Changeset 172176 in webkit for trunk/Source/JavaScriptCore/dfg

Timestamp:

Aug 6, 2014, 2:32:55 PM (11 years ago)

Author:

[email protected]

Message:

Merge r171389, r171495, r171508, r171510, r171605, r171606, r171611, r171614, r171763 from ftlopt.

Source/JavaScriptCore:

2014-07-28 Mark Hahnenberg <​[email protected]>

Support for-in in the FTL
​https://bugs.webkit.org/show_bug.cgi?id=134140

Reviewed by Filip Pizlo.

• dfg/DFGSSALoweringPhase.cpp: (JSC::DFG::SSALoweringPhase::handleNode):
• ftl/FTLAbstractHeapRepository.cpp:
• ftl/FTLAbstractHeapRepository.h:
• ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile):
• ftl/FTLIntrinsicRepository.h:
• ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileNode): (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty): (JSC::FTL::LowerDFGToLLVM::compileHasGenericProperty): (JSC::FTL::LowerDFGToLLVM::compileHasStructureProperty): (JSC::FTL::LowerDFGToLLVM::compileGetDirectPname): (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength): (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator): (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator): (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname): (JSC::FTL::LowerDFGToLLVM::compileToIndexString):

2014-07-25 Mark Hahnenberg <​[email protected]>

Remove JSPropertyNameIterator
​https://bugs.webkit.org/show_bug.cgi?id=135066

Reviewed by Geoffrey Garen.

It has been replaced by JSPropertyNameEnumerator.

• JavaScriptCore.order:
• bytecode/BytecodeBasicBlock.cpp: (JSC::isBranch):
• bytecode/BytecodeList.json:
• bytecode/BytecodeUseDef.h: (JSC::computeUsesForBytecodeOffset): (JSC::computeDefsForBytecodeOffset):
• bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode):
• bytecode/PreciseJumpTargets.cpp: (JSC::getJumpTargetsForBytecodeOffset):
• bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitGetPropertyNames): Deleted. (JSC::BytecodeGenerator::emitNextPropertyName): Deleted.
• bytecompiler/BytecodeGenerator.h:
• interpreter/Interpreter.cpp:
• interpreter/Register.h:
• jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompileSlowCases):
• jit/JIT.h:
• jit/JITOpcodes.cpp: (JSC::JIT::emit_op_get_pnames): Deleted. (JSC::JIT::emit_op_next_pname): Deleted.
• jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_get_pnames): Deleted. (JSC::JIT::emit_op_next_pname): Deleted.
• jit/JITOperations.cpp:
• jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_get_by_pname): Deleted. (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
• jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emit_op_get_by_pname): Deleted. (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
• llint/LLIntOffsetsExtractor.cpp:
• llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
• llint/LLIntSlowPaths.h:
• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/CommonSlowPaths.cpp:
• runtime/JSPropertyNameIterator.cpp: (JSC::JSPropertyNameIterator::JSPropertyNameIterator): Deleted. (JSC::JSPropertyNameIterator::create): Deleted. (JSC::JSPropertyNameIterator::destroy): Deleted. (JSC::JSPropertyNameIterator::get): Deleted. (JSC::JSPropertyNameIterator::visitChildren): Deleted.
• runtime/JSPropertyNameIterator.h: (JSC::JSPropertyNameIterator::createStructure): Deleted. (JSC::JSPropertyNameIterator::size): Deleted. (JSC::JSPropertyNameIterator::setCachedStructure): Deleted. (JSC::JSPropertyNameIterator::cachedStructure): Deleted. (JSC::JSPropertyNameIterator::setCachedPrototypeChain): Deleted. (JSC::JSPropertyNameIterator::cachedPrototypeChain): Deleted. (JSC::JSPropertyNameIterator::finishCreation): Deleted. (JSC::Register::propertyNameIterator): Deleted. (JSC::StructureRareData::enumerationCache): Deleted. (JSC::StructureRareData::setEnumerationCache): Deleted.
• runtime/Structure.cpp: (JSC::Structure::addPropertyWithoutTransition): (JSC::Structure::removePropertyWithoutTransition):
• runtime/Structure.h:
• runtime/StructureInlines.h: (JSC::Structure::setEnumerationCache): Deleted. (JSC::Structure::enumerationCache): Deleted.
• runtime/StructureRareData.cpp: (JSC::StructureRareData::visitChildren):
• runtime/StructureRareData.h:
• runtime/VM.cpp: (JSC::VM::VM):

2014-07-25 Saam Barati <​[email protected]>

Fix 32-bit build breakage for type profiling
​https://bugs.webkit.org/process_bug.cgi

Reviewed by Mark Hahnenberg.

32-bit builds currently break because global variable IDs for high
fidelity type profiling are int64_t. Change this to intptr_t so that
it's 32 bits on 32-bit platforms and 64 bits on 64-bit platforms.

• bytecode/CodeBlock.cpp: (JSC::CodeBlock::CodeBlock): (JSC::CodeBlock::scopeDependentProfile):
• bytecode/TypeLocation.h:
• runtime/SymbolTable.cpp: (JSC::SymbolTable::uniqueIDForVariable): (JSC::SymbolTable::uniqueIDForRegister):
• runtime/SymbolTable.h:
• runtime/TypeLocationCache.cpp: (JSC::TypeLocationCache::getTypeLocation):
• runtime/TypeLocationCache.h:
• runtime/VM.h: (JSC::VM::getNextUniqueVariableID):

2014-07-25 Mark Hahnenberg <​[email protected]>

Reindent PropertyNameArray.h
​https://bugs.webkit.org/show_bug.cgi?id=135067

Reviewed by Geoffrey Garen.

• runtime/PropertyNameArray.h: (JSC::RefCountedIdentifierSet::contains): (JSC::RefCountedIdentifierSet::size): (JSC::RefCountedIdentifierSet::add): (JSC::PropertyNameArrayData::create): (JSC::PropertyNameArrayData::propertyNameVector): (JSC::PropertyNameArrayData::PropertyNameArrayData): (JSC::PropertyNameArray::PropertyNameArray): (JSC::PropertyNameArray::vm): (JSC::PropertyNameArray::add): (JSC::PropertyNameArray::addKnownUnique): (JSC::PropertyNameArray::operator[]): (JSC::PropertyNameArray::setData): (JSC::PropertyNameArray::data): (JSC::PropertyNameArray::releaseData): (JSC::PropertyNameArray::identifierSet): (JSC::PropertyNameArray::canAddKnownUniqueForStructure): (JSC::PropertyNameArray::size): (JSC::PropertyNameArray::begin): (JSC::PropertyNameArray::end): (JSC::PropertyNameArray::numCacheableSlots): (JSC::PropertyNameArray::setNumCacheableSlotsForObject): (JSC::PropertyNameArray::setBaseObject): (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):

2014-07-23 Mark Hahnenberg <​[email protected]>

Refactor our current implementation of for-in
​https://bugs.webkit.org/show_bug.cgi?id=134142

Reviewed by Filip Pizlo.

This patch splits for-in loops into three distinct parts:

• Iterating over the indexed properties in the base object.
• Iterating over the Structure properties in the base object.
• Iterating over any other enumerable properties for that object and any objects in the prototype chain.

It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to
support the various operations required for each loop.

• API/JSCallbackObjectFunctions.h: (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/BytecodeList.json:
• bytecode/BytecodeUseDef.h: (JSC::computeUsesForBytecodeOffset): (JSC::computeDefsForBytecodeOffset):
• bytecode/CallLinkStatus.h: (JSC::CallLinkStatus::CallLinkStatus):
• bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): (JSC::CodeBlock::CodeBlock):
• bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitGetByVal): (JSC::BytecodeGenerator::emitComplexPopScopes): (JSC::BytecodeGenerator::emitGetEnumerableLength): (JSC::BytecodeGenerator::emitHasGenericProperty): (JSC::BytecodeGenerator::emitHasIndexedProperty): (JSC::BytecodeGenerator::emitHasStructureProperty): (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator): (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator): (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName): (JSC::BytecodeGenerator::emitToIndexString): (JSC::BytecodeGenerator::pushIndexedForInScope): (JSC::BytecodeGenerator::popIndexedForInScope): (JSC::BytecodeGenerator::pushStructureForInScope): (JSC::BytecodeGenerator::popStructureForInScope): (JSC::BytecodeGenerator::invalidateForInContextForLocal):
• bytecompiler/BytecodeGenerator.h: (JSC::ForInContext::ForInContext): (JSC::ForInContext::~ForInContext): (JSC::ForInContext::isValid): (JSC::ForInContext::invalidate): (JSC::ForInContext::local): (JSC::StructureForInContext::StructureForInContext): (JSC::StructureForInContext::type): (JSC::StructureForInContext::index): (JSC::StructureForInContext::property): (JSC::StructureForInContext::enumerator): (JSC::IndexedForInContext::IndexedForInContext): (JSC::IndexedForInContext::type): (JSC::IndexedForInContext::index): (JSC::BytecodeGenerator::pushOptimisedForIn): Deleted. (JSC::BytecodeGenerator::popOptimisedForIn): Deleted.
• bytecompiler/NodesCodegen.cpp: (JSC::ReadModifyResolveNode::emitBytecode): (JSC::AssignResolveNode::emitBytecode): (JSC::ForInNode::tryGetBoundLocal): (JSC::ForInNode::emitLoopHeader): (JSC::ForInNode::emitMultiLoopBytecode): (JSC::ForInNode::emitBytecode):
• debugger/DebuggerScope.h:
• dfg/DFGAbstractHeap.h:
• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
• dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock):
• dfg/DFGCapabilities.cpp: (JSC::DFG::capabilityLevel):
• dfg/DFGClobberize.h: (JSC::DFG::clobberize):
• dfg/DFGDoesGC.cpp: (JSC::DFG::doesGC):
• dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode):
• dfg/DFGHeapLocation.cpp: (WTF::printInternal):
• dfg/DFGHeapLocation.h:
• dfg/DFGNode.h: (JSC::DFG::Node::hasHeapPrediction): (JSC::DFG::Node::hasArrayMode):
• dfg/DFGNodeType.h:
• dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate):
• dfg/DFGSafeToExecute.h: (JSC::DFG::safeToExecute):
• dfg/DFGSpeculativeJIT.h: (JSC::DFG::SpeculativeJIT::callOperation):
• dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile):
• dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile):
• jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompileSlowCases):
• jit/JIT.h: (JSC::JIT::compileHasIndexedProperty): (JSC::JIT::emitInt32Load):
• jit/JITInlines.h: (JSC::JIT::emitDoubleGetByVal): (JSC::JIT::emitLoadForArrayMode): (JSC::JIT::emitContiguousGetByVal): (JSC::JIT::emitArrayStorageGetByVal):
• jit/JITOpcodes.cpp: (JSC::JIT::emit_op_get_enumerable_length): (JSC::JIT::emit_op_has_structure_property): (JSC::JIT::emitSlow_op_has_structure_property): (JSC::JIT::emit_op_has_generic_property): (JSC::JIT::privateCompileHasIndexedProperty): (JSC::JIT::emit_op_has_indexed_property): (JSC::JIT::emitSlow_op_has_indexed_property): (JSC::JIT::emit_op_get_direct_pname): (JSC::JIT::emitSlow_op_get_direct_pname): (JSC::JIT::emit_op_get_structure_property_enumerator): (JSC::JIT::emit_op_get_generic_property_enumerator): (JSC::JIT::emit_op_next_enumerator_pname): (JSC::JIT::emit_op_to_index_string):
• jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_get_enumerable_length): (JSC::JIT::emit_op_has_structure_property): (JSC::JIT::emitSlow_op_has_structure_property): (JSC::JIT::emit_op_has_generic_property): (JSC::JIT::privateCompileHasIndexedProperty): (JSC::JIT::emit_op_has_indexed_property): (JSC::JIT::emitSlow_op_has_indexed_property): (JSC::JIT::emit_op_get_direct_pname): (JSC::JIT::emitSlow_op_get_direct_pname): (JSC::JIT::emit_op_get_structure_property_enumerator): (JSC::JIT::emit_op_get_generic_property_enumerator): (JSC::JIT::emit_op_next_enumerator_pname): (JSC::JIT::emit_op_to_index_string):
• jit/JITOperations.cpp:
• jit/JITOperations.h:
• jit/JITPropertyAccess.cpp: (JSC::JIT::emitDoubleLoad): (JSC::JIT::emitContiguousLoad): (JSC::JIT::emitArrayStorageLoad): (JSC::JIT::emitDoubleGetByVal): Deleted. (JSC::JIT::emitContiguousGetByVal): Deleted. (JSC::JIT::emitArrayStorageGetByVal): Deleted.
• jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emitContiguousLoad): (JSC::JIT::emitDoubleLoad): (JSC::JIT::emitArrayStorageLoad): (JSC::JIT::emitContiguousGetByVal): Deleted. (JSC::JIT::emitDoubleGetByVal): Deleted. (JSC::JIT::emitArrayStorageGetByVal): Deleted.
• llint/LowLevelInterpreter.asm:
• parser/Nodes.h:
• runtime/Arguments.cpp: (JSC::Arguments::getOwnPropertyNames):
• runtime/ClassInfo.h:
• runtime/CommonSlowPaths.cpp: (JSC::SLOW_PATH_DECL):
• runtime/CommonSlowPaths.h:
• runtime/EnumerationMode.h: Added. (JSC::shouldIncludeDontEnumProperties): (JSC::shouldExcludeDontEnumProperties): (JSC::shouldIncludeJSObjectPropertyNames): (JSC::modeThatSkipsJSObject):
• runtime/JSActivation.cpp: (JSC::JSActivation::getOwnNonIndexPropertyNames):
• runtime/JSArray.cpp: (JSC::JSArray::getOwnNonIndexPropertyNames):
• runtime/JSArrayBuffer.cpp: (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
• runtime/JSArrayBufferView.cpp: (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
• runtime/JSCell.cpp: (JSC::JSCell::getEnumerableLength): (JSC::JSCell::getStructurePropertyNames): (JSC::JSCell::getGenericPropertyNames):
• runtime/JSCell.h:
• runtime/JSFunction.cpp: (JSC::JSFunction::getOwnNonIndexPropertyNames):
• runtime/JSGenericTypedArrayViewInlines.h: (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
• runtime/JSObject.cpp: (JSC::getClassPropertyNames): (JSC::JSObject::hasOwnProperty): (JSC::JSObject::getOwnPropertyNames): (JSC::JSObject::getOwnNonIndexPropertyNames): (JSC::JSObject::getEnumerableLength): (JSC::JSObject::getStructurePropertyNames): (JSC::JSObject::getGenericPropertyNames):
• runtime/JSObject.h:
• runtime/JSPropertyNameEnumerator.cpp: Added. (JSC::JSPropertyNameEnumerator::create): (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator): (JSC::JSPropertyNameEnumerator::finishCreation): (JSC::JSPropertyNameEnumerator::destroy): (JSC::JSPropertyNameEnumerator::visitChildren):
• runtime/JSPropertyNameEnumerator.h: Added. (JSC::JSPropertyNameEnumerator::createStructure): (JSC::JSPropertyNameEnumerator::propertyNameAtIndex): (JSC::JSPropertyNameEnumerator::identifierSet): (JSC::JSPropertyNameEnumerator::cachedPrototypeChain): (JSC::JSPropertyNameEnumerator::setCachedPrototypeChain): (JSC::JSPropertyNameEnumerator::cachedStructure): (JSC::JSPropertyNameEnumerator::cachedStructureID): (JSC::JSPropertyNameEnumerator::cachedInlineCapacity): (JSC::JSPropertyNameEnumerator::cachedStructureIDOffset): (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset): (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset): (JSC::JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset): (JSC::structurePropertyNameEnumerator): (JSC::genericPropertyNameEnumerator):
• runtime/JSProxy.cpp: (JSC::JSProxy::getEnumerableLength): (JSC::JSProxy::getStructurePropertyNames): (JSC::JSProxy::getGenericPropertyNames):
• runtime/JSProxy.h:
• runtime/JSSymbolTableObject.cpp: (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
• runtime/PropertyNameArray.cpp: (JSC::PropertyNameArray::add): (JSC::PropertyNameArray::setPreviouslyEnumeratedProperties):
• runtime/PropertyNameArray.h: (JSC::RefCountedIdentifierSet::contains): (JSC::RefCountedIdentifierSet::size): (JSC::RefCountedIdentifierSet::add): (JSC::PropertyNameArray::PropertyNameArray): (JSC::PropertyNameArray::add): (JSC::PropertyNameArray::addKnownUnique): (JSC::PropertyNameArray::identifierSet): (JSC::PropertyNameArray::canAddKnownUniqueForStructure): (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
• runtime/RegExpObject.cpp: (JSC::RegExpObject::getOwnNonIndexPropertyNames): (JSC::RegExpObject::getPropertyNames): (JSC::RegExpObject::getGenericPropertyNames):
• runtime/RegExpObject.h:
• runtime/StringObject.cpp: (JSC::StringObject::getOwnPropertyNames):
• runtime/Structure.cpp: (JSC::Structure::getPropertyNamesFromStructure): (JSC::Structure::setCachedStructurePropertyNameEnumerator): (JSC::Structure::cachedStructurePropertyNameEnumerator): (JSC::Structure::setCachedGenericPropertyNameEnumerator): (JSC::Structure::cachedGenericPropertyNameEnumerator): (JSC::Structure::canCacheStructurePropertyNameEnumerator): (JSC::Structure::canCacheGenericPropertyNameEnumerator): (JSC::Structure::canAccessPropertiesQuickly):
• runtime/Structure.h:
• runtime/StructureRareData.cpp: (JSC::StructureRareData::visitChildren): (JSC::StructureRareData::cachedStructurePropertyNameEnumerator): (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator): (JSC::StructureRareData::cachedGenericPropertyNameEnumerator): (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator):
• runtime/StructureRareData.h:
• runtime/VM.cpp: (JSC::VM::VM):
• runtime/VM.h:

2014-07-23 Saam Barati <​[email protected]>

Make improvements to Type Profiling
​https://bugs.webkit.org/show_bug.cgi?id=134860

Reviewed by Filip Pizlo.

I improved the API between the inspector and JSC. We no longer send one huge
string to the inspector. We now send structured data that represents the type
information that JSC has collected. I've also created a beginning implementation
of a type lattice that allows us to resolve a display name for a type that
consists of a single word.

I created a data structure that knows which functions have executed. This
solves the bug where types inside an un-executed function will resolve
to the type of the enclosing expression of that function. This data
structure may also be useful later if the inspector chooses to create a UI
around showing which functions have executed.

Better type information is gathered for objects. StructureShape now
represents an object's prototype chain. StructureShape also collects
the constructor name for an object.

Expression ranges are now zero indexed.

Removed some extraneous methods.

• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/CodeBlock.cpp: (JSC::CodeBlock::CodeBlock): (JSC::CodeBlock::scopeDependentProfile):
• bytecode/CodeBlock.h:
• bytecode/TypeLocation.h: (JSC::TypeLocation::TypeLocation):
• bytecode/UnlinkedCodeBlock.cpp: (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
• bytecode/UnlinkedCodeBlock.h: (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset): (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset):
• bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator): (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
• bytecompiler/BytecodeGenerator.h: (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
• heap/Heap.cpp: (JSC::Heap::collect):
• inspector/agents/InspectorRuntimeAgent.cpp: (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets): (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset): Deleted.
• inspector/agents/InspectorRuntimeAgent.h:
• inspector/protocol/Runtime.json:
• runtime/Executable.cpp: (JSC::ScriptExecutable::ScriptExecutable): (JSC::ProgramExecutable::ProgramExecutable): (JSC::FunctionExecutable::FunctionExecutable): (JSC::ProgramExecutable::initializeGlobalProperties):
• runtime/Executable.h: (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset): (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset):
• runtime/FunctionHasExecutedCache.cpp: Added. (JSC::FunctionHasExecutedCache::hasExecutedAtOffset): (JSC::FunctionHasExecutedCache::insertUnexecutedRange): (JSC::FunctionHasExecutedCache::removeUnexecutedRange):
• runtime/FunctionHasExecutedCache.h: Added. (JSC::FunctionHasExecutedCache::FunctionRange::FunctionRange): (JSC::FunctionHasExecutedCache::FunctionRange::operator==): (JSC::FunctionHasExecutedCache::FunctionRange::hash):
• runtime/HighFidelityLog.cpp: (JSC::HighFidelityLog::processHighFidelityLog): (JSC::HighFidelityLog::actuallyProcessLogThreadFunction): Deleted.
• runtime/HighFidelityLog.h: (JSC::HighFidelityLog::recordTypeInformationForLocation):
• runtime/HighFidelityTypeProfiler.cpp: (JSC::HighFidelityTypeProfiler::logTypesForTypeLocation): (JSC::HighFidelityTypeProfiler::insertNewLocation): (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector): (JSC::descriptorMatchesTypeLocation): (JSC::HighFidelityTypeProfiler::findLocation): (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset): Deleted. (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset): Deleted. (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset): Deleted.
• runtime/HighFidelityTypeProfiler.h: (JSC::QueryKey::QueryKey): (JSC::QueryKey::isHashTableDeletedValue): (JSC::QueryKey::operator==): (JSC::QueryKey::hash): (JSC::QueryKeyHash::hash): (JSC::QueryKeyHash::equal): (JSC::HighFidelityTypeProfiler::functionHasExecutedCache): (JSC::HighFidelityTypeProfiler::typeLocationCache):
• runtime/Structure.cpp: (JSC::Structure::toStructureShape):
• runtime/Structure.h:
• runtime/TypeLocationCache.cpp: Added. (JSC::TypeLocationCache::getTypeLocation):
• runtime/TypeLocationCache.h: Added. (JSC::TypeLocationCache::LocationKey::LocationKey): (JSC::TypeLocationCache::LocationKey::operator==): (JSC::TypeLocationCache::LocationKey::hash):
• runtime/TypeSet.cpp: (JSC::TypeSet::getRuntimeTypeForValue): (JSC::TypeSet::addTypeForValue): (JSC::TypeSet::seenTypes): (JSC::TypeSet::doesTypeConformTo): (JSC::TypeSet::displayName): (JSC::TypeSet::allPrimitiveTypeNames): (JSC::TypeSet::allStructureRepresentations): (JSC::TypeSet::leastCommonAncestor): (JSC::StructureShape::StructureShape): (JSC::StructureShape::addProperty): (JSC::StructureShape::propertyHash): (JSC::StructureShape::leastCommonAncestor): (JSC::StructureShape::stringRepresentation): (JSC::StructureShape::inspectorRepresentation): (JSC::StructureShape::leastUpperBound): Deleted.
• runtime/TypeSet.h: (JSC::StructureShape::setConstructorName): (JSC::StructureShape::constructorName): (JSC::StructureShape::setProto):
• runtime/VM.cpp: (JSC::VM::dumpHighFidelityProfilingTypes): (JSC::VM::getTypesForVariableAtOffset): Deleted. (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
• runtime/VM.h: (JSC::VM::isProfilingTypesWithHighFidelity): (JSC::VM::highFidelityTypeProfiler):

2014-07-23 Filip Pizlo <​[email protected]>

Fix debug build.

• bytecode/CallLinkStatus.h: (JSC::CallLinkStatus::CallLinkStatus):

2014-07-20 Filip Pizlo <​[email protected]>

[ftlopt] Phantoms in SSA form should be aggressively hoisted
​https://bugs.webkit.org/show_bug.cgi?id=135111

Reviewed by Oliver Hunt.

In CPS form, Phantom means three things: (1) that the children should be kept alive so long
as they are relevant to OSR (due to a MovHint), (2) that the children are live-in-bytecode
at the point of the Phantom, and (3) that some checks should be performed. In SSA, the
second meaning is not used but the other two stay.

The fact that a Phantom that is used to keep a node alive could be anywhere in the graph,
even in a totally different basic block, complicates some SSA transformations. It's not
possible to just jettison some successor, since tha successor could have a Phantom that we
care about.

This change rationalizes how Phantoms work so that:

1) Phantoms keep children alive so long as those children are relevant to OSR. This is true

in both CPS and SSA. This was true before and it's true now.

2) Phantoms are used for live-in-bytecode only in CPS. This was true before and it's true

now, except that now we also don't bother preserving the live-in-bytecode information
that Phantoms convey, when we are in SSA.

3) Phantoms may incidentally have checks, but in cases where we only want checks, we now

use Check instead of Phantom. Notably, DCE phase has dead nodes decay to Check, not
Phantom.

The biggest part of this change is that in SSA, we canonicalize Phantoms:

• All Phantoms are replaced with Check nodes that include only those edges that have checks.

• Nodes that were the children of any Phantoms have a Phantom right after them.

For example, the following code:

5: ArithAdd(@1, @2)
6: ArithSub(@5, @3)
7: Phantom(Int32:@5)

would be turned into the following:

5: ArithAdd(@1, @2)
8: Phantom(@5) @5 was the child of a Phantom, so we create a new Phantom right after

@5. This is the only Phantom we will have for @5.

6: ArithSub(@5, @3)
7: Check(Int32:@5) We replace the Phantom with a Check; in this case since Int32: is

a checking edge, we leave it.

This is a slight speed-up across the board, presumably because we now do a better job of
reducing the size of the graph during compilation. It could also be a fluke, though. The
main purpose of this is to unlock some other work (like CFG simplification in SSA). It will
become a requirement to run phantom canonicalization prior to some SSA phases. None of the
current phases need it, but future phases probably will.

• CMakeLists.txt:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.xcodeproj/project.pbxproj:
• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
• dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants):
• dfg/DFGDCEPhase.cpp: (JSC::DFG::DCEPhase::run): (JSC::DFG::DCEPhase::findTypeCheckRoot): (JSC::DFG::DCEPhase::countEdge): (JSC::DFG::DCEPhase::fixupBlock): (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
• dfg/DFGEdge.cpp: (JSC::DFG::Edge::dump):
• dfg/DFGEdge.h: (JSC::DFG::Edge::isProved): (JSC::DFG::Edge::needsCheck): Deleted.
• dfg/DFGNodeFlags.h:
• dfg/DFGPhantomCanonicalizationPhase.cpp: Added. (JSC::DFG::PhantomCanonicalizationPhase::PhantomCanonicalizationPhase): (JSC::DFG::PhantomCanonicalizationPhase::run): (JSC::DFG::performPhantomCanonicalization):
• dfg/DFGPhantomCanonicalizationPhase.h: Added.
• dfg/DFGPhantomRemovalPhase.cpp: (JSC::DFG::PhantomRemovalPhase::run):
• dfg/DFGPhantomRemovalPhase.h:
• dfg/DFGPlan.cpp: (JSC::DFG::Plan::compileInThreadImpl):
• ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::lowJSValue): (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):

2014-07-22 Filip Pizlo <​[email protected]>

[ftlopt] Get rid of structure checks as a way of checking if a function is in fact a function
​https://bugs.webkit.org/show_bug.cgi?id=135146

Reviewed by Oliver Hunt.

This greatly simplifies our closure call optimizations by taking advantage of the type
bits available in the cell header.

• bytecode/CallLinkInfo.cpp: (JSC::CallLinkInfo::visitWeak):
• bytecode/CallLinkStatus.cpp: (JSC::CallLinkStatus::CallLinkStatus): (JSC::CallLinkStatus::computeFor): (JSC::CallLinkStatus::dump):
• bytecode/CallLinkStatus.h: (JSC::CallLinkStatus::CallLinkStatus): (JSC::CallLinkStatus::executable): (JSC::CallLinkStatus::structure): Deleted.
• dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::emitFunctionChecks):
• dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::observeUseKindOnNode):
• dfg/DFGSafeToExecute.h: (JSC::DFG::SafeToExecuteEdge::operator()):
• dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::checkArray): (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering): (JSC::DFG::SpeculativeJIT::speculateCellType): (JSC::DFG::SpeculativeJIT::speculateFunction): (JSC::DFG::SpeculativeJIT::speculateFinalObject): (JSC::DFG::SpeculativeJIT::speculate):
• dfg/DFGSpeculativeJIT.h:
• dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile):
• dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile):
• dfg/DFGUseKind.cpp: (WTF::printInternal):
• dfg/DFGUseKind.h: (JSC::DFG::typeFilterFor): (JSC::DFG::isCell):
• ftl/FTLCapabilities.cpp: (JSC::FTL::canCompile):
• ftl/FTLLowerDFGToLLVM.cpp: (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): (JSC::FTL::LowerDFGToLLVM::speculate): (JSC::FTL::LowerDFGToLLVM::isFunction): (JSC::FTL::LowerDFGToLLVM::isNotFunction): (JSC::FTL::LowerDFGToLLVM::speculateFunction):
• jit/ClosureCallStubRoutine.cpp: (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine): (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
• jit/ClosureCallStubRoutine.h: (JSC::ClosureCallStubRoutine::structure): Deleted.
• jit/JIT.h: (JSC::JIT::compileClosureCall): Deleted.
• jit/JITCall.cpp: (JSC::JIT::privateCompileClosureCall): Deleted.
• jit/JITCall32_64.cpp: (JSC::JIT::privateCompileClosureCall): Deleted.
• jit/JITOperations.cpp:
• jit/Repatch.cpp: (JSC::linkClosureCall):
• jit/Repatch.h:

Source/WebCore:

2014-08-06 Mark Hahnenberg <​[email protected]>

Refactor our current implementation of for-in
​https://bugs.webkit.org/show_bug.cgi?id=134142

Reviewed by Filip Pizlo.

No new tests.

This patch splits for-in loops into three distinct parts:

• Iterating over the indexed properties in the base object.
• Iterating over the Structure properties in the base object.
• Iterating over any other enumerable properties for that object and any objects in the prototype chain.

It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to
support the various operations required for each loop.

• bindings/js/JSDOMWindowCustom.cpp: (WebCore::JSDOMWindow::getEnumerableLength): (WebCore::JSDOMWindow::getStructurePropertyNames): (WebCore::JSDOMWindow::getGenericPropertyNames):
• bindings/scripts/CodeGeneratorJS.pm: (GenerateHeader):
• bridge/runtime_array.cpp: (JSC::RuntimeArray::getOwnPropertyNames):

Source/WebKit2:

2014-08-06 Mark Hahnenberg <​[email protected]>

Refactor our current implementation of for-in
​https://bugs.webkit.org/show_bug.cgi?id=134142

Reviewed by Filip Pizlo.

• WebProcess/Plugins/Netscape/JSNPObject.cpp: (WebKit::JSNPObject::invalidate): Fixed an invalid ASSERT that was crashing in debug builds.

Location:

trunk/Source/JavaScriptCore/dfg

Files:

• DFGAbstractHeap.h (modified) (1 diff)
• DFGAbstractInterpreterInlines.h (modified) (3 diffs)
• DFGByteCodeParser.cpp (modified) (2 diffs)
• DFGCapabilities.cpp (modified) (1 diff)
• DFGClobberize.h (modified) (1 diff)
• DFGConstantFoldingPhase.cpp (modified) (17 diffs)
• DFGDCEPhase.cpp (modified) (8 diffs)
• DFGDoesGC.cpp (modified) (2 diffs)
• DFGEdge.cpp (modified) (2 diffs)
• DFGEdge.h (modified) (1 diff)
• DFGFixupPhase.cpp (modified) (3 diffs)
• DFGGraph.cpp (modified) (3 diffs)
• DFGHeapLocation.cpp (modified) (1 diff)
• DFGHeapLocation.h (modified) (1 diff)
• DFGNode.h (modified) (2 diffs)
• DFGNodeFlags.h (modified) (1 diff)
• DFGNodeType.h (modified) (2 diffs)
• DFGPhantomCanonicalizationPhase.cpp (added)
• DFGPhantomCanonicalizationPhase.h (added)
• DFGPhantomRemovalPhase.cpp (modified) (3 diffs)
• DFGPhantomRemovalPhase.h (modified) (1 diff)
• DFGPlan.cpp (modified) (5 diffs)
• DFGPredictionPropagationPhase.cpp (modified) (2 diffs)
• DFGSSALoweringPhase.cpp (modified) (1 diff)
• DFGSafeToExecute.h (modified) (2 diffs)
• DFGSpeculativeJIT.cpp (modified) (5 diffs)
• DFGSpeculativeJIT.h (modified) (9 diffs)
• DFGSpeculativeJIT32_64.cpp (modified) (5 diffs)
• DFGSpeculativeJIT64.cpp (modified) (5 diffs)
• DFGUseKind.cpp (modified) (1 diff)
• DFGUseKind.h (modified) (3 diffs)

trunk/Source/JavaScriptCore/dfg/DFGAbstractHeap.h

@@ -54 +54 @@
     macro(JSObject_butterfly) \
     macro(JSVariableObject_registers) \
+    macro(JSPropertyNameEnumerator_cachedPropertyNames) \
     macro(NamedProperties) \
     macro(IndexedInt32Properties) \

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -1796 +1796 @@
     }
         
-    case In:
+    case In: {
         // FIXME: We can determine when the property definitely exists based on abstract
         // value information.
@@ -1802 +1802 @@
         forNode(node).setType(SpecBoolean);
         break;
-            
+    }
+            
+    case GetEnumerableLength: {
+        forNode(node).setType(SpecInt32);
+        break;
+    }
+    case HasGenericProperty: {
+        forNode(node).setType(SpecBoolean);
+        break;
+    }
+    case HasStructureProperty: {
+        forNode(node).setType(SpecBoolean);
+        break;
+    }
+    case HasIndexedProperty: {
+        ArrayMode mode = node->arrayMode();
+        switch (mode.type()) {
+        case Array::Int32:
+        case Array::Double:
+        case Array::Contiguous:
+        case Array::ArrayStorage: {
+            break;
+        }
+        default: {
+            clobberWorld(node->origin.semantic, clobberLimit);
+            break;
+        }
+        }
+        forNode(node).setType(SpecBoolean);
+        break;
+    }
+    case GetDirectPname: {
+        clobberWorld(node->origin.semantic, clobberLimit);
+        forNode(node).makeHeapTop();
+        break;
+    }
+    case GetStructurePropertyEnumerator: {
+        forNode(node).setType(SpecCell);
+        break;
+    }
+    case GetGenericPropertyEnumerator: {
+        forNode(node).setType(SpecCell);
+        break;
+    }
+    case GetEnumeratorPname: {
+        forNode(node).setType(SpecString | SpecOther);
+        break;
+    }
+    case ToIndexString: {
+        forNode(node).setType(SpecString);
+        break;
+    }
+
     case GetGlobalVar:
         forNode(node).makeHeapTop();
@@ -1867 +1919 @@
     case Phantom:
     case HardPhantom:
-    case Check:
     case CountExecution:
     case CheckTierUpInLoop:
     case CheckTierUpAtReturn:
         break;
+
+    case Check: {
+        // Simplify out checks that don't actually do checking.
+        for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
+            Edge edge = node->children.child(i);
+            if (!edge)
+                break;
+            if (edge.isProved() || edge.willNotHaveCheck()) {
+                m_state.setFoundConstants(true);
+                break;
+            }
+        }
+        break;
+    }
 
     case StoreBarrier: {

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -1108 +1108 @@
         addToGraph(CheckFunction, OpInfo(m_graph.freeze(function)), callTarget, thisArgument);
     else {
-        ASSERT(callLinkStatus.structure());
         ASSERT(callLinkStatus.executable());
         
-        addToGraph(CheckStructure, OpInfo(m_graph.addStructureSet(callLinkStatus.structure())), callTarget);
         addToGraph(CheckExecutable, OpInfo(callLinkStatus.executable()), callTarget, thisArgument);
     }
@@ -3209 +3207 @@
         }
 
+        case op_get_enumerable_length: {
+            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(GetEnumerableLength, 
+                get(VirtualRegister(currentInstruction[2].u.operand))));
+            NEXT_OPCODE(op_get_enumerable_length);
+        }
+
+        case op_has_generic_property: {
+            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(HasGenericProperty, 
+                get(VirtualRegister(currentInstruction[2].u.operand)),
+                get(VirtualRegister(currentInstruction[3].u.operand))));
+            NEXT_OPCODE(op_has_generic_property);
+        }
+
+        case op_has_structure_property: {
+            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(HasStructureProperty, 
+                get(VirtualRegister(currentInstruction[2].u.operand)),
+                get(VirtualRegister(currentInstruction[3].u.operand)),
+                get(VirtualRegister(currentInstruction[4].u.operand))));
+            NEXT_OPCODE(op_has_structure_property);
+        }
+
+        case op_has_indexed_property: {
+            Node* base = get(VirtualRegister(currentInstruction[2].u.operand));
+            ArrayMode arrayMode = getArrayModeConsideringSlowPath(currentInstruction[4].u.arrayProfile, Array::Read);
+            Node* property = get(VirtualRegister(currentInstruction[3].u.operand));
+            Node* hasIterableProperty = addToGraph(HasIndexedProperty, OpInfo(arrayMode.asWord()), base, property);
+            set(VirtualRegister(currentInstruction[1].u.operand), hasIterableProperty);
+            NEXT_OPCODE(op_has_indexed_property);
+        }
+
+        case op_get_direct_pname: {
+            SpeculatedType prediction = getPredictionWithoutOSRExit();
+            
+            Node* base = get(VirtualRegister(currentInstruction[2].u.operand));
+            Node* property = get(VirtualRegister(currentInstruction[3].u.operand));
+            Node* index = get(VirtualRegister(currentInstruction[4].u.operand));
+            Node* enumerator = get(VirtualRegister(currentInstruction[5].u.operand));
+
+            addVarArgChild(base);
+            addVarArgChild(property);
+            addVarArgChild(index);
+            addVarArgChild(enumerator);
+            set(VirtualRegister(currentInstruction[1].u.operand), 
+                addToGraph(Node::VarArg, GetDirectPname, OpInfo(0), OpInfo(prediction)));
+
+            NEXT_OPCODE(op_get_direct_pname);
+        }
+
+        case op_get_structure_property_enumerator: {
+            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(GetStructurePropertyEnumerator, 
+                get(VirtualRegister(currentInstruction[2].u.operand)),
+                get(VirtualRegister(currentInstruction[3].u.operand))));
+            NEXT_OPCODE(op_get_structure_property_enumerator);
+        }
+
+        case op_get_generic_property_enumerator: {
+            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(GetGenericPropertyEnumerator, 
+                get(VirtualRegister(currentInstruction[2].u.operand)),
+                get(VirtualRegister(currentInstruction[3].u.operand)),
+                get(VirtualRegister(currentInstruction[4].u.operand))));
+            NEXT_OPCODE(op_get_generic_property_enumerator);
+        }
+
+        case op_next_enumerator_pname: {
+            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(GetEnumeratorPname, 
+                get(VirtualRegister(currentInstruction[2].u.operand)),
+                get(VirtualRegister(currentInstruction[3].u.operand))));
+            NEXT_OPCODE(op_next_enumerator_pname);
+        }
+
+        case op_to_index_string: {
+            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(ToIndexString, 
+                get(VirtualRegister(currentInstruction[2].u.operand))));
+            NEXT_OPCODE(op_to_index_string);
+        }
+
         default:
             // Parse failed! This should not happen because the capabilities checker

trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp

@@ -194 +194 @@
     case op_in:
     case op_get_from_scope:
+    case op_get_enumerable_length:
+    case op_has_generic_property:
+    case op_has_structure_property:
+    case op_has_indexed_property:
+    case op_get_direct_pname:
+    case op_get_structure_property_enumerator:
+    case op_get_generic_property_enumerator:
+    case op_next_enumerator_pname:
+    case op_to_index_string:
         return CanCompileAndInline;
 

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -148 +148 @@
         return;
         
+    case HasGenericProperty:
+    case HasStructureProperty:
+    case GetEnumerableLength:
+    case GetStructurePropertyEnumerator:
+    case GetGenericPropertyEnumerator: {
+        read(World);
+        write(SideState);
+        return;
+    }
+
+    case GetDirectPname: {
+        // This reads and writes world because it can end up calling a generic getByVal 
+        // if the Structure changed, which could in turn end up calling a getter.
+        read(World);
+        write(World);
+        return;
+    }
+
+    case ToIndexString:
+    case GetEnumeratorPname: {
+        def(PureValue(node));
+        return;
+    }
+
+    case HasIndexedProperty: {
+        read(JSObject_butterfly);
+        ArrayMode mode = node->arrayMode();
+        switch (mode.type()) {
+        case Array::Int32: {
+            if (mode.isInBounds()) {
+                read(Butterfly_publicLength);
+                read(IndexedInt32Properties);
+                def(HeapLocation(HasIndexedPropertyLoc, IndexedInt32Properties, node->child1(), node->child2()), node);
+                return;
+            }
+            read(World);
+            return;
+        }
+            
+        case Array::Double: {
+            if (mode.isInBounds()) {
+                read(Butterfly_publicLength);
+                read(IndexedDoubleProperties);
+                def(HeapLocation(HasIndexedPropertyLoc, IndexedDoubleProperties, node->child1(), node->child2()), node);
+                return;
+            }
+            read(World);
+            return;
+        }
+            
+        case Array::Contiguous: {
+            if (mode.isInBounds()) {
+                read(Butterfly_publicLength);
+                read(IndexedContiguousProperties);
+                def(HeapLocation(HasIndexedPropertyLoc, IndexedContiguousProperties, node->child1(), node->child2()), node);
+                return;
+            }
+            read(World);
+            return;
+        }
+
+        case Array::ArrayStorage: {
+            if (mode.isInBounds()) {
+                read(Butterfly_vectorLength);
+                read(IndexedArrayStorageProperties);
+                return;
+            }
+            read(World);
+            return;
+        }
+
+        default: {
+            read(World);
+            write(World);
+            return;
+        }
+        }
+        RELEASE_ASSERT_NOT_REACHED();
+        return;
+    }
+
     case ArithAdd:
     case ArithSub:

trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

@@ -87 +87 @@
             Node* node = block->at(indexInBlock);
 
+            bool alreadyHandled = false;
             bool eliminated = false;
                     
@@ -174 +175 @@
                 
                 m_interpreter.execute(indexInBlock); // Push CFA over this node after we get the state before.
-                eliminated = true; // Don't allow the default constant folder to do things to this.
+                alreadyHandled = true; // Don't allow the default constant folder to do things to this.
                 
                 for (unsigned i = 0; i < data.variants.size(); ++i) {
@@ -182 +183 @@
                         data.variants[i--] = data.variants.last();
                         data.variants.removeLast();
+                        changed = true;
                     }
                 }
@@ -190 +192 @@
                 emitGetByOffset(
                     indexInBlock, node, baseValue, data.variants[0], data.identifierNumber);
+                changed = true;
                 break;
             }
@@ -201 +204 @@
 
                 m_interpreter.execute(indexInBlock); // Push CFA over this node after we get the state before.
-                eliminated = true; // Don't allow the default constant folder to do things to this.
+                alreadyHandled = true; // Don't allow the default constant folder to do things to this.
                 
 
@@ -211 +214 @@
                         data.variants[i--] = data.variants.last();
                         data.variants.removeLast();
+                        changed = true;
                         continue;
                     }
@@ -219 +223 @@
                             variant.oldStructure(),
                             variant.offset());
+                        changed = true;
                     }
                 }
@@ -227 +232 @@
                 emitPutByOffset(
                     indexInBlock, node, baseValue, data.variants[0], data.identifierNumber);
+                changed = true;
                 break;
             }
@@ -239 +245 @@
 
                 m_interpreter.execute(indexInBlock); // Push CFA over this node after we get the state before.
-                eliminated = true; // Don't allow the default constant folder to do things to this.
+                alreadyHandled = true; // Don't allow the default constant folder to do things to this.
 
                 if (baseValue.m_structure.isTop() || baseValue.m_structure.isClobbered()
@@ -261 +267 @@
                 if (status.numVariants() == 1) {
                     emitGetByOffset(indexInBlock, node, baseValue, status[0], identifierNumber);
+                    changed = true;
                     break;
                 }
@@ -271 +278 @@
                 data->identifierNumber = identifierNumber;
                 node->convertToMultiGetByOffset(data);
+                changed = true;
                 break;
             }
@@ -287 +295 @@
 
                 m_interpreter.execute(indexInBlock); // Push CFA over this node after we get the state before.
-                eliminated = true; // Don't allow the default constant folder to do things to this.
+                alreadyHandled = true; // Don't allow the default constant folder to do things to this.
 
                 if (baseValue.m_structure.isTop() || baseValue.m_structure.isClobbered())
@@ -302 +310 @@
                     break;
                 
+                ASSERT(status.numVariants());
+                
+                if (status.numVariants() > 1 && !isFTL(m_graph.m_plan.mode))
+                    break;
+                
+                changed = true;
+                
                 for (unsigned i = status.numVariants(); i--;)
                     addChecks(origin, indexInBlock, status[i].constantChecks());
@@ -310 +325 @@
                 }
                 
-                if (!isFTL(m_graph.m_plan.mode))
-                    break;
+                ASSERT(isFTL(m_graph.m_plan.mode));
 
                 MultiPutByOffsetData* data = m_graph.m_multiPutByOffsetData.add();
@@ -325 +339 @@
                 
                 node->convertToIdentity();
+                changed = true;
                 break;
             }
@@ -355 +370 @@
                 break;
             }
+                
+            case Check: {
+                alreadyHandled = true;
+                m_interpreter.execute(indexInBlock);
+                for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
+                    Edge edge = node->children.child(i);
+                    if (!edge)
+                        break;
+                    if (edge.isProved() || edge.willNotHaveCheck()) {
+                        node->children.removeEdge(i--);
+                        changed = true;
+                    }
+                }
+                break;
+            }
 
             default:
                 break;
             }
-                
+            
             if (eliminated) {
                 changed = true;
@@ -365 +395 @@
             }
                 
+            if (alreadyHandled)
+                continue;
+            
             m_interpreter.execute(indexInBlock);
             if (!m_state.isValid()) {

trunk/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp

@@ -50 +50 @@
         
         // First reset the counts to 0 for all nodes.
+        //
+        // Also take this opportunity to pretend that Check nodes are not NodeMustGenerate. Check
+        // nodes are MustGenerate because they are executed for effect, but they follow the same
+        // DCE rules as nodes that aren't MustGenerate: they only contribute to the ref count of
+        // their children if the edges require checks. Non-checking edges are removed. Note that
+        // for any Checks left over, this phase will turn them back into NodeMustGenerate.
         for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex) {
             BasicBlock* block = m_graph.block(blockIndex);
             if (!block)
                 continue;
-            for (unsigned indexInBlock = block->size(); indexInBlock--;)
-                block->at(indexInBlock)->setRefCount(0);
+            for (unsigned indexInBlock = block->size(); indexInBlock--;) {
+                Node* node = block->at(indexInBlock);
+                if (node->op() == Check)
+                    node->clearFlags(NodeMustGenerate);
+                node->setRefCount(0);
+            }
             for (unsigned phiIndex = block->phis.size(); phiIndex--;)
                 block->phis[phiIndex]->setRefCount(0);
@@ -120 +130 @@
         }
         
+        // Just do a basic HardPhantom/Phantom/Check clean-up.
+        for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
+            BasicBlock* block = m_graph.block(blockIndex);
+            if (!block)
+                continue;
+            unsigned sourceIndex = 0;
+            unsigned targetIndex = 0;
+            while (sourceIndex < block->size()) {
+                Node* node = block->at(sourceIndex++);
+                switch (node->op()) {
+                case Check:
+                case HardPhantom:
+                case Phantom:
+                    if (node->children.isEmpty())
+                        continue;
+                    break;
+                default:
+                    break;
+                }
+                block->at(targetIndex++) = node;
+            }
+            block->resize(targetIndex);
+        }
+        
         m_graph.m_refCountState = ExactRefCount;
         
@@ -130 +164 @@
         // We may have an "unproved" untyped use for code that is unreachable. The CFA
         // will just not have gotten around to it.
-        if (edge.willNotHaveCheck())
+        if (edge.isProved() || edge.willNotHaveCheck())
             return;
         if (!edge->postfixRef())
@@ -146 +180 @@
     {
         // Don't count edges that are already counted for their type checks.
-        if (edge.willHaveCheck())
+        if (!(edge.isProved() || edge.willNotHaveCheck()))
             return;
         countNode(edge.node());
@@ -215 +249 @@
                         Edge edge = m_graph.m_varArgChildren[childIdx];
 
-                        if (!edge || edge.willNotHaveCheck())
+                        if (!edge || edge.isProved() || edge.willNotHaveCheck())
                             continue;
 
-                        m_insertionSet.insertNode(indexInBlock, SpecNone, Phantom, node->origin, edge);
+                        m_insertionSet.insertNode(indexInBlock, SpecNone, Check, node->origin, edge);
                     }
 
@@ -227 +261 @@
                 }
 
-                node->convertToPhantom();
-                eliminateIrrelevantPhantomChildren(node);
+                node->convertToCheck();
+                for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
+                    Edge edge = node->children.child(i);
+                    if (!edge)
+                        continue;
+                    if (edge.isProved() || edge.willNotHaveCheck())
+                        node->children.removeEdge(i--);
+                }
                 node->setRefCount(1);
                 break;
@@ -237 +277 @@
     }
     
-    void eliminateIrrelevantPhantomChildren(Node* node)
-    {
-        for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
-            Edge edge = node->children.child(i);
-            if (!edge)
-                continue;
-            if (edge.willNotHaveCheck())
-                node->children.removeEdge(i--);
-        }
-    }
-    
     template<typename VariablesVectorType>
     void cleanVariables(VariablesVectorType& variables)
@@ -255 +284 @@
             if (!node)
                 continue;
-            if (node->op() != Phantom && node->shouldGenerate())
+            if (node->op() != Phantom && node->op() != Check && node->shouldGenerate())
                 continue;
             if (node->op() == GetLocal) {

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -190 +190 @@
     case GetGetterSetterByOffset:
     case PutByOffset:
+    case GetEnumerableLength:
+    case HasGenericProperty:
+    case HasStructureProperty:
+    case HasIndexedProperty:
+    case GetDirectPname:
     case FiatInt52:
     case BooleanToNumber:
@@ -214 +219 @@
     case NewTypedArray:
     case ThrowReferenceError:
+    case GetStructurePropertyEnumerator:
+    case GetGenericPropertyEnumerator:
+    case GetEnumeratorPname:
+    case ToIndexString:
         return true;
         

trunk/Source/JavaScriptCore/dfg/DFGEdge.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -37 +37 @@
 {
     if (useKindUnchecked() != UntypedUse) {
-        if (needsCheck())
+        if (!isProved())
             out.print("Check:");
         out.print(useKind(), ":");

trunk/Source/JavaScriptCore/dfg/DFGEdge.h

@@ -116 +116 @@
         return proofStatus() == IsProved;
     }
-    bool needsCheck() const
-    {
-        return proofStatus() == NeedsCheck;
-    }
     
     bool willNotHaveCheck() const

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -899 +899 @@
         }
 
-        case CheckExecutable:
+        case CheckExecutable: {
+            fixEdge<FunctionUse>(node->child1());
+            break;
+        }
+            
         case CheckStructure:
         case CheckFunction:
@@ -1041 +1045 @@
             }
             break;
+
+        case GetEnumerableLength: {
+            fixEdge<CellUse>(node->child1());
+            break;
+        }
+        case HasGenericProperty: {
+            fixEdge<StringUse>(node->child2());
+            break;
+        }
+        case HasStructureProperty: {
+            fixEdge<StringUse>(node->child2());
+            fixEdge<KnownCellUse>(node->child3());
+            break;
+        }
+        case HasIndexedProperty: {
+            node->setArrayMode(
+                node->arrayMode().refine(
+                    m_graph, node,
+                    node->child1()->prediction(),
+                    node->child2()->prediction(),
+                    SpecNone, node->flags()));
+            
+            blessArrayOperation(node->child1(), node->child2(), node->child3());
+            fixEdge<CellUse>(node->child1());
+            fixEdge<KnownInt32Use>(node->child2());
+            break;
+        }
+        case GetDirectPname: {
+            Edge& base = m_graph.varArgChild(node, 0);
+            Edge& property = m_graph.varArgChild(node, 1);
+            Edge& index = m_graph.varArgChild(node, 2);
+            Edge& enumerator = m_graph.varArgChild(node, 3);
+            fixEdge<CellUse>(base);
+            fixEdge<KnownCellUse>(property);
+            fixEdge<KnownInt32Use>(index);
+            fixEdge<KnownCellUse>(enumerator);
+            break;
+        }
+        case GetStructurePropertyEnumerator: {
+            fixEdge<CellUse>(node->child1());
+            fixEdge<KnownInt32Use>(node->child2());
+            break;
+        }
+        case GetGenericPropertyEnumerator: {
+            fixEdge<CellUse>(node->child1());
+            fixEdge<KnownInt32Use>(node->child2());
+            fixEdge<KnownCellUse>(node->child3());
+            break;
+        }
+        case GetEnumeratorPname: {
+            fixEdge<KnownCellUse>(node->child1());
+            fixEdge<KnownInt32Use>(node->child2());
+            break;
+        }
+        case ToIndexString: {
+            fixEdge<KnownInt32Use>(node->child1());
+            break;
+        }
             
 #if !ASSERT_DISABLED
@@ -1544 +1606 @@
         case KnownCellUse:
         case ObjectUse:
+        case FunctionUse:
         case StringUse:
         case KnownStringUse:

trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp

@@ -158 +158 @@
 
     unsigned refCount = node->refCount();
-    bool skipped = !refCount;
     bool mustGenerate = node->mustGenerate();
     if (mustGenerate)
@@ -182 +181 @@
     //         id#  - the index in the CodeBlock of an identifier { if codeBlock is passed to dump(), the string representation is displayed }.
     //         var# - the index of a var on the global object, used by GetGlobalVar/PutGlobalVar operations.
-    out.printf("% 4d:%s<%c%u:", (int)node->index(), skipped ? "  skipped  " : "           ", mustGenerate ? '!' : ' ', refCount);
-    if (node->hasResult() && !skipped && node->hasVirtualRegister())
+    out.printf("% 4d:<%c%u:", (int)node->index(), mustGenerate ? '!' : ' ', refCount);
+    if (node->hasResult() && node->hasVirtualRegister() && node->virtualRegister().isValid())
         out.print(node->virtualRegister());
     else
@@ -353 +352 @@
     out.print(")");
 
-    if (!skipped) {
-        if (node->hasVariableAccessData(*this) && node->tryGetVariableAccessData())
-            out.print("  predicting ", SpeculationDump(node->tryGetVariableAccessData()->prediction()));
-        else if (node->hasHeapPrediction())
-            out.print("  predicting ", SpeculationDump(node->getHeapPrediction()));
-    }
+    if (node->hasVariableAccessData(*this) && node->tryGetVariableAccessData())
+        out.print("  predicting ", SpeculationDump(node->tryGetVariableAccessData()->prediction()));
+    else if (node->hasHeapPrediction())
+        out.print("  predicting ", SpeculationDump(node->getHeapPrediction()));
     
     out.print("\n");

trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp

@@ -109 +109 @@
         return;
         
+    case HasIndexedPropertyLoc:
+        out.print("HasIndexedPorpertyLoc");
+        return;
+        
     case IndexedPropertyLoc:
         out.print("IndexedPorpertyLoc");

trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h

@@ -45 +45 @@
     GetterLoc,
     GlobalVariableLoc,
+    HasIndexedPropertyLoc,
     IndexedPropertyLoc,
     IndexedPropertyStorageLoc,

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -1002 +1002 @@
     {
         switch (op()) {
+        case GetDirectPname:
         case GetById:
         case GetByIdFlush:
@@ -1268 +1269 @@
         case ArrayPush:
         case ArrayPop:
+        case HasIndexedProperty:
             return true;
         default:

trunk/Source/JavaScriptCore/dfg/DFGNodeFlags.h

@@ -70 +70 @@
 
 #define NodeIsFlushed                   0x20000 // Used by Graph::computeIsFlushed(), will tell you which local nodes are backwards-reachable from a Flush.
+
+#define NodeMiscFlag1                   0x40000
+#define NodeMiscFlag2                   0x80000
 
 typedef uint32_t NodeFlags;

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -62 +62 @@
     macro(Phantom, NodeMustGenerate) \
     macro(HardPhantom, NodeMustGenerate) /* Like Phantom, but we never remove any of its children. */ \
-    macro(Check, 0) /* Used if we want just a type check but not liveness. DCE eithers kills this or converts it to Phantom. */\
+    macro(Check, NodeMustGenerate) /* Used if we want just a type check but not liveness. Non-checking uses will be removed. */\
     macro(Upsilon, NodeRelevantToOSR) \
     macro(Phi, NodeRelevantToOSR) \
@@ -294 +294 @@
     macro(StoreBarrier, NodeMustGenerate) \
     macro(StoreBarrierWithNullCheck, NodeMustGenerate) \
+    \
+    /* For-in enumeration opcodes */\
+    macro(GetEnumerableLength, NodeMustGenerate | NodeResultJS) \
+    macro(HasIndexedProperty, NodeResultBoolean) \
+    macro(HasStructureProperty, NodeResultBoolean) \
+    macro(HasGenericProperty, NodeResultBoolean) \
+    macro(GetDirectPname, NodeMustGenerate | NodeHasVarArgs | NodeResultJS) \
+    macro(GetStructurePropertyEnumerator, NodeMustGenerate | NodeResultJS) \
+    macro(GetGenericPropertyEnumerator, NodeMustGenerate | NodeResultJS) \
+    macro(GetEnumeratorPname, NodeMustGenerate | NodeResultJS) \
+    macro(ToIndexString, NodeResultJS)
 
 // This enum generates a monotonically increasing id for all Node types,

trunk/Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.cpp

@@ -97 +97 @@
             while (sourceIndex < block->size()) {
                 Node* node = block->at(sourceIndex++);
-                if (node->op() == Phantom) {
+                switch (node->op()) {
+                case Phantom: {
                     if (lastNode && (lastNode->origin.forExit != node->origin.forExit || (lastNode->flags() & NodeHasVarArgs)))
                         lastNode = nullptr;
@@ -104 +105 @@
                         if (!edge)
                             break;
-                        if (edge.useKind() != UntypedUse)
+                        if (edge.willHaveCheck())
                             continue; // Keep the type check.
                         if (edge->flags() & NodeRelevantToOSR) {
@@ -124 +125 @@
                     }
                     
+                    if (node->children.isEmpty()) {
+                        changed = true;
+                        continue;
+                    }
+                    break;
+                }
+                    
+                case Check: {
+                    for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
+                        Edge edge = node->children.child(i);
+                        if (!edge)
+                            break;
+                        if (edge.willHaveCheck())
+                            continue;
+                        node->children.removeEdge(i--);
+                        changed = true;
+                    }
+                    if (node->children.isEmpty()) {
+                        changed = true;
+                        continue;
+                    }
+                    break;
+                }
+                    
+                case HardPhantom: {
                     if (node->children.isEmpty())
                         continue;
+                    break;
+                }
+                    
+                default:
+                    break;
                 }
                 lastNode = node;

trunk/Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.h

@@ -35 +35 @@
 // Cleans up unnecessary Phantoms and Phanton children. This reduces live ranges, but also, it
 // eliminates many Phantoms entirely. This invalidates liveness analysis.
+//
+// This should work over all IR forms; however, in SSA form it's better to run
+// PhantomCanonicalizationPhase since it's more powerful.
 
 bool performPhantomRemoval(Graph&);

trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp

@@ -50 +50 @@
 #include "DFGOSRAvailabilityAnalysisPhase.h"
 #include "DFGOSREntrypointCreationPhase.h"
+#include "DFGPhantomCanonicalizationPhase.h"
 #include "DFGPhantomRemovalPhase.h"
 #include "DFGPredictionInjectionPhase.h"
@@ -312 +313 @@
         }
         
-        performPhantomRemoval(dfg);
+        performPhantomRemoval(dfg); // Reduce the graph size a bit.
         performCriticalEdgeBreaking(dfg);
         performLoopPreHeaderCreation(dfg);
@@ -322 +323 @@
         performCFA(dfg);
         performConstantFolding(dfg);
+        performPhantomCanonicalization(dfg); // Reduce the graph size a lot.
         if (performStrengthReduction(dfg)) {
             // State-at-tail and state-at-head will be invalid if we did strength reduction since
@@ -329 +331 @@
         }
         performLICM(dfg);
-        performPhantomRemoval(dfg);
+        performPhantomCanonicalization(dfg);
         performIntegerCheckCombining(dfg);
         performGlobalCSE(dfg);
@@ -338 +340 @@
         
         performStoreBarrierElision(dfg);
-        performPhantomRemoval(dfg);
+        performPhantomCanonicalization(dfg);
         performLivenessAnalysis(dfg);
         performCFA(dfg);

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -186 +186 @@
         case GetByOffset:
         case MultiGetByOffset:
+        case GetDirectPname:
         case Call:
         case Construct:
@@ -584 +585 @@
             changed |= setPrediction(SpecBoolean);
             break;
+
+        case GetEnumerableLength: {
+            changed |= setPrediction(SpecInt32);
+            break;
+        }
+        case HasGenericProperty: {
+            changed |= setPrediction(SpecBoolean);
+            break;
+        }
+        case HasStructureProperty: {
+            changed |= setPrediction(SpecBoolean);
+            break;
+        }
+        case HasIndexedProperty: {
+            changed |= setPrediction(SpecBoolean);
+            break;
+        }
+        case GetStructurePropertyEnumerator: {
+            changed |= setPrediction(SpecCell);
+            break;
+        }
+        case GetGenericPropertyEnumerator: {
+            changed |= setPrediction(SpecCell);
+            break;
+        }
+        case GetEnumeratorPname: {
+            changed |= setPrediction(SpecCell | SpecOther);
+            break;
+        }
+        case ToIndexString: {
+            changed |= setPrediction(SpecString);
+            break;
+        }
 
 #ifndef NDEBUG

trunk/Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp

@@ -70 +70 @@
         switch (m_node->op()) {
         case GetByVal:
+        case HasIndexedProperty:
             lowerBoundsCheck(m_node->child1(), m_node->child2(), m_node->child3());
             break;

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -54 +54 @@
         case CellUse:
         case ObjectUse:
+        case FunctionUse:
         case FinalObjectUse:
         case ObjectOrOtherUse:
@@ -259 +260 @@
     case GetGetter:
     case GetSetter:
+    case GetEnumerableLength:
+    case HasGenericProperty:
+    case HasStructureProperty:
+    case HasIndexedProperty:
+    case GetDirectPname:
+    case GetStructurePropertyEnumerator:
+    case GetGenericPropertyEnumerator:
+    case GetEnumeratorPname:
+    case ToIndexString:
         return true;
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -713 +713 @@
     }
     case Array::Arguments:
-        speculationCheck(BadType, JSValueSource::unboxedCell(baseReg), node,
-            m_jit.branch8(
-                MacroAssembler::NotEqual,
-                MacroAssembler::Address(baseReg, JSCell::typeInfoTypeOffset()),
-                MacroAssembler::TrustedImm32(ArgumentsType)));
+        speculateCellTypeWithoutTypeFiltering(node->child1(), baseReg, ArgumentsType);
 
         noResult(m_currentNode);
         return;
     default:
-        speculationCheck(BadType, JSValueSource::unboxedCell(baseReg), node,
-            m_jit.branch8(
-                MacroAssembler::NotEqual,
-                MacroAssembler::Address(baseReg, JSCell::typeInfoTypeOffset()),
-                MacroAssembler::TrustedImm32(typeForTypedArrayType(node->arrayMode().typedArrayType()))));
+        speculateCellTypeWithoutTypeFiltering(
+            node->child1(), baseReg,
+            typeForTypedArrayType(node->arrayMode().typedArrayType()));
         noResult(m_currentNode);
         return;
@@ -4509 +4503 @@
 }
 
+void SpeculativeJIT::speculateCellTypeWithoutTypeFiltering(
+    Edge edge, GPRReg cellGPR, JSType jsType)
+{
+    speculationCheck(
+        BadType, JSValueSource::unboxedCell(cellGPR), edge,
+        m_jit.branch8(
+            MacroAssembler::NotEqual,
+            MacroAssembler::Address(cellGPR, JSCell::typeInfoTypeOffset()),
+            MacroAssembler::TrustedImm32(jsType)));
+}
+
+void SpeculativeJIT::speculateCellType(
+    Edge edge, GPRReg cellGPR, SpeculatedType specType, JSType jsType)
+{
+    DFG_TYPE_CHECK(
+        JSValueSource::unboxedCell(cellGPR), edge, specType,
+        m_jit.branch8(
+            MacroAssembler::NotEqual,
+            MacroAssembler::Address(cellGPR, JSCell::typeInfoTypeOffset()),
+            TrustedImm32(jsType)));
+}
+
 void SpeculativeJIT::speculateInt32(Edge edge)
 {
@@ -4582 +4598 @@
 }
 
+void SpeculativeJIT::speculateFunction(Edge edge)
+{
+    if (!needsTypeCheck(edge, SpecFunction))
+        return;
+    
+    SpeculateCellOperand operand(this, edge);
+    speculateCellType(edge, operand.gpr(), SpecFunction, JSFunctionType);
+}
+
 void SpeculativeJIT::speculateFinalObject(Edge edge)
 {
@@ -4588 +4613 @@
     
     SpeculateCellOperand operand(this, edge);
-    GPRReg gpr = operand.gpr();
-    DFG_TYPE_CHECK(
-        JSValueSource::unboxedCell(gpr), edge, SpecFinalObject, m_jit.branch8(
-            MacroAssembler::NotEqual,
-            MacroAssembler::Address(gpr, JSCell::typeInfoTypeOffset()),
-            TrustedImm32(FinalObjectType)));
+    speculateCellType(edge, operand.gpr(), SpecFinalObject, FinalObjectType);
 }
 
@@ -4836 +4856 @@
     case ObjectUse:
         speculateObject(edge);
+        break;
+    case FunctionUse:
+        speculateFunction(edge);
         break;
     case FinalObjectUse:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1035 +1035 @@
         return appendCallWithExceptionCheckSetResult(operation, result);
     }
+    JITCompiler::Call callOperation(C_JITOperation_ECZ operation, GPRReg result, GPRReg arg1, GPRReg arg2)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, arg2);
+        return appendCallWithExceptionCheckSetResult(operation, result);
+    }
+    JITCompiler::Call callOperation(C_JITOperation_ECZC operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
+        return appendCallWithExceptionCheckSetResult(operation, result);
+    }
     JITCompiler::Call callOperation(C_JITOperation_ECC operation, GPRReg result, GPRReg arg1, JSCell* cell)
     {
@@ -1132 +1142 @@
         m_jit.setupArgumentsExecState();
         return appendCallWithCallFrameRollbackOnExceptionSetResult(operation, result);
+    }
+    JITCompiler::Call callOperation(Z_JITOperation_EC operation, GPRReg result, GPRReg arg1)
+    {
+        m_jit.setupArgumentsWithExecState(arg1);
+        return appendCallWithExceptionCheckSetResult(operation, result);
     }
 
@@ -1259 +1274 @@
         return appendCallWithExceptionCheckSetResult(operation, result);
     }
+    JITCompiler::Call callOperation(J_JITOperation_ECZ operation, GPRReg result, GPRReg arg1, GPRReg arg2)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, arg2);
+        return appendCallWithExceptionCheckSetResult(operation, result);
+    }
     JITCompiler::Call callOperation(J_JITOperation_ESsiCI operation, GPRReg result, StructureStubInfo* stubInfo, GPRReg arg1, const StringImpl* uid)
     {
@@ -1270 +1290 @@
     }
     JITCompiler::Call callOperation(J_JITOperation_EDA operation, GPRReg result, FPRReg arg1, GPRReg arg2)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, arg2);
+        return appendCallWithExceptionCheckSetResult(operation, result);
+    }
+    JITCompiler::Call callOperation(J_JITOperation_EJC operation, GPRReg result, GPRReg arg1, GPRReg arg2)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, arg2);
+        return appendCallWithExceptionCheckSetResult(operation, result);
+    }
+    JITCompiler::Call callOperation(J_JITOperation_EJZ operation, GPRReg result, GPRReg arg1, GPRReg arg2)
     {
         m_jit.setupArgumentsWithExecState(arg1, arg2);
@@ -1320 +1350 @@
     {
         m_jit.setupArgumentsWithExecState(arg1);
+        return appendCallWithExceptionCheckSetResult(operation, result);
+    }
+    JITCompiler::Call callOperation(C_JITOperation_EJJC operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
+        return appendCallWithExceptionCheckSetResult(operation, result);
+    }
+    JITCompiler::Call callOperation(C_JITOperation_EJZ operation, GPRReg result, GPRReg arg1, GPRReg arg2)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, arg2);
+        return appendCallWithExceptionCheckSetResult(operation, result);
+    }
+    JITCompiler::Call callOperation(C_JITOperation_EJZC operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
         return appendCallWithExceptionCheckSetResult(operation, result);
     }
@@ -1495 +1540 @@
         return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
     }
+    JITCompiler::Call callOperation(J_JITOperation_EJ operation, GPRReg resultPayload, GPRReg resultTag, GPRReg arg1)
+    {
+        m_jit.setupArgumentsWithExecState(arg1);
+        return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
+    }
+    JITCompiler::Call callOperation(J_JITOperation_EJC operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1Tag, GPRReg arg1Payload, GPRReg arg2)
+    {
+        m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, arg2);
+        return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
+    }
     JITCompiler::Call callOperation(J_JITOperation_EJssZ operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1, GPRReg arg2)
     {
@@ -1524 +1579 @@
     {
         m_jit.setupArgumentsWithExecState(TrustedImmPtr(cell));
+        return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
+    }
+    JITCompiler::Call callOperation(J_JITOperation_ECZ operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1, GPRReg arg2)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, arg2);
         return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
     }
@@ -2212 +2272 @@
     void typeCheck(JSValueSource, Edge, SpeculatedType typesPassedThrough, MacroAssembler::Jump jumpToFail);
     
+    void speculateCellTypeWithoutTypeFiltering(Edge, GPRReg cellGPR, JSType);
+    void speculateCellType(Edge, GPRReg cellGPR, SpeculatedType, JSType);
+    
     void speculateInt32(Edge);
 #if USE(JSVALUE64)
@@ -2223 +2286 @@
     void speculateCell(Edge);
     void speculateObject(Edge);
+    void speculateFunction(Edge);
     void speculateFinalObject(Edge);
     void speculateObjectOrOther(Edge);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -38 +38 @@
 #include "GetterSetter.h"
 #include "JSActivation.h"
+#include "JSPropertyNameEnumerator.h"
 #include "ObjectPrototype.h"
 #include "JSCInlines.h"
@@ -1785 +1786 @@
 
     case MovHint:
-    case ZombieHint:
-    case Check: {
+    case ZombieHint: {
         RELEASE_ASSERT_NOT_REACHED();
         break;
@@ -3701 +3701 @@
     case CheckExecutable: {
         SpeculateCellOperand function(this, node->child1());
+        speculateCellType(node->child1(), function.gpr(), SpecFunction, JSFunctionType);
         speculationCheck(BadExecutable, JSValueSource::unboxedCell(function.gpr()), node->child1(), m_jit.branchWeakPtr(JITCompiler::NotEqual, JITCompiler::Address(function.gpr(), JSFunction::offsetOfExecutable()), node->executable()));
         noResult(node);
@@ -4602 +4603 @@
     }
 
+    case GetEnumerableLength: {
+        SpeculateCellOperand base(this, node->child1());
+        GPRResult result(this);
+        GPRReg resultGPR = result.gpr();
+
+        flushRegisters();
+        callOperation(operationGetEnumerableLength, resultGPR, base.gpr());
+        int32Result(resultGPR, node);
+        break;
+    }
+    case HasGenericProperty: {
+        JSValueOperand base(this, node->child1());
+        SpeculateCellOperand property(this, node->child2());
+        GPRResult resultPayload(this);
+        GPRResult2 resultTag(this);
+        GPRReg basePayloadGPR = base.payloadGPR();
+        GPRReg baseTagGPR = base.tagGPR();
+        GPRReg resultPayloadGPR = resultPayload.gpr();
+        GPRReg resultTagGPR = resultTag.gpr();
+
+        flushRegisters();
+        callOperation(operationHasGenericProperty, resultTagGPR, resultPayloadGPR, baseTagGPR, basePayloadGPR, property.gpr());
+        booleanResult(resultPayloadGPR, node);
+        break;
+    }
+    case HasStructureProperty: {
+        JSValueOperand base(this, node->child1());
+        SpeculateCellOperand property(this, node->child2());
+        SpeculateCellOperand enumerator(this, node->child3());
+        GPRTemporary scratch(this);
+        GPRResult resultPayload(this);
+        GPRResult2 resultTag(this);
+
+        GPRReg baseTagGPR = base.tagGPR();
+        GPRReg basePayloadGPR = base.payloadGPR();
+        GPRReg propertyGPR = property.gpr();
+        GPRReg scratchGPR = scratch.gpr();
+        GPRReg resultPayloadGPR = resultPayload.gpr();
+        GPRReg resultTagGPR = resultTag.gpr();
+
+        m_jit.load32(MacroAssembler::Address(basePayloadGPR, JSCell::structureIDOffset()), scratchGPR);
+        MacroAssembler::Jump wrongStructure = m_jit.branch32(MacroAssembler::NotEqual, 
+            scratchGPR, 
+            MacroAssembler::Address(enumerator.gpr(), JSPropertyNameEnumerator::cachedStructureIDOffset()));
+
+        moveTrueTo(resultPayloadGPR);
+        MacroAssembler::Jump done = m_jit.jump();
+
+        done.link(&m_jit);
+
+        addSlowPathGenerator(slowPathCall(wrongStructure, this, operationHasGenericProperty, resultTagGPR, resultPayloadGPR, baseTagGPR, basePayloadGPR, propertyGPR));
+        booleanResult(resultPayloadGPR, node);
+        break;
+    }
+    case HasIndexedProperty: {
+        SpeculateCellOperand base(this, node->child1());
+        SpeculateInt32Operand index(this, node->child2());
+        GPRResult resultPayload(this);
+        GPRResult2 resultTag(this);
+
+        GPRReg baseGPR = base.gpr();
+        GPRReg indexGPR = index.gpr();
+        GPRReg resultPayloadGPR = resultPayload.gpr();
+        GPRReg resultTagGPR = resultTag.gpr();
+
+        MacroAssembler::JumpList slowCases;
+        ArrayMode mode = node->arrayMode();
+        switch (mode.type()) {
+        case Array::Int32:
+        case Array::Contiguous: {
+            ASSERT(!!node->child3());
+            StorageOperand storage(this, node->child3());
+            GPRTemporary scratch(this);
+            
+            GPRReg storageGPR = storage.gpr();
+            GPRReg scratchGPR = scratch.gpr();
+
+            slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, indexGPR, MacroAssembler::Address(storageGPR, Butterfly::offsetOfPublicLength())));
+            m_jit.load32(MacroAssembler::BaseIndex(storageGPR, indexGPR, MacroAssembler::TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag)), scratchGPR);
+            slowCases.append(m_jit.branch32(MacroAssembler::Equal, scratchGPR, TrustedImm32(JSValue::EmptyValueTag)));
+            break;
+        }
+        case Array::Double: {
+            ASSERT(!!node->child3());
+            StorageOperand storage(this, node->child3());
+            FPRTemporary scratch(this);
+            FPRReg scratchFPR = scratch.fpr();
+            GPRReg storageGPR = storage.gpr();
+
+            slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, indexGPR, MacroAssembler::Address(storageGPR, Butterfly::offsetOfPublicLength())));
+            m_jit.loadDouble(MacroAssembler::BaseIndex(storageGPR, indexGPR, MacroAssembler::TimesEight), scratchFPR);
+            slowCases.append(m_jit.branchDouble(MacroAssembler::DoubleNotEqualOrUnordered, scratchFPR, scratchFPR));
+            break;
+        }
+        case Array::ArrayStorage: {
+            ASSERT(!!node->child3());
+            StorageOperand storage(this, node->child3());
+            GPRTemporary scratch(this);
+
+            GPRReg storageGPR = storage.gpr();
+            GPRReg scratchGPR = scratch.gpr();
+
+            slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, indexGPR, MacroAssembler::Address(storageGPR, ArrayStorage::vectorLengthOffset())));
+            m_jit.load32(MacroAssembler::BaseIndex(storageGPR, indexGPR, MacroAssembler::TimesEight, ArrayStorage::vectorOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), scratchGPR);
+            slowCases.append(m_jit.branch32(MacroAssembler::Equal, scratchGPR, TrustedImm32(JSValue::EmptyValueTag)));
+            break;
+        }
+        default: {
+            slowCases.append(m_jit.jump());
+            break;
+        }
+        }
+
+        moveTrueTo(resultPayloadGPR);
+        MacroAssembler::Jump done = m_jit.jump();
+
+        addSlowPathGenerator(slowPathCall(slowCases, this, operationHasIndexedProperty, resultTagGPR, resultPayloadGPR, baseGPR, indexGPR));
+        
+        done.link(&m_jit);
+        booleanResult(resultPayloadGPR, node);
+        break;
+    }
+    case GetDirectPname: {
+        Edge& baseEdge = m_jit.graph().varArgChild(node, 0);
+        Edge& propertyEdge = m_jit.graph().varArgChild(node, 1);
+        Edge& indexEdge = m_jit.graph().varArgChild(node, 2);
+        Edge& enumeratorEdge = m_jit.graph().varArgChild(node, 3);
+
+        SpeculateCellOperand base(this, baseEdge);
+        SpeculateCellOperand property(this, propertyEdge);
+        SpeculateInt32Operand index(this, indexEdge);
+        SpeculateCellOperand enumerator(this, enumeratorEdge);
+        GPRResult resultPayload(this);
+        GPRResult2 resultTag(this);
+        GPRTemporary scratch(this);
+
+        GPRReg baseGPR = base.gpr();
+        GPRReg propertyGPR = property.gpr();
+        GPRReg indexGPR = index.gpr();
+        GPRReg enumeratorGPR = enumerator.gpr();
+        GPRReg resultTagGPR = resultTag.gpr();
+        GPRReg resultPayloadGPR = resultPayload.gpr();
+        GPRReg scratchGPR = scratch.gpr();
+
+        // Check the structure
+        m_jit.load32(MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()), scratchGPR);
+        MacroAssembler::Jump wrongStructure = m_jit.branch32(MacroAssembler::NotEqual, 
+            scratchGPR, MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedStructureIDOffset()));
+        
+        // Compute the offset
+        // If index is less than the enumerator's cached inline storage, then it's an inline access
+        MacroAssembler::Jump outOfLineAccess = m_jit.branch32(MacroAssembler::AboveOrEqual, 
+            indexGPR, MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedInlineCapacityOffset()));
+
+        m_jit.move(indexGPR, scratchGPR);
+        m_jit.signExtend32ToPtr(scratchGPR, scratchGPR);
+        m_jit.load32(MacroAssembler::BaseIndex(baseGPR, scratchGPR, MacroAssembler::TimesEight, JSObject::offsetOfInlineStorage() + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), resultTagGPR);
+        m_jit.load32(MacroAssembler::BaseIndex(baseGPR, scratchGPR, MacroAssembler::TimesEight, JSObject::offsetOfInlineStorage() + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), resultPayloadGPR);
+
+        MacroAssembler::Jump done = m_jit.jump();
+        
+        // Otherwise it's out of line
+        outOfLineAccess.link(&m_jit);
+        m_jit.move(indexGPR, scratchGPR);
+        m_jit.sub32(MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedInlineCapacityOffset()), scratchGPR);
+        m_jit.neg32(scratchGPR);
+        m_jit.signExtend32ToPtr(scratchGPR, scratchGPR);
+        // We use resultPayloadGPR as a temporary here. We have to make sure clobber it after getting the 
+        // value out of indexGPR and enumeratorGPR because resultPayloadGPR could reuse either of those registers.
+        m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), resultPayloadGPR); 
+        int32_t offsetOfFirstProperty = static_cast<int32_t>(offsetInButterfly(firstOutOfLineOffset)) * sizeof(EncodedJSValue);
+        m_jit.load32(MacroAssembler::BaseIndex(resultPayloadGPR, scratchGPR, MacroAssembler::TimesEight, offsetOfFirstProperty + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), resultTagGPR);
+        m_jit.load32(MacroAssembler::BaseIndex(resultPayloadGPR, scratchGPR, MacroAssembler::TimesEight, offsetOfFirstProperty + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), resultPayloadGPR);
+
+        done.link(&m_jit);
+
+        m_jit.move(MacroAssembler::TrustedImm32(JSValue::CellTag), scratchGPR);
+        addSlowPathGenerator(slowPathCall(wrongStructure, this, operationGetByValCell, resultTagGPR, resultPayloadGPR, baseGPR, scratchGPR, propertyGPR));
+
+        jsValueResult(resultTagGPR, resultPayloadGPR, node);
+        break;
+    }
+    case GetStructurePropertyEnumerator: {
+        SpeculateCellOperand base(this, node->child1());
+        SpeculateInt32Operand length(this, node->child2());
+        GPRResult result(this);
+        GPRReg resultGPR = result.gpr();
+
+        flushRegisters();
+        callOperation(operationGetStructurePropertyEnumerator, resultGPR, base.gpr(), length.gpr());
+        cellResult(resultGPR, node);
+        break;
+    }
+    case GetGenericPropertyEnumerator: {
+        SpeculateCellOperand base(this, node->child1());
+        SpeculateInt32Operand length(this, node->child2());
+        SpeculateCellOperand enumerator(this, node->child3());
+        GPRResult result(this);
+        GPRReg resultGPR = result.gpr();
+
+        flushRegisters();
+        callOperation(operationGetGenericPropertyEnumerator, resultGPR, base.gpr(), length.gpr(), enumerator.gpr());
+        cellResult(resultGPR, node);
+        break;
+    }
+    case GetEnumeratorPname: {
+        SpeculateCellOperand enumerator(this, node->child1());
+        SpeculateInt32Operand index(this, node->child2());
+        GPRTemporary scratch(this);
+        GPRResult resultPayload(this);
+        GPRResult2 resultTag(this);
+
+        GPRReg enumeratorGPR = enumerator.gpr();
+        GPRReg indexGPR = index.gpr();
+        GPRReg scratchGPR = scratch.gpr();
+        GPRReg resultTagGPR = resultTag.gpr();
+        GPRReg resultPayloadGPR = resultPayload.gpr();
+
+        MacroAssembler::Jump inBounds = m_jit.branch32(MacroAssembler::Below, 
+            indexGPR, MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset()));
+
+        m_jit.move(MacroAssembler::TrustedImm32(JSValue::NullTag), resultTagGPR);
+        m_jit.move(MacroAssembler::TrustedImm32(0), resultPayloadGPR);
+
+        MacroAssembler::Jump done = m_jit.jump();
+        inBounds.link(&m_jit);
+
+        m_jit.loadPtr(MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset()), scratchGPR);
+        m_jit.loadPtr(MacroAssembler::BaseIndex(scratchGPR, indexGPR, MacroAssembler::ScalePtr), resultPayloadGPR);
+        m_jit.move(MacroAssembler::TrustedImm32(JSValue::CellTag), resultTagGPR);
+
+        done.link(&m_jit);
+        jsValueResult(resultTagGPR, resultPayloadGPR, node);
+        break;
+    }
+    case ToIndexString: {
+        SpeculateInt32Operand index(this, node->child1());
+        GPRResult result(this);
+        GPRReg resultGPR = result.gpr();
+
+        flushRegisters();
+        callOperation(operationToIndexString, resultGPR, index.gpr());
+        cellResult(resultGPR, node);
+        break;
+    }
+
     case ForceOSRExit: {
         terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), 0);
@@ -4626 +4873 @@
     case Phantom:
     case HardPhantom:
+    case Check:
         DFG_NODE_DO_TO_CHILDREN(m_jit.graph(), node, speculate);
         noResult(node);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -38 +38 @@
 #include "GetterSetter.h"
 #include "JSCInlines.h"
+#include "JSPropertyNameEnumerator.h"
 #include "ObjectPrototype.h"
 #include "SpillRegistersMode.h"
@@ -1870 +1871 @@
         
     case MovHint:
-    case ZombieHint:
-    case Check: {
+    case ZombieHint: {
         DFG_CRASH(m_jit.graph(), node, "Unexpected node");
         break;
@@ -3794 +3794 @@
     case CheckExecutable: {
         SpeculateCellOperand function(this, node->child1());
+        speculateCellType(node->child1(), function.gpr(), SpecFunction, JSFunctionType);
         speculationCheck(BadExecutable, JSValueSource::unboxedCell(function.gpr()), node->child1(), m_jit.branchWeakPtr(JITCompiler::NotEqual, JITCompiler::Address(function.gpr(), JSFunction::offsetOfExecutable()), node->executable()));
         noResult(node);
@@ -4648 +4649 @@
     case Phantom:
     case HardPhantom:
+    case Check:
         DFG_NODE_DO_TO_CHILDREN(m_jit.graph(), node, speculate);
         noResult(node);
@@ -4668 +4670 @@
     case StoreBarrierWithNullCheck: {
         compileStoreBarrier(node);
+        break;
+    }
+
+    case GetEnumerableLength: {
+        SpeculateCellOperand base(this, node->child1());
+        GPRResult result(this);
+        GPRReg resultGPR = result.gpr();
+
+        flushRegisters();
+        callOperation(operationGetEnumerableLength, resultGPR, base.gpr());
+        int32Result(resultGPR, node);
+        break;
+    }
+    case HasGenericProperty: {
+        JSValueOperand base(this, node->child1());
+        SpeculateCellOperand property(this, node->child2());
+        GPRResult result(this);
+        GPRReg resultGPR = result.gpr();
+
+        flushRegisters();
+        callOperation(operationHasGenericProperty, resultGPR, base.gpr(), property.gpr());
+        jsValueResult(resultGPR, node, DataFormatJSBoolean);
+        break;
+    }
+    case HasStructureProperty: {
+        JSValueOperand base(this, node->child1());
+        SpeculateCellOperand property(this, node->child2());
+        SpeculateCellOperand enumerator(this, node->child3());
+        GPRTemporary scratch(this);
+        GPRResult result(this);
+
+        GPRReg baseGPR = base.gpr();
+        GPRReg propertyGPR = property.gpr();
+        GPRReg scratchGPR = scratch.gpr();
+        GPRReg resultGPR = result.gpr();
+
+        m_jit.load32(MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()), scratchGPR);
+        MacroAssembler::Jump wrongStructure = m_jit.branch32(MacroAssembler::NotEqual, 
+            scratchGPR, 
+            MacroAssembler::Address(enumerator.gpr(), JSPropertyNameEnumerator::cachedStructureIDOffset()));
+
+        moveTrueTo(resultGPR);
+        MacroAssembler::Jump done = m_jit.jump();
+
+        done.link(&m_jit);
+
+        addSlowPathGenerator(slowPathCall(wrongStructure, this, operationHasGenericProperty, resultGPR, baseGPR, propertyGPR));
+        jsValueResult(resultGPR, node, DataFormatJSBoolean);
+        break;
+    }
+    case HasIndexedProperty: {
+        SpeculateCellOperand base(this, node->child1());
+        SpeculateInt32Operand index(this, node->child2());
+        GPRResult result(this);
+
+        GPRReg baseGPR = base.gpr();
+        GPRReg indexGPR = index.gpr();
+        GPRReg resultGPR = result.gpr();
+
+        MacroAssembler::JumpList slowCases;
+        ArrayMode mode = node->arrayMode();
+        switch (mode.type()) {
+        case Array::Int32:
+        case Array::Contiguous: {
+            ASSERT(!!node->child3());
+            StorageOperand storage(this, node->child3());
+            GPRTemporary scratch(this);
+            
+            GPRReg storageGPR = storage.gpr();
+            GPRReg scratchGPR = scratch.gpr();
+
+            MacroAssembler::Jump outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, indexGPR, MacroAssembler::Address(storageGPR, Butterfly::offsetOfPublicLength()));
+            if (mode.isInBounds())
+                speculationCheck(OutOfBounds, JSValueRegs(), 0, outOfBounds);
+            else
+                slowCases.append(outOfBounds);
+
+            m_jit.load64(MacroAssembler::BaseIndex(storageGPR, indexGPR, MacroAssembler::TimesEight), scratchGPR);
+            slowCases.append(m_jit.branchTest64(MacroAssembler::Zero, scratchGPR));
+            moveTrueTo(resultGPR);
+            break;
+        }
+        case Array::Double: {
+            ASSERT(!!node->child3());
+            StorageOperand storage(this, node->child3());
+            FPRTemporary scratch(this);
+            FPRReg scratchFPR = scratch.fpr();
+            GPRReg storageGPR = storage.gpr();
+
+            MacroAssembler::Jump outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, indexGPR, MacroAssembler::Address(storageGPR, Butterfly::offsetOfPublicLength()));
+            if (mode.isInBounds())
+                speculationCheck(OutOfBounds, JSValueRegs(), 0, outOfBounds);
+            else
+                slowCases.append(outOfBounds);
+
+            m_jit.loadDouble(MacroAssembler::BaseIndex(storageGPR, indexGPR, MacroAssembler::TimesEight), scratchFPR);
+            slowCases.append(m_jit.branchDouble(MacroAssembler::DoubleNotEqualOrUnordered, scratchFPR, scratchFPR));
+            break;
+        }
+        case Array::ArrayStorage: {
+            ASSERT(!!node->child3());
+            StorageOperand storage(this, node->child3());
+            GPRTemporary scratch(this);
+
+            GPRReg storageGPR = storage.gpr();
+            GPRReg scratchGPR = scratch.gpr();
+
+            MacroAssembler::Jump outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, indexGPR, MacroAssembler::Address(storageGPR, ArrayStorage::vectorLengthOffset()));
+            if (mode.isInBounds())
+                speculationCheck(OutOfBounds, JSValueRegs(), 0, outOfBounds);
+            else    
+                slowCases.append(outOfBounds);
+
+            m_jit.load64(MacroAssembler::BaseIndex(storageGPR, indexGPR, MacroAssembler::TimesEight, ArrayStorage::vectorOffset()), scratchGPR);
+            slowCases.append(m_jit.branchTest64(MacroAssembler::Zero, scratchGPR));
+            moveTrueTo(resultGPR);
+            break;
+        }
+        default: {
+            slowCases.append(m_jit.jump());
+            break;
+        }
+        }
+
+        addSlowPathGenerator(slowPathCall(slowCases, this, operationHasIndexedProperty, resultGPR, baseGPR, indexGPR));
+        
+        jsValueResult(resultGPR, node, DataFormatJSBoolean);
+        break;
+    }
+    case GetDirectPname: {
+        Edge& baseEdge = m_jit.graph().varArgChild(node, 0);
+        Edge& propertyEdge = m_jit.graph().varArgChild(node, 1);
+        Edge& indexEdge = m_jit.graph().varArgChild(node, 2);
+        Edge& enumeratorEdge = m_jit.graph().varArgChild(node, 3);
+
+        SpeculateCellOperand base(this, baseEdge);
+        SpeculateCellOperand property(this, propertyEdge);
+        SpeculateInt32Operand index(this, indexEdge);
+        SpeculateCellOperand enumerator(this, enumeratorEdge);
+        GPRResult result(this);
+        GPRTemporary scratch1(this);
+        GPRTemporary scratch2(this);
+
+        GPRReg baseGPR = base.gpr();
+        GPRReg propertyGPR = property.gpr();
+        GPRReg indexGPR = index.gpr();
+        GPRReg enumeratorGPR = enumerator.gpr();
+        GPRReg resultGPR = result.gpr();
+        GPRReg scratch1GPR = scratch1.gpr();
+        GPRReg scratch2GPR = scratch2.gpr();
+
+        // Check the structure
+        m_jit.load32(MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()), scratch1GPR);
+        MacroAssembler::Jump wrongStructure = m_jit.branch32(MacroAssembler::NotEqual, 
+            scratch1GPR, MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedStructureIDOffset()));
+        
+        // Compute the offset
+        // If index is less than the enumerator's cached inline storage, then it's an inline access
+        MacroAssembler::Jump outOfLineAccess = m_jit.branch32(MacroAssembler::AboveOrEqual, 
+            indexGPR, MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedInlineCapacityOffset()));
+
+        m_jit.load64(MacroAssembler::BaseIndex(baseGPR, indexGPR, MacroAssembler::TimesEight, JSObject::offsetOfInlineStorage()), resultGPR);
+
+        MacroAssembler::Jump done = m_jit.jump();
+        
+        // Otherwise it's out of line
+        outOfLineAccess.link(&m_jit);
+        m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), scratch2GPR);
+        m_jit.move(indexGPR, scratch1GPR);
+        m_jit.sub32(MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedInlineCapacityOffset()), scratch1GPR);
+        m_jit.neg32(scratch1GPR);
+        m_jit.signExtend32ToPtr(scratch1GPR, scratch1GPR);
+        int32_t offsetOfFirstProperty = static_cast<int32_t>(offsetInButterfly(firstOutOfLineOffset)) * sizeof(EncodedJSValue);
+        m_jit.load64(MacroAssembler::BaseIndex(scratch2GPR, scratch1GPR, MacroAssembler::TimesEight, offsetOfFirstProperty), resultGPR);
+
+        done.link(&m_jit);
+
+        addSlowPathGenerator(slowPathCall(wrongStructure, this, operationGetByVal, resultGPR, baseGPR, propertyGPR));
+
+        jsValueResult(resultGPR, node);
+        break;
+    }
+    case GetStructurePropertyEnumerator: {
+        SpeculateCellOperand base(this, node->child1());
+        SpeculateInt32Operand length(this, node->child2());
+        GPRResult result(this);
+        GPRReg resultGPR = result.gpr();
+
+        flushRegisters();
+        callOperation(operationGetStructurePropertyEnumerator, resultGPR, base.gpr(), length.gpr());
+        cellResult(resultGPR, node);
+        break;
+    }
+    case GetGenericPropertyEnumerator: {
+        SpeculateCellOperand base(this, node->child1());
+        SpeculateInt32Operand length(this, node->child2());
+        SpeculateCellOperand enumerator(this, node->child3());
+        GPRResult result(this);
+        GPRReg resultGPR = result.gpr();
+
+        flushRegisters();
+        callOperation(operationGetGenericPropertyEnumerator, resultGPR, base.gpr(), length.gpr(), enumerator.gpr());
+        cellResult(resultGPR, node);
+        break;
+    }
+    case GetEnumeratorPname: {
+        SpeculateCellOperand enumerator(this, node->child1());
+        SpeculateInt32Operand index(this, node->child2());
+        GPRTemporary scratch1(this);
+        GPRTemporary scratch2(this);
+        GPRResult result(this);
+
+        GPRReg enumeratorGPR = enumerator.gpr();
+        GPRReg indexGPR = index.gpr();
+        GPRReg scratch1GPR = scratch1.gpr();
+        GPRReg scratch2GPR = scratch2.gpr();
+        GPRReg resultGPR = result.gpr();
+
+        MacroAssembler::Jump inBounds = m_jit.branch32(MacroAssembler::Below, 
+            indexGPR, MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset()));
+
+        m_jit.move(MacroAssembler::TrustedImm32(ValueNull), resultGPR);
+
+        MacroAssembler::Jump done = m_jit.jump();
+        inBounds.link(&m_jit);
+
+        m_jit.loadPtr(MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset()), scratch1GPR);
+        m_jit.move(indexGPR, scratch2GPR);
+        m_jit.signExtend32ToPtr(scratch2GPR, scratch2GPR);
+        m_jit.load64(MacroAssembler::BaseIndex(scratch1GPR, scratch2GPR, MacroAssembler::TimesEight), resultGPR);
+
+        done.link(&m_jit);
+        jsValueResult(resultGPR, node);
+        break;
+    }
+    case ToIndexString: {
+        SpeculateInt32Operand index(this, node->child1());
+        GPRResult result(this);
+        GPRReg resultGPR = result.gpr();
+
+        flushRegisters();
+        callOperation(operationToIndexString, resultGPR, index.gpr());
+        cellResult(resultGPR, node);
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGUseKind.cpp

@@ -40 +40 @@
     case UntypedUse:
         out.print("Untyped");
-        break;
+        return;
     case Int32Use:
         out.print("Int32");
-        break;
+        return;
     case KnownInt32Use:
         out.print("KnownInt32");
-        break;
+        return;
     case Int52RepUse:
         out.print("Int52Rep");
-        break;
+        return;
     case MachineIntUse:
         out.print("MachineInt");
-        break;
+        return;
     case NumberUse:
         out.print("Number");
-        break;
+        return;
     case DoubleRepUse:
         out.print("DoubleRep");
-        break;
+        return;
     case DoubleRepRealUse:
         out.print("DoubleRepReal");
-        break;
+        return;
     case DoubleRepMachineIntUse:
         out.print("DoubleRepMachineInt");
-        break;
+        return;
     case BooleanUse:
         out.print("Boolean");
-        break;
+        return;
     case CellUse:
         out.print("Cell");
-        break;
+        return;
     case KnownCellUse:
         out.print("KnownCell");
-        break;
+        return;
     case ObjectUse:
         out.print("Object");
-        break;
+        return;
+    case FunctionUse:
+        out.print("Function");
+        return;
     case FinalObjectUse:
         out.print("FinalObject");
-        break;
+        return;
     case ObjectOrOtherUse:
         out.print("ObjectOrOther");
-        break;
+        return;
     case StringIdentUse:
         out.print("StringIdent");
-        break;
+        return;
     case StringUse:
         out.print("String");
-        break;
+        return;
     case KnownStringUse:
         out.print("KnownString");
-        break;
+        return;
     case StringObjectUse:
         out.print("StringObject");
-        break;
+        return;
     case StringOrStringObjectUse:
         out.print("StringOrStringObject");
-        break;
+        return;
     case NotStringVarUse:
         out.print("NotStringVar");
-        break;
+        return;
     case NotCellUse:
         out.print("NotCell");
-        break;
+        return;
     case OtherUse:
         out.print("Other");
-        break;
+        return;
     case MiscUse:
         out.print("Misc");
-        break;
-    default:
+        return;
+    case LastUseKind:
         RELEASE_ASSERT_NOT_REACHED();
-        break;
+        return;
     }
+    RELEASE_ASSERT_NOT_REACHED();
 }
 

trunk/Source/JavaScriptCore/dfg/DFGUseKind.h

@@ -49 +49 @@
     KnownCellUse,
     ObjectUse,
+    FunctionUse,
     FinalObjectUse,
     ObjectOrOtherUse,
@@ -90 +91 @@
     case ObjectUse:
         return SpecObject;
+    case FunctionUse:
+        return SpecFunction;
     case FinalObjectUse:
         return SpecFinalObject;
@@ -172 +175 @@
     case KnownCellUse:
     case ObjectUse:
+    case FunctionUse:
     case FinalObjectUse:
     case StringIdentUse: