile(value)->strengthenTo(StrongValue).
     
     void convertToConstant(Node* node, FrozenValue* value);

trunk/Source/JavaScriptCore/dfg/DFGNode.cpp

@@ -38 +38 @@
 {
     for (unsigned i = variants.size(); i--;) {
-        if (variants[i].kind() == PutByIdVariant::Transition)
+        if (variants[i].writesStructures())
             return true;
     }
@@ -47 +47 @@
 {
     for (unsigned i = variants.size(); i--;) {
-        if (variants[i].kind() != PutByIdVariant::Transition)
-            continue;
-        
-        if (variants[i].oldStructure()->outOfLineCapacity() ==
-            variants[i].newStructure()->outOfLineCapacity())
-            continue;
-        
-        return true;
+        if (variants[i].reallocatesStorage())
+            return true;
     }
     return false;

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -459 +459 @@
     }
     
+    void convertToMultiGetByOffset(MultiGetByOffsetData* data)
+    {
+        ASSERT(m_op == GetById || m_op == GetByIdFlush);
+        m_opInfo = bitwise_cast<intptr_t>(data);
+        child1().setUseKind(CellUse);
+        m_op = MultiGetByOffset;
+        m_flags &= ~NodeClobbersWorld;
+    }
+    
     void convertToPutByOffset(unsigned storageAccessDataIndex, Edge storage)
     {
-        ASSERT(m_op == PutById || m_op == PutByIdDirect || m_op == MultiPutByOffset);
+        ASSERT(m_op == PutById || m_op == PutByIdDirect || m_op == PutByIdFlush || m_op == MultiPutByOffset);
         m_opInfo = storageAccessDataIndex;
         children.setChild3(children.child2());
@@ -467 +476 @@
         children.setChild1(storage);
         m_op = PutByOffset;
+        m_flags &= ~NodeClobbersWorld;
+    }
+    
+    void convertToMultiPutByOffset(MultiPutByOffsetData* data)
+    {
+        ASSERT(m_op == PutById || m_op == PutByIdDirect || m_op == PutByIdFlush);
+        m_opInfo = bitwise_cast<intptr_t>(data);
+        m_op = MultiPutByOffset;
         m_flags &= ~NodeClobbersWorld;
     }
@@ -1108 +1125 @@
         switch (op()) {
         case PutStructure:
-        case PhantomPutStructure:
         case AllocatePropertyStorage:
         case ReallocatePropertyStorage:

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -156 +156 @@
     macro(CheckExecutable, NodeMustGenerate) \
     macro(PutStructure, NodeMustGenerate) \
-    macro(PhantomPutStructure, NodeMustGenerate) \
     macro(AllocatePropertyStorage, NodeMustGenerate | NodeResultStorage) \
     macro(ReallocatePropertyStorage, NodeMustGenerate | NodeResultStorage) \

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -541 +541 @@
         case GetMyArgumentsLength:
         case GetMyArgumentByVal:
-        case PhantomPutStructure:
         case PhantomArguments:
         case CheckArray:

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -284 +284 @@
 
     case PutStructure:
-    case PhantomPutStructure:
     case AllocatePropertyStorage:
     case ReallocatePropertyStorage:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -344 +344 @@
         ASSERT(info.gpr() == source);
         if (node->hasConstant()) {
-            DFG_ASSERT(m_jit.graph(), m_currentNode, node->isCellConstant());
             node->asCell(); // To get the assertion.
             fillAction = SetCellConstant;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -868 +868 @@
     VirtualRegister virtualRegister = edge->virtualRegister();
     GenerationInfo& info = generationInfoFromVirtualRegister(virtualRegister);
-    
-    if (edge->hasConstant() && !edge->isCellConstant()) {
-        // Protect the silent spill/fill logic by failing early. If we "speculate" on
-        // the constant then the silent filler may think that we have a cell and a
-        // constant, so it will try to fill this as an cell constant. Bad things will
-        // happen.
-        terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
-        return allocate();
-    }
 
     switch (info.registerFormat()) {
@@ -888 +879 @@
             JSValue jsValue = edge->asJSValue();
             GPRReg gpr = allocate();
-            m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
-            m_jit.move(MacroAssembler::TrustedImmPtr(jsValue.asCell()), gpr);
-            info.fillCell(*m_stream, gpr);
+            if (jsValue.isCell()) {
+                m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
+                m_jit.move(MacroAssembler::TrustedImmPtr(jsValue.asCell()), gpr);
+                info.fillCell(*m_stream, gpr);
+                return gpr;
+            }
+            terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
             return gpr;
         }
@@ -3740 +3735 @@
     }
         
-    case PhantomPutStructure: {
-        ASSERT(isKnownCell(node->child1().node()));
-        m_jit.jitCode()->common.notifyCompilingStructureTransition(m_jit.graph().m_plan, m_jit.codeBlock(), node);
-        noResult(node);
-        break;
-    }
-
     case PutStructure: {
         Structure* oldStructure = node->transition()->previous;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -98 +98 @@
             default:
                 m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
-                RELEASE_ASSERT(spillFormat & DataFormatJS);
+                DFG_ASSERT(m_jit.graph(), m_currentNode, spillFormat & DataFormatJS);
                 break;
             }
@@ -138 +138 @@
     case DataFormatInt52:
         // this type currently never occurs
-        RELEASE_ASSERT_NOT_REACHED();
+        DFG_CRASH(m_jit.graph(), m_currentNode, "Bad data format");
         
     default:
-        RELEASE_ASSERT_NOT_REACHED();
+        DFG_CRASH(m_jit.graph(), m_currentNode, "Corrupt data format");
         return InvalidGPRReg;
     }
@@ -312 +312 @@
         Node* branchNode = m_block->at(branchIndexInBlock);
 
-        RELEASE_ASSERT(node->adjustedRefCount() == 1);
+        DFG_ASSERT(m_jit.graph(), node, node->adjustedRefCount() == 1);
         
         nonSpeculativePeepholeBranchNull(operand, branchNode, invert);
@@ -629 +629 @@
     bool isCall = node->op() == Call;
     if (!isCall)
-        RELEASE_ASSERT(node->op() == Construct);
-
+        DFG_ASSERT(m_jit.graph(), node, node->op() == Construct);
+    
     // For constructors, the this argument is not passed but we have to make space
     // for it.
@@ -742 +742 @@
         DataFormat spillFormat = info.spillFormat();
         
-        RELEASE_ASSERT((spillFormat & DataFormatJS) || spillFormat == DataFormatInt32);
+        DFG_ASSERT(m_jit.graph(), m_currentNode, (spillFormat & DataFormatJS) || spillFormat == DataFormatInt32);
         
         m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
@@ -772 +772 @@
 
     case DataFormatJS: {
-        RELEASE_ASSERT(!(type & SpecInt52));
+        DFG_ASSERT(m_jit.graph(), m_currentNode, !(type & SpecInt52));
         // Check the value is an integer.
         GPRReg gpr = info.gpr();
@@ -835 +835 @@
     case DataFormatInt52:
     case DataFormatStrictInt52:
-        RELEASE_ASSERT_NOT_REACHED();
+        DFG_CRASH(m_jit.graph(), m_currentNode, "Bad data format");
         
     default:
-        RELEASE_ASSERT_NOT_REACHED();
+        DFG_CRASH(m_jit.graph(), m_currentNode, "Corrupt data format");
         return InvalidGPRReg;
     }
@@ -855 +855 @@
     DataFormat mustBeDataFormatInt32;
     GPRReg result = fillSpeculateInt32Internal<true>(edge, mustBeDataFormatInt32);
-    RELEASE_ASSERT(mustBeDataFormatInt32 == DataFormatInt32);
+    DFG_ASSERT(m_jit.graph(), m_currentNode, mustBeDataFormatInt32 == DataFormatInt32);
     return result;
 }
@@ -890 +890 @@
         DataFormat spillFormat = info.spillFormat();
         
-        RELEASE_ASSERT(spillFormat == DataFormatInt52 || spillFormat == DataFormatStrictInt52);
+        DFG_ASSERT(m_jit.graph(), m_currentNode, spillFormat == DataFormatInt52 || spillFormat == DataFormatStrictInt52);
         
         m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
@@ -942 +942 @@
 
     default:
-        RELEASE_ASSERT_NOT_REACHED();
+        DFG_CRASH(m_jit.graph(), m_currentNode, "Bad data format");
         return InvalidGPRReg;
     }
@@ -973 +973 @@
         
         DataFormat spillFormat = info.spillFormat();
-        RELEASE_ASSERT(spillFormat == DataFormatDouble);
+        DFG_ASSERT(m_jit.graph(), m_currentNode, spillFormat == DataFormatDouble);
         FPRReg fpr = fprAllocate();
         m_jit.loadDouble(JITCompiler::addressFor(virtualRegister), fpr);
@@ -981 +981 @@
     }
 
-    RELEASE_ASSERT(info.registerFormat() == DataFormatDouble);
+    DFG_ASSERT(m_jit.graph(), m_currentNode, info.registerFormat() == DataFormatDouble);
     FPRReg fpr = info.fpr();
     m_fprs.lock(fpr);
@@ -996 +996 @@
     GenerationInfo& info = generationInfoFromVirtualRegister(virtualRegister);
 
-    if (edge->hasConstant() && !edge->isCellConstant()) {
-        // Better to fail early on constants.
-        terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
-        return allocate();
-    }
-
     switch (info.registerFormat()) {
     case DataFormatNone: {
@@ -1008 +1002 @@
         if (edge->hasConstant()) {
             JSValue jsValue = edge->asJSValue();
-            m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
-            m_jit.move(MacroAssembler::TrustedImm64(JSValue::encode(jsValue)), gpr);
-            info.fillJSValue(*m_stream, gpr, DataFormatJSCell);
+            if (jsValue.isCell()) {
+                m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
+                m_jit.move(MacroAssembler::TrustedImm64(JSValue::encode(jsValue)), gpr);
+                info.fillJSValue(*m_stream, gpr, DataFormatJSCell);
+                return gpr;
+            }
+            terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
             return gpr;
         }
@@ -1063 +1061 @@
     case DataFormatInt52:
     case DataFormatStrictInt52:
-        RELEASE_ASSERT_NOT_REACHED();
+        DFG_CRASH(m_jit.graph(), m_currentNode, "Bad data format");
         
     default:
-        RELEASE_ASSERT_NOT_REACHED();
+        DFG_CRASH(m_jit.graph(), m_currentNode, "Corrupt data format");
         return InvalidGPRReg;
     }
@@ -1099 +1097 @@
             return gpr;
         }
-        RELEASE_ASSERT(info.spillFormat() & DataFormatJS);
+        DFG_ASSERT(m_jit.graph(), m_currentNode, info.spillFormat() & DataFormatJS);
         m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
         m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
@@ -1144 +1142 @@
     case DataFormatInt52:
     case DataFormatStrictInt52:
-        RELEASE_ASSERT_NOT_REACHED();
+        DFG_CRASH(m_jit.graph(), m_currentNode, "Bad data format");
         
     default:
-        RELEASE_ASSERT_NOT_REACHED();
+        DFG_CRASH(m_jit.graph(), m_currentNode, "Corrupt data format");
         return InvalidGPRReg;
     }
@@ -1611 +1609 @@
 
     default:
-        RELEASE_ASSERT_NOT_REACHED();
+        DFG_CRASH(m_jit.graph(), node, "Bad use kind");
         break;
     }
@@ -1766 +1764 @@
         
     default:
-        RELEASE_ASSERT_NOT_REACHED();
+        DFG_CRASH(m_jit.graph(), m_currentNode, "Bad use kind");
     }
 }
@@ -1791 +1789 @@
     case Identity: {
         // CSE should always eliminate this.
-        RELEASE_ASSERT_NOT_REACHED();
+        DFG_CRASH(m_jit.graph(), node, "Unexpected Identity node");
         break;
     }
@@ -1872 +1870 @@
     case ZombieHint:
     case Check: {
-        RELEASE_ASSERT_NOT_REACHED();
+        DFG_CRASH(m_jit.graph(), node, "Unexpected node");
         break;
     }
@@ -1932 +1930 @@
             
         default:
-            RELEASE_ASSERT_NOT_REACHED();
+            DFG_CRASH(m_jit.graph(), node, "Bad flush format");
             break;
         }
@@ -2070 +2068 @@
             
         default:
-            RELEASE_ASSERT_NOT_REACHED();
+            DFG_CRASH(m_jit.graph(), node, "Bad use kind");
         }
         break;
@@ -2150 +2148 @@
             
         default:
-            RELEASE_ASSERT_NOT_REACHED();
+            DFG_CRASH(m_jit.graph(), node, "Bad use kind");
             break;
         }
@@ -2217 +2215 @@
             
         default:
-            RELEASE_ASSERT_NOT_REACHED();
+            DFG_CRASH(m_jit.graph(), node, "Bad use kind");
             break;
         }
@@ -2339 +2337 @@
         case Array::SelectUsingPredictions:
         case Array::ForceExit:
-            RELEASE_ASSERT_NOT_REACHED();
-            terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), 0);
+            DFG_CRASH(m_jit.graph(), node, "Bad array mode type");
             break;
         case Array::Generic: {
@@ -2541 +2538 @@
         case Array::SelectUsingPredictions:
         case Array::ForceExit:
-            RELEASE_ASSERT_NOT_REACHED();
-            terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), 0);
-            alreadyHandled = true;
+            DFG_CRASH(m_jit.graph(), node, "Bad array mode type");
             break;
         case Array::Generic: {
-            RELEASE_ASSERT(node->op() == PutByVal);
+            DFG_ASSERT(m_jit.graph(), node, node->op() == PutByVal);
             
             JSValueOperand arg1(this, child1);
@@ -3119 +3114 @@
             
         default:
-            RELEASE_ASSERT_NOT_REACHED();
+            DFG_CRASH(m_jit.graph(), node, "Bad use kind");
             break;
         }
@@ -3126 +3121 @@
         
     case ToPrimitive: {
-        RELEASE_ASSERT(node->child1().useKind() == UntypedUse);
+        DFG_ASSERT(m_jit.graph(), node, node->child1().useKind() == UntypedUse);
         JSValueOperand op1(this, node->child1());
         GPRTemporary result(this, Reuse, op1);
@@ -3193 +3188 @@
         if (!globalObject->isHavingABadTime() && !hasAnyArrayStorage(node->indexingType())) {
             Structure* structure = globalObject->arrayStructureForIndexingTypeDuringAllocation(node->indexingType());
-            RELEASE_ASSERT(structure->indexingType() == node->indexingType());
+            DFG_ASSERT(m_jit.graph(), node, structure->indexingType() == node->indexingType());
             ASSERT(
                 hasUndecided(structure->indexingType())
@@ -3444 +3439 @@
             emitAllocateJSArray(resultGPR, globalObject->arrayStructureForIndexingTypeDuringAllocation(indexingType), storageGPR, numElements);
             
-            RELEASE_ASSERT(indexingType & IsArray);
+            DFG_ASSERT(m_jit.graph(), node, indexingType & IsArray);
             JSValue* data = m_jit.codeBlock()->constantBuffer(node->startConstant());
             if (indexingType == ArrayWithDouble) {
@@ -3498 +3493 @@
         }
         default:
-            RELEASE_ASSERT_NOT_REACHED();
+            DFG_CRASH(m_jit.graph(), node, "Bad use kind");
             break;
         }
@@ -3728 +3723 @@
             
         default:
-            RELEASE_ASSERT_NOT_REACHED();
+            DFG_CRASH(m_jit.graph(), node, "Bad use kind");
             break;
         }
@@ -3778 +3773 @@
             
         default:
-            RELEASE_ASSERT_NOT_REACHED();
+            DFG_CRASH(m_jit.graph(), node, "Bad use kind");
             break;
         }
@@ -3834 +3829 @@
         }
         
-        noResult(node);
-        break;
-    }
-        
-    case PhantomPutStructure: {
-        ASSERT(isKnownCell(node->child1().node()));
-        m_jit.jitCode()->common.notifyCompilingStructureTransition(m_jit.graph().m_plan, m_jit.codeBlock(), node);
         noResult(node);
         break;
@@ -4249 +4237 @@
 
     case CreateActivation: {
-        RELEASE_ASSERT(!node->origin.semantic.inlineCallFrame);
+        DFG_ASSERT(m_jit.graph(), node, !node->origin.semantic.inlineCallFrame);
         
         JSValueOperand value(this, node->child1());
@@ -4322 +4310 @@
 
     case TearOffActivation: {
-        RELEASE_ASSERT(!node->origin.semantic.inlineCallFrame);
+        DFG_ASSERT(m_jit.graph(), node, !node->origin.semantic.inlineCallFrame);
 
         JSValueOperand activationValue(this, node->child1());
@@ -4394 +4382 @@
         }
         
-        RELEASE_ASSERT(!node->origin.semantic.inlineCallFrame);
+        DFG_ASSERT(m_jit.graph(), node, !node->origin.semantic.inlineCallFrame);
         m_jit.load32(JITCompiler::payloadFor(JSStack::ArgumentCount), resultGPR);
         m_jit.sub32(TrustedImm32(1), resultGPR);
@@ -4470 +4458 @@
         JITCompiler::JumpList slowArgumentOutOfBounds;
         if (m_jit.symbolTableFor(node->origin.semantic)->slowArguments()) {
-            RELEASE_ASSERT(!node->origin.semantic.inlineCallFrame);
+            DFG_ASSERT(m_jit.graph(), node, !node->origin.semantic.inlineCallFrame);
             const SlowArgument* slowArguments = m_jit.graph().m_slowArguments.get();
             
@@ -4537 +4525 @@
         JITCompiler::JumpList slowArgumentOutOfBounds;
         if (m_jit.symbolTableFor(node->origin.semantic)->slowArguments()) {
-            RELEASE_ASSERT(!node->origin.semantic.inlineCallFrame);
+            DFG_ASSERT(m_jit.graph(), node, !node->origin.semantic.inlineCallFrame);
             const SlowArgument* slowArguments = m_jit.graph().m_slowArguments.get();
 
@@ -4672 +4660 @@
 
     case Unreachable:
-        RELEASE_ASSERT_NOT_REACHED();
+        DFG_CRASH(m_jit.graph(), node, "Unexpected Unreachable node");
         break;
 
@@ -4740 +4728 @@
     case CheckTierUpAtReturn:
     case CheckTierUpAndOSREnter:
-        RELEASE_ASSERT_NOT_REACHED();
+        DFG_CRASH(m_jit.graph(), node, "Unexpected tier-up node");
         break;
 #endif // ENABLE(FTL_JIT)
@@ -4756 +4744 @@
     case MultiPutByOffset:
     case FiatInt52:
-        RELEASE_ASSERT_NOT_REACHED();
+        DFG_CRASH(m_jit.graph(), node, "Unexpected FTL node");
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.cpp

@@ -84 +84 @@
 {
     SAMPLE("StructureAbstractValue observeTransition");
+    
+    ASSERT(!from->dfgShouldWatch());
 
     if (isTop())
@@ -90 +92 @@
     if (!m_set.contains(from))
         return;
-    
-    if (from->dfgShouldWatch()) {
-        setClobbered(true);
-        return;
-    }
     
     if (!m_set.add(to))
@@ -112 +109 @@
     StructureSet newStructures;
     for (unsigned i = vector.size(); i--;) {
+        ASSERT(!vector[i].previous->dfgShouldWatch());
+
         if (!m_set.contains(vector[i].previous))
             continue;
         
-        if (vector[i].previous->dfgShouldWatch())
-            setClobbered(true);
-        else
-            newStructures.add(vector[i].next);
+        newStructures.add(vector[i].next);
     }
     

trunk/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.h

@@ -56 +56 @@
     }
     
+    ALWAYS_INLINE StructureAbstractValue& operator=(Structure* structure)
+    {
+        m_set = structure;
+        setClobbered(false);
+        return *this;
+    }
+    ALWAYS_INLINE StructureAbstractValue& operator=(const StructureSet& other)
+    {
+        m_set = other;
+        setClobbered(false);
+        return *this;
+    }
     ALWAYS_INLINE StructureAbstractValue& operator=(const StructureAbstractValue& other)
     {
@@ -150 +162 @@
     }
     
+    const StructureSet& set() const
+    {
+        ASSERT(!isTop());
+        return m_set;
+    }
+    
     size_t size() const
     {
@@ -164 +182 @@
     Structure* operator[](size_t i) const { return at(i); }
     
-    // FIXME: Eliminate all uses of this method. There shouldn't be any
-    // special-casing for the one-structure case.
-    // https://bugs.webkit.org/show_bug.cgi?id=133229
+    // In most cases, what you really want to do is verify whether the set is top or clobbered, and
+    // if not, enumerate the set of structures. Use this only in cases where the singleton case is
+    // meaningfully special, like for transitions.
     Structure* onlyStructure() const
     {
-        if (isTop() || size() != 1)
+        if (isTop() || isClobbered())
             return nullptr;
-        return at(0);
+        return m_set.onlyStructure();
     }
     

trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp

@@ -234 +234 @@
                     VALIDATE((node), !!node->child2());
                     break;
+                case PutStructure:
+                    VALIDATE((node), !node->transition()->previous->dfgShouldWatch());
+                    break;
+                case MultiPutByOffset:
+                    for (unsigned i = node->multiPutByOffsetData().variants.size(); i--;) {
+                        const PutByIdVariant& variant = node->multiPutByOffsetData().variants[i];
+                        if (variant.kind() != PutByIdVariant::Transition)
+                            continue;
+                        VALIDATE((node), !variant.oldStructureForTransition()->dfgShouldWatch());
+                    }
+                    break;
                 default:
                     break;

trunk/Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.cpp

@@ -78 +78 @@
                 
                 case PutStructure:
-                case PhantomPutStructure:
                 case AllocatePropertyStorage:
                 case ReallocatePropertyStorage: