Changeset 172940 in webkit for trunk/Source/JavaScriptCore

Timestamp:

Aug 25, 2014, 3:35:40 PM (11 years ago)

Author:

[email protected]

Message:

FTL should be able to do polymorphic call inlining
​https://bugs.webkit.org/show_bug.cgi?id=135145

Reviewed by Geoffrey Garen.
Source/JavaScriptCore:

Added a log-based high-fidelity call edge profiler that runs in DFG JIT (and optionally
baseline JIT) code. Used it to do precise polymorphic inlining in the FTL. Potential
inlining sites use the call edge profile if it is available, but they will still fall back
on the call inline cache and rare case counts if it's not. Polymorphic inlining means that
multiple possible callees can be inlined with a switch to guard them. The slow path may
either be an OSR exit or a virtual call.

The call edge profiling added in this patch is very precise - it will tell you about every
call that has ever happened. It took some effort to reduce the overhead of this profiling.
This mostly involved ensuring that we don't do it unnecessarily. For example, we avoid it
in the baseline JIT (you can conditionally enable it but it's off by default) and we only do
it in the DFG JIT if we know that the regular inline cache profiling wasn't precise enough.
I also experimented with reducing the precision of the profiling. This led to a significant
reduction in the speed-up, so I avoided this approach. I also explored making log processing
concurrent, but that didn't help. Also, I tested the overhead of the log processing and
found that most of the overhead of this profiling is actually in putting things into the log
rather than in processing the log - that part appears to be surprisingly cheap.

Polymorphic inlining could be enabled in the DFG if we enabled baseline call edge profiling,
and if we guarded such inlining sites with some profiling mechanism to detect
polyvariant monomorphisation opportunities (where the callsite being inlined reveals that
it's actually monomorphic).

This is a ~28% speed-up on deltablue and a ~7% speed-up on richards, with small speed-ups on
other programs as well. It's about a 2% speed-up on Octane version 2, and never a regression
on anything we care about. Some aggregates, like V8Spider, see a regression. This is
highlighting the increase in profiling overhead. But since this doesn't show up on any major
score (code-load or SunSpider), it's probably not relevant.

• CMakeLists.txt:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/CallEdge.cpp: Added.

(JSC::CallEdge::dump):

• bytecode/CallEdge.h: Added.

(JSC::CallEdge::operator!):
(JSC::CallEdge::callee):
(JSC::CallEdge::count):
(JSC::CallEdge::despecifiedClosure):
(JSC::CallEdge::CallEdge):

• bytecode/CallEdgeProfile.cpp: Added.

(JSC::CallEdgeProfile::callEdges):
(JSC::CallEdgeProfile::numCallsToKnownCells):
(JSC::worthDespecifying):
(JSC::CallEdgeProfile::worthDespecifying):
(JSC::CallEdgeProfile::visitWeak):
(JSC::CallEdgeProfile::addSlow):
(JSC::CallEdgeProfile::mergeBack):
(JSC::CallEdgeProfile::fadeByHalf):
(JSC::CallEdgeLog::CallEdgeLog):
(JSC::CallEdgeLog::~CallEdgeLog):
(JSC::CallEdgeLog::isEnabled):
(JSC::operationProcessCallEdgeLog):
(JSC::CallEdgeLog::emitLogCode):
(JSC::CallEdgeLog::processLog):

• bytecode/CallEdgeProfile.h: Added.

(JSC::CallEdgeProfile::numCallsToNotCell):
(JSC::CallEdgeProfile::numCallsToUnknownCell):
(JSC::CallEdgeProfile::totalCalls):

• bytecode/CallEdgeProfileInlines.h: Added.

(JSC::CallEdgeProfile::CallEdgeProfile):
(JSC::CallEdgeProfile::add):

• bytecode/CallLinkInfo.cpp:

(JSC::CallLinkInfo::visitWeak):

• bytecode/CallLinkInfo.h:
• bytecode/CallLinkStatus.cpp:

(JSC::CallLinkStatus::CallLinkStatus):
(JSC::CallLinkStatus::computeFromLLInt):
(JSC::CallLinkStatus::computeFor):
(JSC::CallLinkStatus::computeExitSiteData):
(JSC::CallLinkStatus::computeFromCallLinkInfo):
(JSC::CallLinkStatus::computeFromCallEdgeProfile):
(JSC::CallLinkStatus::computeDFGStatuses):
(JSC::CallLinkStatus::isClosureCall):
(JSC::CallLinkStatus::makeClosureCall):
(JSC::CallLinkStatus::dump):
(JSC::CallLinkStatus::function): Deleted.
(JSC::CallLinkStatus::internalFunction): Deleted.
(JSC::CallLinkStatus::intrinsicFor): Deleted.

• bytecode/CallLinkStatus.h:

(JSC::CallLinkStatus::CallLinkStatus):
(JSC::CallLinkStatus::isSet):
(JSC::CallLinkStatus::couldTakeSlowPath):
(JSC::CallLinkStatus::edges):
(JSC::CallLinkStatus::size):
(JSC::CallLinkStatus::at):
(JSC::CallLinkStatus::operator[]):
(JSC::CallLinkStatus::canOptimize):
(JSC::CallLinkStatus::canTrustCounts):
(JSC::CallLinkStatus::isClosureCall): Deleted.
(JSC::CallLinkStatus::callTarget): Deleted.
(JSC::CallLinkStatus::executable): Deleted.
(JSC::CallLinkStatus::makeClosureCall): Deleted.

• bytecode/CallVariant.cpp: Added.

(JSC::CallVariant::dump):

• bytecode/CallVariant.h: Added.

(JSC::CallVariant::CallVariant):
(JSC::CallVariant::operator!):
(JSC::CallVariant::despecifiedClosure):
(JSC::CallVariant::rawCalleeCell):
(JSC::CallVariant::internalFunction):
(JSC::CallVariant::function):
(JSC::CallVariant::isClosureCall):
(JSC::CallVariant::executable):
(JSC::CallVariant::nonExecutableCallee):
(JSC::CallVariant::intrinsicFor):
(JSC::CallVariant::functionExecutable):
(JSC::CallVariant::isHashTableDeletedValue):
(JSC::CallVariant::operator==):
(JSC::CallVariant::operator!=):
(JSC::CallVariant::operator<):
(JSC::CallVariant::operator>):
(JSC::CallVariant::operator<=):
(JSC::CallVariant::operator>=):
(JSC::CallVariant::hash):
(JSC::CallVariant::deletedToken):
(JSC::CallVariantHash::hash):
(JSC::CallVariantHash::equal):

• bytecode/CodeOrigin.h:

(JSC::InlineCallFrame::isNormalCall):

• bytecode/ExitKind.cpp:

(JSC::exitKindToString):

• bytecode/ExitKind.h:
• bytecode/GetByIdStatus.cpp:

(JSC::GetByIdStatus::computeForStubInfo):

• bytecode/PutByIdStatus.cpp:

(JSC::PutByIdStatus::computeForStubInfo):

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGBackwardsPropagationPhase.cpp:

(JSC::DFG::BackwardsPropagationPhase::propagate):

• dfg/DFGBasicBlock.cpp:

(JSC::DFG::BasicBlock::~BasicBlock):

• dfg/DFGBasicBlock.h:

(JSC::DFG::BasicBlock::takeLast):
(JSC::DFG::BasicBlock::didLink):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::processSetLocalQueue):
(JSC::DFG::ByteCodeParser::removeLastNodeFromGraph):
(JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
(JSC::DFG::ByteCodeParser::addCall):
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::emitFunctionChecks):
(JSC::DFG::ByteCodeParser::undoFunctionChecks):
(JSC::DFG::ByteCodeParser::inliningCost):
(JSC::DFG::ByteCodeParser::inlineCall):
(JSC::DFG::ByteCodeParser::cancelLinkingForBlock):
(JSC::DFG::ByteCodeParser::attemptToInlineCall):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
(JSC::DFG::ByteCodeParser::prepareToParseBlock):
(JSC::DFG::ByteCodeParser::clearCaches):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::linkBlock):
(JSC::DFG::ByteCodeParser::linkBlocks):
(JSC::DFG::ByteCodeParser::parseCodeBlock):

• dfg/DFGCPSRethreadingPhase.cpp:

(JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGCommon.h:
• dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants):

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGDriver.cpp:

(JSC::DFG::compileImpl):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGGraph.cpp:

(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::visitChildren):

• dfg/DFGJITCompiler.cpp:

(JSC::DFG::JITCompiler::link):

• dfg/DFGLazyJSValue.cpp:

(JSC::DFG::LazyJSValue::switchLookupValue):

• dfg/DFGLazyJSValue.h:

(JSC::DFG::LazyJSValue::switchLookupValue): Deleted.

• dfg/DFGNode.cpp:

(WTF::printInternal):

• dfg/DFGNode.h:

(JSC::DFG::OpInfo::OpInfo):
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasCellOperand):
(JSC::DFG::Node::cellOperand):
(JSC::DFG::Node::setCellOperand):
(JSC::DFG::Node::canBeKnownFunction): Deleted.
(JSC::DFG::Node::hasKnownFunction): Deleted.
(JSC::DFG::Node::knownFunction): Deleted.
(JSC::DFG::Node::giveKnownFunction): Deleted.
(JSC::DFG::Node::hasFunction): Deleted.
(JSC::DFG::Node::function): Deleted.
(JSC::DFG::Node::hasExecutable): Deleted.
(JSC::DFG::Node::executable): Deleted.

• dfg/DFGNodeType.h:
• dfg/DFGPhantomCanonicalizationPhase.cpp:

(JSC::DFG::PhantomCanonicalizationPhase::run):

• dfg/DFGPhantomRemovalPhase.cpp:

(JSC::DFG::PhantomRemovalPhase::run):

• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::emitSwitch):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGStructureRegistrationPhase.cpp:

(JSC::DFG::StructureRegistrationPhase::run):

• dfg/DFGTierUpCheckInjectionPhase.cpp:

(JSC::DFG::TierUpCheckInjectionPhase::run):
(JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling):

• dfg/DFGValidate.cpp:

(JSC::DFG::Validate::validate):

• dfg/DFGWatchpointCollectionPhase.cpp:

(JSC::DFG::WatchpointCollectionPhase::handle):

• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::ftlUnreachable):
(JSC::FTL::LowerDFGToLLVM::lower):
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileCheckCell):
(JSC::FTL::LowerDFGToLLVM::compileCheckBadCell):
(JSC::FTL::LowerDFGToLLVM::compileGetExecutable):
(JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
(JSC::FTL::LowerDFGToLLVM::compileSwitch):
(JSC::FTL::LowerDFGToLLVM::buildSwitch):
(JSC::FTL::LowerDFGToLLVM::compileCheckFunction): Deleted.
(JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): Deleted.

• heap/Heap.cpp:

(JSC::Heap::collect):

• jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::storeValue):
(JSC::AssemblyHelpers::loadValue):

• jit/CCallHelpers.h:

(JSC::CCallHelpers::setupArguments):

• jit/GPRInfo.h:

(JSC::JSValueRegs::uses):

• jit/JITCall.cpp:

(JSC::JIT::compileOpCall):

• jit/JITCall32_64.cpp:

(JSC::JIT::compileOpCall):

• runtime/Options.h:
• runtime/VM.cpp:

(JSC::VM::ensureCallEdgeLog):

• runtime/VM.h:
• tests/stress/new-array-then-exit.js: Added.

(foo):

• tests/stress/poly-call-exit-this.js: Added.
• tests/stress/poly-call-exit.js: Added.

Source/WTF:

Add some power that I need for call edge profiling.

• wtf/OwnPtr.h:

(WTF::OwnPtr<T>::createTransactionally):

• wtf/Spectrum.h:

(WTF::Spectrum::add):
(WTF::Spectrum::addAll):
(WTF::Spectrum::get):
(WTF::Spectrum::size):
(WTF::Spectrum::KeyAndCount::KeyAndCount):
(WTF::Spectrum::clear):
(WTF::Spectrum::removeIf):

LayoutTests:

• js/regress/script-tests/simple-poly-call-nested.js: Added.
• js/regress/script-tests/simple-poly-call.js: Added.
• js/regress/simple-poly-call-expected.txt: Added.
• js/regress/simple-poly-call-nested-expected.txt: Added.
• js/regress/simple-poly-call-nested.html: Added.
• js/regress/simple-poly-call.html: Added.

Location:

trunk/Source/JavaScriptCore

Files:

• CMakeLists.txt (modified) (1 diff)
• ChangeLog (modified) (1 diff)
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj (modified) (2 diffs)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (11 diffs)
• bytecode/CallEdge.cpp (added)
• bytecode/CallEdge.h (added)
• bytecode/CallEdgeProfile.cpp (added)
• bytecode/CallEdgeProfile.h (added)
• bytecode/CallEdgeProfileInlines.h (added)
• bytecode/CallLinkInfo.cpp (modified) (1 diff)
• bytecode/CallLinkInfo.h (modified) (3 diffs)
• bytecode/CallLinkStatus.cpp (modified) (11 diffs)
• bytecode/CallLinkStatus.h (modified) (4 diffs)
• bytecode/CallVariant.cpp (added)
• bytecode/CallVariant.h (added)
• bytecode/CodeOrigin.h (modified) (1 diff)
• bytecode/ExitKind.cpp (modified) (1 diff)
• bytecode/ExitKind.h (modified) (1 diff)
• bytecode/GetByIdStatus.cpp (modified) (1 diff)
• bytecode/PutByIdStatus.cpp (modified) (1 diff)
• dfg/DFGAbstractInterpreterInlines.h (modified) (6 diffs)
• dfg/DFGBackwardsPropagationPhase.cpp (modified) (1 diff)
• dfg/DFGBasicBlock.cpp (modified) (1 diff)
• dfg/DFGBasicBlock.h (modified) (2 diffs)
• dfg/DFGByteCodeParser.cpp (modified) (35 diffs)
• dfg/DFGCPSRethreadingPhase.cpp (modified) (1 diff)
• dfg/DFGClobberize.h (modified) (4 diffs)
• dfg/DFGCommon.h (modified) (1 diff)
• dfg/DFGConstantFoldingPhase.cpp (modified) (2 diffs)
• dfg/DFGDoesGC.cpp (modified) (4 diffs)
• dfg/DFGDriver.cpp (modified) (1 diff)
• dfg/DFGFixupPhase.cpp (modified) (6 diffs)
• dfg/DFGGraph.cpp (modified) (2 diffs)
• dfg/DFGJITCompiler.cpp (modified) (1 diff)
• dfg/DFGLazyJSValue.cpp (modified) (1 diff)
• dfg/DFGLazyJSValue.h (modified) (2 diffs)
• dfg/DFGNode.cpp (modified) (1 diff)
• dfg/DFGNode.h (modified) (5 diffs)
• dfg/DFGNodeType.h (modified) (4 diffs)
• dfg/DFGPhantomCanonicalizationPhase.cpp (modified) (1 diff)
• dfg/DFGPhantomRemovalPhase.cpp (modified) (3 diffs)
• dfg/DFGPredictionPropagationPhase.cpp (modified) (4 diffs)
• dfg/DFGSafeToExecute.h (modified) (4 diffs)
• dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (6 diffs)
• dfg/DFGSpeculativeJIT64.cpp (modified) (6 diffs)
• dfg/DFGStructureRegistrationPhase.cpp (modified) (1 diff)
• dfg/DFGTierUpCheckInjectionPhase.cpp (modified) (2 diffs)
• dfg/DFGValidate.cpp (modified) (1 diff)
• dfg/DFGWatchpointCollectionPhase.cpp (modified) (2 diffs)
• ftl/FTLCapabilities.cpp (modified) (4 diffs)
• ftl/FTLLowerDFGToLLVM.cpp (modified) (7 diffs)
• heap/Heap.cpp (modified) (1 diff)
• jit/AssemblyHelpers.h (modified) (1 diff)
• jit/CCallHelpers.h (modified) (1 diff)
• jit/GPRInfo.h (modified) (2 diffs)
• jit/JITCall.cpp (modified) (2 diffs)
• jit/JITCall32_64.cpp (modified) (2 diffs)
• runtime/Options.h (modified) (1 diff)
• runtime/VM.cpp (modified) (1 diff)
• runtime/VM.h (modified) (2 diffs)
• tests/stress/new-array-then-exit.js (added)
• tests/stress/poly-call-exit-this.js (added)
• tests/stress/poly-call-exit.js (added)

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -66 +66 @@
     bytecode/BytecodeBasicBlock.cpp
     bytecode/BytecodeLivenessAnalysis.cpp
+    bytecode/CallEdge.cpp
+    bytecode/CallEdgeProfile.cpp
     bytecode/CallLinkInfo.cpp
     bytecode/CallLinkStatus.cpp
+    bytecode/CallVariant.cpp
     bytecode/CodeBlock.cpp
     bytecode/CodeBlockHash.cpp

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2014-08-24  Filip Pizlo  <[email protected]>
+
+        FTL should be able to do polymorphic call inlining
+        https://bugs.webkit.org/show_bug.cgi?id=135145
+
+        Reviewed by Geoffrey Garen.
+        
+        Added a log-based high-fidelity call edge profiler that runs in DFG JIT (and optionally
+        baseline JIT) code. Used it to do precise polymorphic inlining in the FTL. Potential
+        inlining sites use the call edge profile if it is available, but they will still fall back
+        on the call inline cache and rare case counts if it's not. Polymorphic inlining means that
+        multiple possible callees can be inlined with a switch to guard them. The slow path may
+        either be an OSR exit or a virtual call.
+        
+        The call edge profiling added in this patch is very precise - it will tell you about every
+        call that has ever happened. It took some effort to reduce the overhead of this profiling.
+        This mostly involved ensuring that we don't do it unnecessarily. For example, we avoid it
+        in the baseline JIT (you can conditionally enable it but it's off by default) and we only do
+        it in the DFG JIT if we know that the regular inline cache profiling wasn't precise enough.
+        I also experimented with reducing the precision of the profiling. This led to a significant
+        reduction in the speed-up, so I avoided this approach. I also explored making log processing
+        concurrent, but that didn't help. Also, I tested the overhead of the log processing and
+        found that most of the overhead of this profiling is actually in putting things into the log
+        rather than in processing the log - that part appears to be surprisingly cheap.
+        
+        Polymorphic inlining could be enabled in the DFG if we enabled baseline call edge profiling,
+        and if we guarded such inlining sites with some profiling mechanism to detect
+        polyvariant monomorphisation opportunities (where the callsite being inlined reveals that
+        it's actually monomorphic).
+        
+        This is a ~28% speed-up on deltablue and a ~7% speed-up on richards, with small speed-ups on
+        other programs as well. It's about a 2% speed-up on Octane version 2, and never a regression
+        on anything we care about. Some aggregates, like V8Spider, see a regression. This is
+        highlighting the increase in profiling overhead. But since this doesn't show up on any major
+        score (code-load or SunSpider), it's probably not relevant.
+        
+        * CMakeLists.txt:
+        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * bytecode/CallEdge.cpp: Added.
+        (JSC::CallEdge::dump):
+        * bytecode/CallEdge.h: Added.
+        (JSC::CallEdge::operator!):
+        (JSC::CallEdge::callee):
+        (JSC::CallEdge::count):
+        (JSC::CallEdge::despecifiedClosure):
+        (JSC::CallEdge::CallEdge):
+        * bytecode/CallEdgeProfile.cpp: Added.
+        (JSC::CallEdgeProfile::callEdges):
+        (JSC::CallEdgeProfile::numCallsToKnownCells):
+        (JSC::worthDespecifying):
+        (JSC::CallEdgeProfile::worthDespecifying):
+        (JSC::CallEdgeProfile::visitWeak):
+        (JSC::CallEdgeProfile::addSlow):
+        (JSC::CallEdgeProfile::mergeBack):
+        (JSC::CallEdgeProfile::fadeByHalf):
+        (JSC::CallEdgeLog::CallEdgeLog):
+        (JSC::CallEdgeLog::~CallEdgeLog):
+        (JSC::CallEdgeLog::isEnabled):
+        (JSC::operationProcessCallEdgeLog):
+        (JSC::CallEdgeLog::emitLogCode):
+        (JSC::CallEdgeLog::processLog):
+        * bytecode/CallEdgeProfile.h: Added.
+        (JSC::CallEdgeProfile::numCallsToNotCell):
+        (JSC::CallEdgeProfile::numCallsToUnknownCell):
+        (JSC::CallEdgeProfile::totalCalls):
+        * bytecode/CallEdgeProfileInlines.h: Added.
+        (JSC::CallEdgeProfile::CallEdgeProfile):
+        (JSC::CallEdgeProfile::add):
+        * bytecode/CallLinkInfo.cpp:
+        (JSC::CallLinkInfo::visitWeak):
+        * bytecode/CallLinkInfo.h:
+        * bytecode/CallLinkStatus.cpp:
+        (JSC::CallLinkStatus::CallLinkStatus):
+        (JSC::CallLinkStatus::computeFromLLInt):
+        (JSC::CallLinkStatus::computeFor):
+        (JSC::CallLinkStatus::computeExitSiteData):
+        (JSC::CallLinkStatus::computeFromCallLinkInfo):
+        (JSC::CallLinkStatus::computeFromCallEdgeProfile):
+        (JSC::CallLinkStatus::computeDFGStatuses):
+        (JSC::CallLinkStatus::isClosureCall):
+        (JSC::CallLinkStatus::makeClosureCall):
+        (JSC::CallLinkStatus::dump):
+        (JSC::CallLinkStatus::function): Deleted.
+        (JSC::CallLinkStatus::internalFunction): Deleted.
+        (JSC::CallLinkStatus::intrinsicFor): Deleted.
+        * bytecode/CallLinkStatus.h:
+        (JSC::CallLinkStatus::CallLinkStatus):
+        (JSC::CallLinkStatus::isSet):
+        (JSC::CallLinkStatus::couldTakeSlowPath):
+        (JSC::CallLinkStatus::edges):
+        (JSC::CallLinkStatus::size):
+        (JSC::CallLinkStatus::at):
+        (JSC::CallLinkStatus::operator[]):
+        (JSC::CallLinkStatus::canOptimize):
+        (JSC::CallLinkStatus::canTrustCounts):
+        (JSC::CallLinkStatus::isClosureCall): Deleted.
+        (JSC::CallLinkStatus::callTarget): Deleted.
+        (JSC::CallLinkStatus::executable): Deleted.
+        (JSC::CallLinkStatus::makeClosureCall): Deleted.
+        * bytecode/CallVariant.cpp: Added.
+        (JSC::CallVariant::dump):
+        * bytecode/CallVariant.h: Added.
+        (JSC::CallVariant::CallVariant):
+        (JSC::CallVariant::operator!):
+        (JSC::CallVariant::despecifiedClosure):
+        (JSC::CallVariant::rawCalleeCell):
+        (JSC::CallVariant::internalFunction):
+        (JSC::CallVariant::function):
+        (JSC::CallVariant::isClosureCall):
+        (JSC::CallVariant::executable):
+        (JSC::CallVariant::nonExecutableCallee):
+        (JSC::CallVariant::intrinsicFor):
+        (JSC::CallVariant::functionExecutable):
+        (JSC::CallVariant::isHashTableDeletedValue):
+        (JSC::CallVariant::operator==):
+        (JSC::CallVariant::operator!=):
+        (JSC::CallVariant::operator<):
+        (JSC::CallVariant::operator>):
+        (JSC::CallVariant::operator<=):
+        (JSC::CallVariant::operator>=):
+        (JSC::CallVariant::hash):
+        (JSC::CallVariant::deletedToken):
+        (JSC::CallVariantHash::hash):
+        (JSC::CallVariantHash::equal):
+        * bytecode/CodeOrigin.h:
+        (JSC::InlineCallFrame::isNormalCall):
+        * bytecode/ExitKind.cpp:
+        (JSC::exitKindToString):
+        * bytecode/ExitKind.h:
+        * bytecode/GetByIdStatus.cpp:
+        (JSC::GetByIdStatus::computeForStubInfo):
+        * bytecode/PutByIdStatus.cpp:
+        (JSC::PutByIdStatus::computeForStubInfo):
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGBackwardsPropagationPhase.cpp:
+        (JSC::DFG::BackwardsPropagationPhase::propagate):
+        * dfg/DFGBasicBlock.cpp:
+        (JSC::DFG::BasicBlock::~BasicBlock):
+        * dfg/DFGBasicBlock.h:
+        (JSC::DFG::BasicBlock::takeLast):
+        (JSC::DFG::BasicBlock::didLink):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::processSetLocalQueue):
+        (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph):
+        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
+        (JSC::DFG::ByteCodeParser::addCall):
+        (JSC::DFG::ByteCodeParser::handleCall):
+        (JSC::DFG::ByteCodeParser::emitFunctionChecks):
+        (JSC::DFG::ByteCodeParser::undoFunctionChecks):
+        (JSC::DFG::ByteCodeParser::inliningCost):
+        (JSC::DFG::ByteCodeParser::inlineCall):
+        (JSC::DFG::ByteCodeParser::cancelLinkingForBlock):
+        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
+        (JSC::DFG::ByteCodeParser::handleInlining):
+        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+        (JSC::DFG::ByteCodeParser::prepareToParseBlock):
+        (JSC::DFG::ByteCodeParser::clearCaches):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        (JSC::DFG::ByteCodeParser::linkBlock):
+        (JSC::DFG::ByteCodeParser::linkBlocks):
+        (JSC::DFG::ByteCodeParser::parseCodeBlock):
+        * dfg/DFGCPSRethreadingPhase.cpp:
+        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGCommon.h:
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::foldConstants):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGDriver.cpp:
+        (JSC::DFG::compileImpl):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGGraph.cpp:
+        (JSC::DFG::Graph::dump):
+        (JSC::DFG::Graph::visitChildren):
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::link):
+        * dfg/DFGLazyJSValue.cpp:
+        (JSC::DFG::LazyJSValue::switchLookupValue):
+        * dfg/DFGLazyJSValue.h:
+        (JSC::DFG::LazyJSValue::switchLookupValue): Deleted.
+        * dfg/DFGNode.cpp:
+        (WTF::printInternal):
+        * dfg/DFGNode.h:
+        (JSC::DFG::OpInfo::OpInfo):
+        (JSC::DFG::Node::hasHeapPrediction):
+        (JSC::DFG::Node::hasCellOperand):
+        (JSC::DFG::Node::cellOperand):
+        (JSC::DFG::Node::setCellOperand):
+        (JSC::DFG::Node::canBeKnownFunction): Deleted.
+        (JSC::DFG::Node::hasKnownFunction): Deleted.
+        (JSC::DFG::Node::knownFunction): Deleted.
+        (JSC::DFG::Node::giveKnownFunction): Deleted.
+        (JSC::DFG::Node::hasFunction): Deleted.
+        (JSC::DFG::Node::function): Deleted.
+        (JSC::DFG::Node::hasExecutable): Deleted.
+        (JSC::DFG::Node::executable): Deleted.
+        * dfg/DFGNodeType.h:
+        * dfg/DFGPhantomCanonicalizationPhase.cpp:
+        (JSC::DFG::PhantomCanonicalizationPhase::run):
+        * dfg/DFGPhantomRemovalPhase.cpp:
+        (JSC::DFG::PhantomRemovalPhase::run):
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::emitSwitch):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::emitCall):
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::emitCall):
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGStructureRegistrationPhase.cpp:
+        (JSC::DFG::StructureRegistrationPhase::run):
+        * dfg/DFGTierUpCheckInjectionPhase.cpp:
+        (JSC::DFG::TierUpCheckInjectionPhase::run):
+        (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling):
+        * dfg/DFGValidate.cpp:
+        (JSC::DFG::Validate::validate):
+        * dfg/DFGWatchpointCollectionPhase.cpp:
+        (JSC::DFG::WatchpointCollectionPhase::handle):
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::ftlUnreachable):
+        (JSC::FTL::LowerDFGToLLVM::lower):
+        (JSC::FTL::LowerDFGToLLVM::compileNode):
+        (JSC::FTL::LowerDFGToLLVM::compileCheckCell):
+        (JSC::FTL::LowerDFGToLLVM::compileCheckBadCell):
+        (JSC::FTL::LowerDFGToLLVM::compileGetExecutable):
+        (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
+        (JSC::FTL::LowerDFGToLLVM::compileSwitch):
+        (JSC::FTL::LowerDFGToLLVM::buildSwitch):
+        (JSC::FTL::LowerDFGToLLVM::compileCheckFunction): Deleted.
+        (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): Deleted.
+        * heap/Heap.cpp:
+        (JSC::Heap::collect):
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::storeValue):
+        (JSC::AssemblyHelpers::loadValue):
+        * jit/CCallHelpers.h:
+        (JSC::CCallHelpers::setupArguments):
+        * jit/GPRInfo.h:
+        (JSC::JSValueRegs::uses):
+        * jit/JITCall.cpp:
+        (JSC::JIT::compileOpCall):
+        * jit/JITCall32_64.cpp:
+        (JSC::JIT::compileOpCall):
+        * runtime/Options.h:
+        * runtime/VM.cpp:
+        (JSC::VM::ensureCallEdgeLog):
+        * runtime/VM.h:
+        * tests/stress/new-array-then-exit.js: Added.
+        (foo):
+        * tests/stress/poly-call-exit-this.js: Added.
+        * tests/stress/poly-call-exit.js: Added.
+
 2014-08-22  Michael Saboff  <[email protected]>
 

trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj

@@ -315 +315 @@
     <ClCompile Include="..\bytecode\BytecodeBasicBlock.cpp" />
     <ClCompile Include="..\bytecode\BytecodeLivenessAnalysis.cpp" />
+    <ClCompile Include="..\bytecode\CallEdge.cpp" />
+    <ClCompile Include="..\bytecode\CallEdgeProfile.cpp" />
     <ClCompile Include="..\bytecode\CallLinkInfo.cpp" />
     <ClCompile Include="..\bytecode\CallLinkStatus.cpp" />
+    <ClCompile Include="..\bytecode\CallVariant.cpp" />
     <ClCompile Include="..\bytecode\CodeBlock.cpp" />
     <ClCompile Include="..\bytecode\CodeBlockHash.cpp" />
@@ -906 +909 @@
     <ClInclude Include="..\bytecode\BytecodeLivenessAnalysis.h" />
     <ClInclude Include="..\bytecode\BytecodeUseDef.h" />
+    <ClInclude Include="..\bytecode\CallEdge.h" />
+    <ClInclude Include="..\bytecode\CallEdgeProfile.h" />
+    <ClInclude Include="..\bytecode\CallEdgeProfileInlines.h" />
     <ClInclude Include="..\bytecode\CallLinkInfo.h" />
     <ClInclude Include="..\bytecode\CallLinkStatus.h" />
     <ClInclude Include="..\bytecode\CallReturnOffsetToBytecodeOffset.h" />
+    <ClInclude Include="..\bytecode\CallVariant.h" />
     <ClInclude Include="..\bytecode\CodeBlock.h" />
     <ClInclude Include="..\bytecode\CodeBlockHash.h" />

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -264 +264 @@
                 0F3B3A2B15475000003ED0FF /* DFGValidate.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F3B3A2915474FF4003ED0FF /* DFGValidate.cpp */; };
                 0F3B3A2C15475002003ED0FF /* DFGValidate.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F3B3A2A15474FF4003ED0FF /* DFGValidate.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F3B7E2619A11B8000D9BC56 /* CallEdge.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F3B7E2019A11B8000D9BC56 /* CallEdge.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F3B7E2719A11B8000D9BC56 /* CallEdgeProfile.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F3B7E2119A11B8000D9BC56 /* CallEdgeProfile.cpp */; };
+                0F3B7E2819A11B8000D9BC56 /* CallEdgeProfile.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F3B7E2219A11B8000D9BC56 /* CallEdgeProfile.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F3B7E2919A11B8000D9BC56 /* CallEdgeProfileInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F3B7E2319A11B8000D9BC56 /* CallEdgeProfileInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F3B7E2A19A11B8000D9BC56 /* CallVariant.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F3B7E2419A11B8000D9BC56 /* CallVariant.cpp */; };
+                0F3B7E2B19A11B8000D9BC56 /* CallVariant.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F3B7E2519A11B8000D9BC56 /* CallVariant.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F3B7E2D19A12AAE00D9BC56 /* CallEdge.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F3B7E2C19A12AAE00D9BC56 /* CallEdge.cpp */; };
                 0F3D0BBC194A414300FC9CF9 /* ConstantStructureCheck.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F3D0BBA194A414300FC9CF9 /* ConstantStructureCheck.cpp */; };
                 0F3D0BBD194A414300FC9CF9 /* ConstantStructureCheck.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F3D0BBB194A414300FC9CF9 /* ConstantStructureCheck.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -2170 +2177 @@
                 0F3B3A2915474FF4003ED0FF /* DFGValidate.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGValidate.cpp; path = dfg/DFGValidate.cpp; sourceTree = "<group>"; };
                 0F3B3A2A15474FF4003ED0FF /* DFGValidate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGValidate.h; path = dfg/DFGValidate.h; sourceTree = "<group>"; };
+                0F3B7E2019A11B8000D9BC56 /* CallEdge.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CallEdge.h; sourceTree = "<group>"; };
+                0F3B7E2119A11B8000D9BC56 /* CallEdgeProfile.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CallEdgeProfile.cpp; sourceTree = "<group>"; };
+                0F3B7E2219A11B8000D9BC56 /* CallEdgeProfile.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CallEdgeProfile.h; sourceTree = "<group>"; };
+                0F3B7E2319A11B8000D9BC56 /* CallEdgeProfileInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CallEdgeProfileInlines.h; sourceTree = "<group>"; };
+                0F3B7E2419A11B8000D9BC56 /* CallVariant.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CallVariant.cpp; sourceTree = "<group>"; };
+                0F3B7E2519A11B8000D9BC56 /* CallVariant.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CallVariant.h; sourceTree = "<group>"; };
+                0F3B7E2C19A12AAE00D9BC56 /* CallEdge.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CallEdge.cpp; sourceTree = "<group>"; };
                 0F3D0BBA194A414300FC9CF9 /* ConstantStructureCheck.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ConstantStructureCheck.cpp; sourceTree = "<group>"; };
                 0F3D0BBB194A414300FC9CF9 /* ConstantStructureCheck.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ConstantStructureCheck.h; sourceTree = "<group>"; };
@@ -5147 +5161 @@
                                 0F885E101849A3BE00F1E3FA /* BytecodeUseDef.h */,
                                 0F8023E91613832300A0BA45 /* ByValInfo.h */,
+                                0F3B7E2C19A12AAE00D9BC56 /* CallEdge.cpp */,
+                                0F3B7E2019A11B8000D9BC56 /* CallEdge.h */,
+                                0F3B7E2119A11B8000D9BC56 /* CallEdgeProfile.cpp */,
+                                0F3B7E2219A11B8000D9BC56 /* CallEdgeProfile.h */,
+                                0F3B7E2319A11B8000D9BC56 /* CallEdgeProfileInlines.h */,
                                 0F0B83AE14BCF71400885B4F /* CallLinkInfo.cpp */,
                                 0F0B83AF14BCF71400885B4F /* CallLinkInfo.h */,
@@ -5152 +5171 @@
                                 0F93329414CA7DC10085F3C6 /* CallLinkStatus.h */,
                                 0F0B83B814BCF95B00885B4F /* CallReturnOffsetToBytecodeOffset.h */,
+                                0F3B7E2419A11B8000D9BC56 /* CallVariant.cpp */,
+                                0F3B7E2519A11B8000D9BC56 /* CallVariant.h */,
                                 969A07900ED1D3AE00F1F681 /* CodeBlock.cpp */,
                                 969A07910ED1D3AE00F1F681 /* CodeBlock.h */,
@@ -5880 +5901 @@
                                 0F2FC77316E12F740038D976 /* DFGDCEPhase.h in Headers */,
                                 0F8F2B9A172F0501007DBDA5 /* DFGDesiredIdentifiers.h in Headers */,
+                                0F3B7E2819A11B8000D9BC56 /* CallEdgeProfile.h in Headers */,
                                 C2C0F7CE17BBFC5B00464FE4 /* DFGDesiredTransitions.h in Headers */,
                                 0FE8534C1723CDA500B618F5 /* DFGDesiredWatchpoints.h in Headers */,
@@ -6148 +6170 @@
                                 0F766D2C15A8CC3A008F363E /* JITStubRoutineSet.h in Headers */,
                                 14C5242B0F5355E900BA3D04 /* JITStubs.h in Headers */,
+                                0F3B7E2B19A11B8000D9BC56 /* CallVariant.h in Headers */,
                                 FEF6835E174343CC00A32E25 /* JITStubsARM.h in Headers */,
                                 FEF6835F174343CC00A32E25 /* JITStubsARMv7.h in Headers */,
@@ -6159 +6182 @@
                                 BC18C4160E16F5CD00B34460 /* JSActivation.h in Headers */,
                                 840480131021A1D9008E7F01 /* JSAPIValueWrapper.h in Headers */,
+                                0F3B7E2919A11B8000D9BC56 /* CallEdgeProfileInlines.h in Headers */,
                                 C2CF39C216E15A8100DD69BE /* JSAPIWrapperObject.h in Headers */,
                                 A76140D2182982CB00750624 /* JSArgumentsIterator.h in Headers */,
@@ -6474 +6498 @@
                                 E49DC16D12EF295300184A1F /* SourceProviderCacheItem.h in Headers */,
                                 0FB7F39E15ED8E4600F167B2 /* SparseArrayValueMap.h in Headers */,
+                                0F3B7E2619A11B8000D9BC56 /* CallEdge.h in Headers */,
                                 A7386554118697B400540279 /* SpecializedThunkJIT.h in Headers */,
                                 0F5541B21613C1FB00CE3E25 /* SpecialPointer.h in Headers */,
@@ -7328 +7353 @@
                                 0F235BD817178E1C00690C7F /* FTLExitThunkGenerator.cpp in Sources */,
                                 0F235BDA17178E1C00690C7F /* FTLExitValue.cpp in Sources */,
+                                0F3B7E2719A11B8000D9BC56 /* CallEdgeProfile.cpp in Sources */,
                                 A7F2996B17A0BB670010417A /* FTLFail.cpp in Sources */,
                                 0FD8A31917D51F2200CA2C40 /* FTLForOSREntryJITCode.cpp in Sources */,
@@ -7514 +7540 @@
                                 0F38B01117CF078000B144D3 /* LLIntEntrypoint.cpp in Sources */,
                                 0F4680A814BA7FAB00BFE272 /* LLIntExceptions.cpp in Sources */,
+                                0F3B7E2D19A12AAE00D9BC56 /* CallEdge.cpp in Sources */,
                                 0F4680A414BA7F8D00BFE272 /* LLIntSlowPaths.cpp in Sources */,
                                 0F0B839C14BCF46300885B4F /* LLIntThunks.cpp in Sources */,
@@ -7675 +7702 @@
                                 2A4EC90B1860D6C20094F782 /* WriteBarrierBuffer.cpp in Sources */,
                                 0FC8150B14043C0E00CFA603 /* WriteBarrierSupport.cpp in Sources */,
+                                0F3B7E2A19A11B8000D9BC56 /* CallVariant.cpp in Sources */,
                                 A7E5AB3A1799E4B200D2833D /* X86Disassembler.cpp in Sources */,
                                 863C6D9C1521111A00585E4E /* YarrCanonicalizeUCS2.cpp in Sources */,

trunk/Source/JavaScriptCore/bytecode/CallLinkInfo.cpp

@@ -84 +84 @@
     if (!!lastSeenCallee && !Heap::isMarked(lastSeenCallee.get()))
         lastSeenCallee.clear();
+    
+    if (callEdgeProfile) {
+        WTF::loadLoadFence();
+        callEdgeProfile->visitWeak();
+    }
 }
 

trunk/Source/JavaScriptCore/bytecode/CallLinkInfo.h

@@ -27 +27 @@
 #define CallLinkInfo_h
 
+#include "CallEdgeProfile.h"
 #include "ClosureCallStubRoutine.h"
 #include "CodeLocation.h"
@@ -34 +35 @@
 #include "Opcode.h"
 #include "WriteBarrier.h"
+#include <wtf/OwnPtr.h>
 #include <wtf/SentinelLinkedList.h>
 
@@ -89 +91 @@
     unsigned slowPathCount;
     CodeOrigin codeOrigin;
+    OwnPtr<CallEdgeProfile> callEdgeProfile;
 
     bool isLinked() { return stub || callee; }

trunk/Source/JavaScriptCore/bytecode/CallLinkStatus.cpp

@@ -33 +33 @@
 #include "JSCInlines.h"
 #include <wtf/CommaPrinter.h>
+#include <wtf/ListDump.h>
 
 namespace JSC {
@@ -39 +40 @@
 
 CallLinkStatus::CallLinkStatus(JSValue value)
-    : m_callTarget(value)
-    , m_executable(0)
-    , m_couldTakeSlowPath(false)
+    : m_couldTakeSlowPath(false)
     , m_isProved(false)
 {
-    if (!value || !value.isCell())
+    if (!value || !value.isCell()) {
+        m_couldTakeSlowPath = true;
         return;
-    
-    if (!value.asCell()->inherits(JSFunction::info()))
-        return;
-    
-    m_executable = jsCast<JSFunction*>(value.asCell())->executable();
-}
-
-JSFunction* CallLinkStatus::function() const
-{
-    if (!m_callTarget || !m_callTarget.isCell())
-        return 0;
-    
-    if (!m_callTarget.asCell()->inherits(JSFunction::info()))
-        return 0;
-    
-    return jsCast<JSFunction*>(m_callTarget.asCell());
-}
-
-InternalFunction* CallLinkStatus::internalFunction() const
-{
-    if (!m_callTarget || !m_callTarget.isCell())
-        return 0;
-    
-    if (!m_callTarget.asCell()->inherits(InternalFunction::info()))
-        return 0;
-    
-    return jsCast<InternalFunction*>(m_callTarget.asCell());
-}
-
-Intrinsic CallLinkStatus::intrinsicFor(CodeSpecializationKind kind) const
-{
-    if (!m_executable)
-        return NoIntrinsic;
-    
-    return m_executable->intrinsicFor(kind);
+    }
+    
+    m_edges.append(CallEdge(CallVariant(value.asCell()), 1));
 }
 
@@ -88 +56 @@
     UNUSED_PARAM(bytecodeIndex);
 #if ENABLE(DFG_JIT)
-    if (profiledBlock->hasExitSite(locker, DFG::FrequentExitSite(bytecodeIndex, BadFunction))) {
+    if (profiledBlock->hasExitSite(locker, DFG::FrequentExitSite(bytecodeIndex, BadCell))) {
         // We could force this to be a closure call, but instead we'll just assume that it
         // takes slow path.
@@ -126 +94 @@
         return computeFromLLInt(locker, profiledBlock, bytecodeIndex);
     
-    return computeFor(locker, *callLinkInfo, exitSiteData);
+    return computeFor(locker, profiledBlock, *callLinkInfo, exitSiteData);
 #else
     return CallLinkStatus();
@@ -140 +108 @@
 #if ENABLE(DFG_JIT)
     exitSiteData.m_takesSlowPath =
-        profiledBlock->hasExitSite(locker, DFG::FrequentExitSite(bytecodeIndex, BadCache, exitingJITType))
+        profiledBlock->hasExitSite(locker, DFG::FrequentExitSite(bytecodeIndex, BadType, exitingJITType))
         || profiledBlock->hasExitSite(locker, DFG::FrequentExitSite(bytecodeIndex, BadExecutable, exitingJITType));
     exitSiteData.m_badFunction =
-        profiledBlock->hasExitSite(locker, DFG::FrequentExitSite(bytecodeIndex, BadFunction, exitingJITType));
+        profiledBlock->hasExitSite(locker, DFG::FrequentExitSite(bytecodeIndex, BadCell, exitingJITType));
 #else
     UNUSED_PARAM(locker);
@@ -155 +123 @@
 
 #if ENABLE(JIT)
-CallLinkStatus CallLinkStatus::computeFor(const ConcurrentJITLocker&, CallLinkInfo& callLinkInfo)
+CallLinkStatus CallLinkStatus::computeFor(
+    const ConcurrentJITLocker& locker, CodeBlock* profiledBlock, CallLinkInfo& callLinkInfo)
+{
+    // We don't really need this, but anytime we have to debug this code, it becomes indispensable.
+    UNUSED_PARAM(profiledBlock);
+    
+    if (Options::callStatusShouldUseCallEdgeProfile()) {
+        // Always trust the call edge profile over anything else since this has precise counts.
+        // It can make the best possible decision because it never "forgets" what happened for any
+        // call, with the exception of fading out the counts of old calls (for example if the
+        // counter type is 16-bit then calls that happened more than 2^16 calls ago are given half
+        // weight, and this compounds for every 2^15 [sic] calls after that). The combination of
+        // high fidelity for recent calls and fading for older calls makes this the most useful
+        // mechamism of choosing how to optimize future calls.
+        CallEdgeProfile* edgeProfile = callLinkInfo.callEdgeProfile.get();
+        WTF::loadLoadFence();
+        if (edgeProfile) {
+            CallLinkStatus result = computeFromCallEdgeProfile(edgeProfile);
+            if (!!result)
+                return result;
+        }
+    }
+    
+    return computeFromCallLinkInfo(locker, callLinkInfo);
+}
+
+CallLinkStatus CallLinkStatus::computeFromCallLinkInfo(
+    const ConcurrentJITLocker&, CallLinkInfo& callLinkInfo)
 {
     // Note that despite requiring that the locker is held, this code is racy with respect
@@ -178 +173 @@
     JSFunction* target = callLinkInfo.lastSeenCallee.get();
     if (!target)
-        return CallLinkStatus();
+        return takesSlowPath();
     
     if (callLinkInfo.hasSeenClosure)
@@ -186 +181 @@
 }
 
+CallLinkStatus CallLinkStatus::computeFromCallEdgeProfile(CallEdgeProfile* edgeProfile)
+{
+    // In cases where the call edge profile saw nothing, use the CallLinkInfo instead.
+    if (!edgeProfile->totalCalls())
+        return CallLinkStatus();
+    
+    // To do anything meaningful, we require that the majority of calls are to something we
+    // know how to handle.
+    unsigned numCallsToKnown = edgeProfile->numCallsToKnownCells();
+    unsigned numCallsToUnknown = edgeProfile->numCallsToNotCell() + edgeProfile->numCallsToUnknownCell();
+    
+    // We require that the majority of calls were to something that we could possibly inline.
+    if (numCallsToKnown <= numCallsToUnknown)
+        return takesSlowPath();
+    
+    // We require that the number of such calls is greater than some minimal threshold, so that we
+    // avoid inlining completely cold calls.
+    if (numCallsToKnown < Options::frequentCallThreshold())
+        return takesSlowPath();
+    
+    CallLinkStatus result;
+    result.m_edges = edgeProfile->callEdges();
+    result.m_couldTakeSlowPath = !!numCallsToUnknown;
+    result.m_canTrustCounts = true;
+    
+    return result;
+}
+
 CallLinkStatus CallLinkStatus::computeFor(
-    const ConcurrentJITLocker& locker, CallLinkInfo& callLinkInfo, ExitSiteData exitSiteData)
-{
-    if (exitSiteData.m_takesSlowPath)
-        return takesSlowPath();
-    
-    CallLinkStatus result = computeFor(locker, callLinkInfo);
+    const ConcurrentJITLocker& locker, CodeBlock* profiledBlock, CallLinkInfo& callLinkInfo,
+    ExitSiteData exitSiteData)
+{
+    CallLinkStatus result = computeFor(locker, profiledBlock, callLinkInfo);
     if (exitSiteData.m_badFunction)
         result.makeClosureCall();
+    if (exitSiteData.m_takesSlowPath)
+        result.m_couldTakeSlowPath = true;
     
     return result;
@@ -228 +251 @@
         {
             ConcurrentJITLocker locker(dfgCodeBlock->m_lock);
-            map.add(info.codeOrigin, computeFor(locker, info, exitSiteData));
+            map.add(info.codeOrigin, computeFor(locker, dfgCodeBlock, info, exitSiteData));
         }
     }
@@ -257 +280 @@
 }
 
+bool CallLinkStatus::isClosureCall() const
+{
+    for (unsigned i = m_edges.size(); i--;) {
+        if (m_edges[i].callee().isClosureCall())
+            return true;
+    }
+    return false;
+}
+
+void CallLinkStatus::makeClosureCall()
+{
+    ASSERT(!m_isProved);
+    for (unsigned i = m_edges.size(); i--;)
+        m_edges[i] = m_edges[i].despecifiedClosure();
+    
+    if (!ASSERT_DISABLED) {
+        // Doing this should not have created duplicates, because the CallEdgeProfile
+        // should despecify closures if doing so would reduce the number of known callees.
+        for (unsigned i = 0; i < m_edges.size(); ++i) {
+            for (unsigned j = i + 1; j < m_edges.size(); ++j)
+                ASSERT(m_edges[i].callee() != m_edges[j].callee());
+        }
+    }
+}
+
 void CallLinkStatus::dump(PrintStream& out) const
 {
@@ -272 +320 @@
         out.print(comma, "Could Take Slow Path");
     
-    if (m_callTarget)
-        out.print(comma, "Known target: ", m_callTarget);
-    
-    if (m_executable) {
-        out.print(comma, "Executable/CallHash: ", RawPointer(m_executable));
-        if (!isCompilationThread())
-            out.print("/", m_executable->hashFor(CodeForCall));
-    }
+    out.print(listDump(m_edges));
 }
 

trunk/Source/JavaScriptCore/bytecode/CallLinkStatus.h

@@ -47 +47 @@
 public:
     CallLinkStatus()
-        : m_executable(0)
-        , m_couldTakeSlowPath(false)
+        : m_couldTakeSlowPath(false)
         , m_isProved(false)
+        , m_canTrustCounts(false)
     {
     }
@@ -62 +62 @@
     explicit CallLinkStatus(JSValue);
     
-    CallLinkStatus(ExecutableBase* executable)
-        : m_executable(executable)
+    CallLinkStatus(CallVariant variant)
+        : m_edges(1, CallEdge(variant, 1))
         , m_couldTakeSlowPath(false)
         , m_isProved(false)
+        , m_canTrustCounts(false)
     {
     }
@@ -93 +94 @@
     // Computes the status assuming that we never took slow path and never previously
     // exited.
-    static CallLinkStatus computeFor(const ConcurrentJITLocker&, CallLinkInfo&);
-    static CallLinkStatus computeFor(const ConcurrentJITLocker&, CallLinkInfo&, ExitSiteData);
+    static CallLinkStatus computeFor(const ConcurrentJITLocker&, CodeBlock*, CallLinkInfo&);
+    static CallLinkStatus computeFor(
+        const ConcurrentJITLocker&, CodeBlock*, CallLinkInfo&, ExitSiteData);
 #endif
     
@@ -108 +110 @@
         CodeBlock*, CodeOrigin, const CallLinkInfoMap&, const ContextMap&);
     
-    bool isSet() const { return m_callTarget || m_executable || m_couldTakeSlowPath; }
+    bool isSet() const { return !m_edges.isEmpty() || m_couldTakeSlowPath; }
     
     bool operator!() const { return !isSet(); }
     
     bool couldTakeSlowPath() const { return m_couldTakeSlowPath; }
-    bool isClosureCall() const { return m_executable && !m_callTarget; }
     
-    JSValue callTarget() const { return m_callTarget; }
-    JSFunction* function() const;
-    InternalFunction* internalFunction() const;
-    Intrinsic intrinsicFor(CodeSpecializationKind) const;
-    ExecutableBase* executable() const { return m_executable; }
+    CallEdgeList edges() const { return m_edges; }
+    unsigned size() const { return m_edges.size(); }
+    CallEdge at(unsigned i) const { return m_edges[i]; }
+    CallEdge operator[](unsigned i) const { return at(i); }
     bool isProved() const { return m_isProved; }
-    bool canOptimize() const { return (m_callTarget || m_executable) && !m_couldTakeSlowPath; }
+    bool canOptimize() const { return !m_edges.isEmpty(); }
+    bool canTrustCounts() const { return m_canTrustCounts; }
+    
+    bool isClosureCall() const; // Returns true if any callee is a closure call.
     
     void dump(PrintStream&) const;
     
 private:
-    void makeClosureCall()
-    {
-        ASSERT(!m_isProved);
-        // Turn this into a closure call.
-        m_callTarget = JSValue();
-    }
+    void makeClosureCall();
     
     static CallLinkStatus computeFromLLInt(const ConcurrentJITLocker&, CodeBlock*, unsigned bytecodeIndex);
+#if ENABLE(JIT)
+    static CallLinkStatus computeFromCallEdgeProfile(CallEdgeProfile*);
+    static CallLinkStatus computeFromCallLinkInfo(
+        const ConcurrentJITLocker&, CallLinkInfo&);
+#endif
     
-    JSValue m_callTarget;
-    ExecutableBase* m_executable;
+    CallEdgeList m_edges;
     bool m_couldTakeSlowPath;
     bool m_isProved;
+    bool m_canTrustCounts;
 };
 

trunk/Source/JavaScriptCore/bytecode/CodeOrigin.h

@@ -155 +155 @@
     }
     
+    static bool isNormalCall(Kind kind)
+    {
+        switch (kind) {
+        case Call:
+        case Construct:
+            return true;
+        default:
+            return false;
+        }
+    }
+    
     Vector<ValueRecovery> arguments; // Includes 'this'.
     WriteBarrier<ScriptExecutable> executable;

trunk/Source/JavaScriptCore/bytecode/ExitKind.cpp

@@ -39 +39 @@
     case BadType:
         return "BadType";
-    case BadFunction:
-        return "BadFunction";
+    case BadCell:
+        return "BadCell";
     case BadExecutable:
         return "BadExecutable";

trunk/Source/JavaScriptCore/bytecode/ExitKind.h

@@ -32 +32 @@
     ExitKindUnset,
     BadType, // We exited because a type prediction was wrong.
-    BadFunction, // We exited because we made an incorrect assumption about what function we would see.
+    BadCell, // We exited because we made an incorrect assumption about what cell we would see. Usually used for function checks.
     BadExecutable, // We exited because we made an incorrect assumption about what executable we would see.
     BadCache, // We exited because an inline cache was wrong.

trunk/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp

@@ -188 +188 @@
                         list->at(listIndex).stubRoutine());
                     callLinkStatus = std::make_unique<CallLinkStatus>(
-                        CallLinkStatus::computeFor(locker, *stub->m_callLinkInfo, callExitSiteData));
+                        CallLinkStatus::computeFor(
+                            locker, profiledBlock, *stub->m_callLinkInfo, callExitSiteData));
                     break;
                 }

trunk/Source/JavaScriptCore/bytecode/PutByIdStatus.cpp

@@ -248 +248 @@
                         std::make_unique<CallLinkStatus>(
                             CallLinkStatus::computeFor(
-                                locker, *stub->m_callLinkInfo, callExitSiteData));
+                                locker, profiledBlock, *stub->m_callLinkInfo, callExitSiteData));
                     
                     variant = PutByIdVariant::setter(

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -1460 +1460 @@
         break;
         
-    case CheckExecutable: {
-        // FIXME: We could track executables in AbstractValue, which would allow us to get rid of these checks
-        // more thoroughly. https://bugs.webkit.org/show_bug.cgi?id=106200
-        // FIXME: We could eliminate these entirely if we know the exact value that flows into this.
-        // https://bugs.webkit.org/show_bug.cgi?id=106201
-        break;
-    }
-
     case CheckStructure: {
         // FIXME: We should be able to propagate the structure sets of constants (i.e. prototypes).
@@ -1727 +1719 @@
         break;
     }
+        
+    case GetExecutable: {
+        JSValue value = forNode(node->child1()).value();
+        if (value) {
+            JSFunction* function = jsDynamicCast<JSFunction*>(value);
+            if (function) {
+                setConstant(node, *m_graph.freeze(function->executable()));
+                break;
+            }
+        }
+        forNode(node).setType(SpecCellOther);
+        break;
+    }
     
-    case CheckFunction: {
+    case CheckCell: {
         JSValue value = forNode(node->child1()).value();
-        if (value == node->function()->value()) {
+        if (value == node->cellOperand()->value()) {
             m_state.setFoundConstants(true);
             ASSERT(value);
@@ -1736 +1741 @@
         }
         
-        filterByValue(node->child1(), *node->function());
+        filterByValue(node->child1(), *node->cellOperand());
         break;
     }
@@ -1860 +1865 @@
     case VariableWatchpoint:
     case VarInjectionWatchpoint:
-        break;
-            
     case PutGlobalVar:
     case NotifyWrite:
@@ -1901 +1904 @@
         break;
 
+    case ProfiledCall:
+    case ProfiledConstruct:
+        if (forNode(m_graph.varArgChild(node, 0)).m_value)
+            m_state.setFoundConstants(true);
+        clobberWorld(node->origin.semantic, clobberLimit);
+        forNode(node).makeHeapTop();
+        break;
+
     case ForceOSRExit:
+    case CheckBadCell:
         m_state.setIsValid(false);
         break;
@@ -1956 +1968 @@
     case ArithIMul:
     case FiatInt52:
-        RELEASE_ASSERT_NOT_REACHED();
+    case BottomValue:
+        DFG_CRASH(m_graph, node, "Unexpected node type");
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp

@@ -390 +390 @@
                 node->child1()->mergeFlags(NodeBytecodeUsesAsNumber | NodeBytecodeUsesAsOther);
                 break;
+            case SwitchCell:
+                // There is currently no point to being clever here since this is used for switching
+                // on objects.
+                mergeDefaultFlags(node);
+                break;
             }
             break;

trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.cpp

@@ -59 +59 @@
 }
 
-BasicBlock::~BasicBlock() { }
+BasicBlock::~BasicBlock()
+{
+}
 
 void BasicBlock::ensureLocals(unsigned newNumLocals)

trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.h

@@ -63 +63 @@
     Node* operator[](size_t i) const { return at(i); }
     Node* last() const { return at(size() - 1); }
+    Node* takeLast() { return m_nodes.takeLast(); }
     void resize(size_t size) { m_nodes.resize(size); }
     void grow(size_t size) { m_nodes.grow(size); }
@@ -106 +107 @@
     
     void dump(PrintStream& out) const;
+    
+    void didLink()
+    {
+#if !ASSERT_DISABLED
+        isLinked = true;
+#endif
+    }
     
     // This value is used internally for block linking and OSR entry. It is mostly meaningless

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -51 +51 @@
 namespace JSC { namespace DFG {
 
+static const bool verbose = false;
+
 class ConstantBufferKey {
 public:
@@ -179 +181 @@
     void handleCall(int result, NodeType op, CodeSpecializationKind, unsigned instructionSize, int callee, int argCount, int registerOffset);
     void handleCall(Instruction* pc, NodeType op, CodeSpecializationKind);
-    void emitFunctionChecks(const CallLinkStatus&, Node* callTarget, int registerOffset, CodeSpecializationKind);
+    void emitFunctionChecks(CallVariant, Node* callTarget, int registerOffset, CodeSpecializationKind);
+    void undoFunctionChecks(CallVariant);
     void emitArgumentPhantoms(int registerOffset, int argumentCountIncludingThis, CodeSpecializationKind);
+    unsigned inliningCost(CallVariant, int argumentCountIncludingThis, CodeSpecializationKind); // Return UINT_MAX if it's not an inlining candidate. By convention, intrinsics have a cost of 1.
     // Handle inlining. Return true if it succeeded, false if we need to plant a call.
-    bool handleInlining(Node* callTargetNode, int resultOperand, const CallLinkStatus&, int registerOffset, int argumentCountIncludingThis, unsigned nextOffset, InlineCallFrame::Kind);
+    bool handleInlining(Node* callTargetNode, int resultOperand, const CallLinkStatus&, int registerOffset, int argumentCountIncludingThis, unsigned nextOffset, NodeType callOp, InlineCallFrame::Kind, SpeculatedType prediction);
+    enum CallerLinkability { CallerDoesNormalLinking, CallerLinksManually };
+    bool attemptToInlineCall(Node* callTargetNode, int resultOperand, CallVariant, int registerOffset, int argumentCountIncludingThis, unsigned nextOffset, InlineCallFrame::Kind, CallerLinkability, SpeculatedType prediction, unsigned& inliningBalance);
+    void inlineCall(Node* callTargetNode, int resultOperand, CallVariant, int registerOffset, int argumentCountIncludingThis, unsigned nextOffset, InlineCallFrame::Kind, CallerLinkability);
+    void cancelLinkingForBlock(InlineStackEntry*, BasicBlock*); // Only works when the given block is the last one to have been added for that inline stack entry.
     // Handle intrinsic functions. Return true if it succeeded, false if we need to plant a call.
     bool handleIntrinsic(int resultOperand, Intrinsic, int registerOffset, int argumentCountIncludingThis, SpeculatedType prediction);
     bool handleTypedArrayConstructor(int resultOperand, InternalFunction*, int registerOffset, int argumentCountIncludingThis, TypedArrayType);
-    bool handleConstantInternalFunction(int resultOperand, InternalFunction*, int registerOffset, int argumentCountIncludingThis, SpeculatedType prediction, CodeSpecializationKind);
+    bool handleConstantInternalFunction(int resultOperand, InternalFunction*, int registerOffset, int argumentCountIncludingThis, CodeSpecializationKind);
     Node* handlePutByOffset(Node* base, unsigned identifier, PropertyOffset, Node* value);
     Node* handleGetByOffset(SpeculatedType, Node* base, const StructureSet&, unsigned identifierNumber, PropertyOffset, NodeType op = GetByOffset);
@@ -201 +209 @@
     Node* getScope(unsigned skipCount);
     
-    // Prepare to parse a block.
     void prepareToParseBlock();
+    void clearCaches();
+
     // Parse a single basic block of bytecode instructions.
     bool parseBlock(unsigned limit);
@@ -297 +306 @@
         return delayed.execute(this, setMode);
     }
+    
+    void processSetLocalQueue()
+    {
+        for (unsigned i = 0; i < m_setLocalQueue.size(); ++i)
+            m_setLocalQueue[i].execute(this);
+        m_setLocalQueue.resize(0);
+    }
 
     Node* set(VirtualRegister operand, Node* value, SetMode setMode = NormalSet)
@@ -638 +654 @@
         return result;
     }
+    
+    void removeLastNodeFromGraph(NodeType expectedNodeType)
+    {
+        Node* node = m_currentBlock->takeLast();
+        RELEASE_ASSERT(node->op() == expectedNodeType);
+        m_graph.m_allocator.free(node);
+    }
 
     void addVarArgChild(Node* child)
@@ -646 +669 @@
     
     Node* addCallWithoutSettingResult(
-        NodeType op, Node* callee, int argCount, int registerOffset,
+        NodeType op, OpInfo opInfo, Node* callee, int argCount, int registerOffset,
         SpeculatedType prediction)
     {
@@ -654 +677 @@
             m_parameterSlots = parameterSlots;
 
-        int dummyThisArgument = op == Call || op == NativeCall ? 0 : 1;
+        int dummyThisArgument = op == Call || op == NativeCall || op == ProfiledCall ? 0 : 1;
         for (int i = 0 + dummyThisArgument; i < argCount; ++i)
             addVarArgChild(get(virtualRegisterForArgument(i, registerOffset)));
 
-        return addToGraph(Node::VarArg, op, OpInfo(0), OpInfo(prediction));
+        return addToGraph(Node::VarArg, op, opInfo, OpInfo(prediction));
     }
     
     Node* addCall(
-        int result, NodeType op, Node* callee, int argCount, int registerOffset,
+        int result, NodeType op, OpInfo opInfo, Node* callee, int argCount, int registerOffset,
         SpeculatedType prediction)
     {
         Node* call = addCallWithoutSettingResult(
-            op, callee, argCount, registerOffset, prediction);
+            op, opInfo, callee, argCount, registerOffset, prediction);
         VirtualRegister resultReg(result);
         if (resultReg.isValid())
@@ -872 +895 @@
         
         // Potential block linking targets. Must be sorted by bytecodeBegin, and
-        // cannot have two blocks that have the same bytecodeBegin. For this very
-        // reason, this is not equivalent to 
+        // cannot have two blocks that have the same bytecodeBegin.
         Vector<BasicBlock*> m_blockLinkingTargets;
         
@@ -1020 +1042 @@
 {
     ASSERT(registerOffset <= 0);
-    CodeSpecializationKind specializationKind = InlineCallFrame::specializationKindFor(kind);
     
     if (callTarget->hasConstant())
         callLinkStatus = CallLinkStatus(callTarget->asJSValue()).setIsProved(true);
+    
+    if ((!callLinkStatus.canOptimize() || callLinkStatus.size() != 1)
+        && !isFTL(m_graph.m_plan.mode) && Options::useFTLJIT()
+        && InlineCallFrame::isNormalCall(kind)
+        && CallEdgeLog::isEnabled()
+        && Options::dfgDoesCallEdgeProfiling()) {
+        ASSERT(op == Call || op == Construct);
+        if (op == Call)
+            op = ProfiledCall;
+        else
+            op = ProfiledConstruct;
+    }
     
     if (!callLinkStatus.canOptimize()) {
@@ -1029 +1062 @@
         // that we cannot optimize them.
         
-        addCall(result, op, callTarget, argumentCountIncludingThis, registerOffset, prediction);
+        addCall(result, op, OpInfo(), callTarget, argumentCountIncludingThis, registerOffset, prediction);
         return;
     }
     
     unsigned nextOffset = m_currentIndex + instructionSize;
-
-    if (InternalFunction* function = callLinkStatus.internalFunction()) {
-        if (handleConstantInternalFunction(result, function, registerOffset, argumentCountIncludingThis, prediction, specializationKind)) {
-            // This phantoming has to be *after* the code for the intrinsic, to signify that
-            // the inputs must be kept alive whatever exits the intrinsic may do.
-            addToGraph(Phantom, callTarget);
-            emitArgumentPhantoms(registerOffset, argumentCountIncludingThis, specializationKind);
-            return;
-        }
-        
-        // Can only handle this using the generic call handler.
-        addCall(result, op, callTarget, argumentCountIncludingThis, registerOffset, prediction);
-        return;
-    }
-        
-    Intrinsic intrinsic = callLinkStatus.intrinsicFor(specializationKind);
-
-    JSFunction* knownFunction = nullptr;
-    if (intrinsic != NoIntrinsic) {
-        emitFunctionChecks(callLinkStatus, callTarget, registerOffset, specializationKind);
-            
-        if (handleIntrinsic(result, intrinsic, registerOffset, argumentCountIncludingThis, prediction)) {
-            // This phantoming has to be *after* the code for the intrinsic, to signify that
-            // the inputs must be kept alive whatever exits the intrinsic may do.
-            addToGraph(Phantom, callTarget);
-            emitArgumentPhantoms(registerOffset, argumentCountIncludingThis, specializationKind);
-            if (m_graph.compilation())
-                m_graph.compilation()->noticeInlinedCall();
-            return;
-        }
-    } else if (handleInlining(callTarget, result, callLinkStatus, registerOffset, argumentCountIncludingThis, nextOffset, kind)) {
+    
+    OpInfo callOpInfo;
+    
+    if (handleInlining(callTarget, result, callLinkStatus, registerOffset, argumentCountIncludingThis, nextOffset, op, kind, prediction)) {
         if (m_graph.compilation())
             m_graph.compilation()->noticeInlinedCall();
         return;
+    }
+    
 #if ENABLE(FTL_NATIVE_CALL_INLINING)
-    } else if (isFTL(m_graph.m_plan.mode) && Options::optimizeNativeCalls()) {
-        JSFunction* function = callLinkStatus.function();
+    if (isFTL(m_graph.m_plan.mode) && Options::optimizeNativeCalls() && callLinkStatus.size() == 1 && !callLinkStatus.couldTakeSlowPath()) {
+        CallVariant callee = callLinkStatus[0].callee();
+        JSFunction* function = callee.function();
+        CodeSpecializationKind specializationKind = InlineCallFrame::specializationKindFor(kind);
         if (function && function->isHostFunction()) {
-            emitFunctionChecks(callLinkStatus, callTarget, registerOffset, specializationKind);
-            knownFunction = function;
-
-            if (op == Call) 
+            emitFunctionChecks(callee, callTarget, registerOffset, specializationKind);
+            callOpInfo = OpInfo(m_graph.freeze(function));
+
+            if (op == Call || op == ProfiledCall)
                 op = NativeCall;
             else {
-                ASSERT(op == Construct);
+                ASSERT(op == Construct || op == ProfiledConstruct);
                 op = NativeConstruct;
             }
         }
+    }
 #endif
-    }
-    Node* call = addCall(result, op, callTarget, argumentCountIncludingThis, registerOffset, prediction);
-
-    if (knownFunction) 
-        call->giveKnownFunction(knownFunction);
+    
+    addCall(result, op, callOpInfo, callTarget, argumentCountIncludingThis, registerOffset, prediction);
 }
 
-void ByteCodeParser::emitFunctionChecks(const CallLinkStatus& callLinkStatus, Node* callTarget, int registerOffset, CodeSpecializationKind kind)
+void ByteCodeParser::emitFunctionChecks(CallVariant callee, Node* callTarget, int registerOffset, CodeSpecializationKind kind)
 {
     Node* thisArgument;
@@ -1098 +1106 @@
         thisArgument = 0;
 
-    if (callLinkStatus.isProved()) {
-        addToGraph(Phantom, callTarget, thisArgument);
-        return;
-    }
-    
-    ASSERT(callLinkStatus.canOptimize());
-    
-    if (JSFunction* function = callLinkStatus.function())
-        addToGraph(CheckFunction, OpInfo(m_graph.freeze(function)), callTarget, thisArgument);
-    else {
-        ASSERT(callLinkStatus.executable());
-        
-        addToGraph(CheckExecutable, OpInfo(callLinkStatus.executable()), callTarget, thisArgument);
-    }
+    JSCell* calleeCell;
+    Node* callTargetForCheck;
+    if (callee.isClosureCall()) {
+        calleeCell = callee.executable();
+        callTargetForCheck = addToGraph(GetExecutable, callTarget);
+    } else {
+        calleeCell = callee.nonExecutableCallee();
+        callTargetForCheck = callTarget;
+    }
+    
+    ASSERT(calleeCell);
+    addToGraph(CheckCell, OpInfo(m_graph.freeze(calleeCell)), callTargetForCheck, thisArgument);
+}
+
+void ByteCodeParser::undoFunctionChecks(CallVariant callee)
+{
+    removeLastNodeFromGraph(CheckCell);
+    if (callee.isClosureCall())
+        removeLastNodeFromGraph(GetExecutable);
 }
 
@@ -1120 +1133 @@
 }
 
-bool ByteCodeParser::handleInlining(Node* callTargetNode, int resultOperand, const CallLinkStatus& callLinkStatus, int registerOffset, int argumentCountIncludingThis, unsigned nextOffset, InlineCallFrame::Kind kind)
+unsigned ByteCodeParser::inliningCost(CallVariant callee, int argumentCountIncludingThis, CodeSpecializationKind kind)
 {
-    static const bool verbose = false;
-    
-    CodeSpecializationKind specializationKind = InlineCallFrame::specializationKindFor(kind);
-    
     if (verbose)
-        dataLog("Considering inlining ", callLinkStatus, " into ", currentCodeOrigin(), "\n");
-    
-    // First, the really simple checks: do we have an actual JS function?
-    if (!callLinkStatus.executable()) {
+        dataLog("Considering inlining ", callee, " into ", currentCodeOrigin(), "\n");
+    
+    FunctionExecutable* executable = callee.functionExecutable();
+    if (!executable) {
         if (verbose)
-            dataLog("    Failing because there is no executable.\n");
-        return false;
-    }
-    if (callLinkStatus.executable()->isHostFunction()) {
-        if (verbose)
-            dataLog("    Failing because it's a host function.\n");
-        return false;
-    }
-    
-    FunctionExecutable* executable = jsCast<FunctionExecutable*>(callLinkStatus.executable());
+            dataLog("    Failing because there is no function executable.");
+        return UINT_MAX;
+    }
     
     // Does the number of arguments we're passing match the arity of the target? We currently
@@ -1149 +1151 @@
         if (verbose)
             dataLog("    Failing because of arity mismatch.\n");
-        return false;
+        return UINT_MAX;
     }
     
@@ -1158 +1160 @@
     // global function, where watchpointing gives us static information. Overall, it's a rare case
     // because we expect that any hot callees would have already been compiled.
-    CodeBlock* codeBlock = executable->baselineCodeBlockFor(specializationKind);
+    CodeBlock* codeBlock = executable->baselineCodeBlockFor(kind);
     if (!codeBlock) {
         if (verbose)
             dataLog("    Failing because no code block available.\n");
-        return false;
+        return UINT_MAX;
     }
     CapabilityLevel capabilityLevel = inlineFunctionForCapabilityLevel(
-        codeBlock, specializationKind, callLinkStatus.isClosureCall());
+        codeBlock, kind, callee.isClosureCall());
     if (!canInline(capabilityLevel)) {
         if (verbose)
             dataLog("    Failing because the function is not inlineable.\n");
-        return false;
+        return UINT_MAX;
     }
     
@@ -1179 +1181 @@
         if (verbose)
             dataLog("    Failing because the caller is too large.\n");
-        return false;
+        return UINT_MAX;
     }
     
@@ -1198 +1200 @@
             if (verbose)
                 dataLog("    Failing because depth exceeded.\n");
-            return false;
+            return UINT_MAX;
         }
         
@@ -1206 +1208 @@
                 if (verbose)
                     dataLog("    Failing because recursion detected.\n");
-                return false;
+                return UINT_MAX;
             }
         }
@@ -1212 +1214 @@
     
     if (verbose)
-        dataLog("    Committing to inlining.\n");
-    
-    // Now we know without a doubt that we are committed to inlining. So begin the process
-    // by checking the callee (if necessary) and making sure that arguments and the callee
-    // are flushed.
-    emitFunctionChecks(callLinkStatus, callTargetNode, registerOffset, specializationKind);
-    
+        dataLog("    Inlining should be possible.\n");
+    
+    // It might be possible to inline.
+    return codeBlock->instructionCount();
+}
+
+void ByteCodeParser::inlineCall(Node* callTargetNode, int resultOperand, CallVariant callee, int registerOffset, int argumentCountIncludingThis, unsigned nextOffset, InlineCallFrame::Kind kind, CallerLinkability callerLinkability)
+{
+    CodeSpecializationKind specializationKind = InlineCallFrame::specializationKindFor(kind);
+    
+    ASSERT(inliningCost(callee, argumentCountIncludingThis, specializationKind) != UINT_MAX);
+    
+    CodeBlock* codeBlock = callee.functionExecutable()->baselineCodeBlockFor(specializationKind);
+
     // FIXME: Don't flush constants!
     
@@ -1234 +1243 @@
     
     InlineStackEntry inlineStackEntry(
-        this, codeBlock, codeBlock, m_graph.lastBlock(), callLinkStatus.function(), resultReg,
+        this, codeBlock, codeBlock, m_graph.lastBlock(), callee.function(), resultReg,
         (VirtualRegister)inlineCallFrameStart, argumentCountIncludingThis, kind);
     
@@ -1248 +1257 @@
     RELEASE_ASSERT(
         m_inlineStackTop->m_inlineCallFrame->isClosureCall
-        == callLinkStatus.isClosureCall());
-    if (callLinkStatus.isClosureCall()) {
+        == callee.isClosureCall());
+    if (callee.isClosureCall()) {
         VariableAccessData* calleeVariable =
             set(VirtualRegister(JSStack::Callee), callTargetNode, ImmediateNakedSet)->variableAccessData();
@@ -1264 +1273 @@
     
     parseCodeBlock();
-    prepareToParseBlock(); // Reset our state now that we're back to the outer code.
+    clearCaches(); // Reset our state now that we're back to the outer code.
     
     m_currentIndex = oldIndex;
@@ -1277 +1286 @@
             ASSERT(inlineStackEntry.m_callsiteBlockHead->isLinked);
         
-        // It's possible that the callsite block head is not owned by the caller.
-        if (!inlineStackEntry.m_caller->m_unlinkedBlocks.isEmpty()) {
-            // It's definitely owned by the caller, because the caller created new blocks.
-            // Assert that this all adds up.
-            ASSERT(inlineStackEntry.m_caller->m_unlinkedBlocks.last().m_block == inlineStackEntry.m_callsiteBlockHead);
-            ASSERT(inlineStackEntry.m_caller->m_unlinkedBlocks.last().m_needsNormalLinking);
-            inlineStackEntry.m_caller->m_unlinkedBlocks.last().m_needsNormalLinking = false;
-        } else {
-            // It's definitely not owned by the caller. Tell the caller that he does not
-            // need to link his callsite block head, because we did it for him.
-            ASSERT(inlineStackEntry.m_caller->m_callsiteBlockHeadNeedsLinking);
-            ASSERT(inlineStackEntry.m_caller->m_callsiteBlockHead == inlineStackEntry.m_callsiteBlockHead);
-            inlineStackEntry.m_caller->m_callsiteBlockHeadNeedsLinking = false;
-        }
+        if (callerLinkability == CallerDoesNormalLinking)
+            cancelLinkingForBlock(inlineStackEntry.m_caller, inlineStackEntry.m_callsiteBlockHead);
         
         linkBlocks(inlineStackEntry.m_unlinkedBlocks, inlineStackEntry.m_blockLinkingTargets);
@@ -1309 +1306 @@
             // in the linker's binary search.
             lastBlock->bytecodeBegin = m_currentIndex;
-            m_inlineStackTop->m_caller->m_unlinkedBlocks.append(UnlinkedBlock(m_graph.lastBlock()));
+            if (callerLinkability == CallerDoesNormalLinking) {
+                if (verbose)
+                    dataLog("Adding unlinked block ", RawPointer(m_graph.lastBlock()), " (one return)\n");
+                m_inlineStackTop->m_caller->m_unlinkedBlocks.append(UnlinkedBlock(m_graph.lastBlock()));
+            }
         }
         
         m_currentBlock = m_graph.lastBlock();
-        return true;
+        return;
     }
     
     // If we get to this point then all blocks must end in some sort of terminals.
     ASSERT(lastBlock->last()->isTerminal());
-    
 
     // Need to create a new basic block for the continuation at the caller.
@@ -1334 +1334 @@
         node->targetBlock() = block.get();
         inlineStackEntry.m_unlinkedBlocks[i].m_needsEarlyReturnLinking = false;
-#if !ASSERT_DISABLED
-        blockToLink->isLinked = true;
-#endif
+        if (verbose)
+            dataLog("Marking ", RawPointer(blockToLink), " as linked (jumps to return)\n");
+        blockToLink->didLink();
     }
     
     m_currentBlock = block.get();
     ASSERT(m_inlineStackTop->m_caller->m_blockLinkingTargets.isEmpty() || m_inlineStackTop->m_caller->m_blockLinkingTargets.last()->bytecodeBegin < nextOffset);
-    m_inlineStackTop->m_caller->m_unlinkedBlocks.append(UnlinkedBlock(block.get()));
-    m_inlineStackTop->m_caller->m_blockLinkingTargets.append(block.get());
+    if (verbose)
+        dataLog("Adding unlinked block ", RawPointer(block.get()), " (many returns)\n");
+    if (callerLinkability == CallerDoesNormalLinking) {
+        m_inlineStackTop->m_caller->m_unlinkedBlocks.append(UnlinkedBlock(block.get()));
+        m_inlineStackTop->m_caller->m_blockLinkingTargets.append(block.get());
+    }
     m_graph.appendBlock(block);
     prepareToParseBlock();
-    
-    // At this point we return and continue to generate code for the caller, but
-    // in the new basic block.
+}
+
+void ByteCodeParser::cancelLinkingForBlock(InlineStackEntry* inlineStackEntry, BasicBlock* block)
+{
+    // It's possible that the callsite block head is not owned by the caller.
+    if (!inlineStackEntry->m_unlinkedBlocks.isEmpty()) {
+        // It's definitely owned by the caller, because the caller created new blocks.
+        // Assert that this all adds up.
+        ASSERT_UNUSED(block, inlineStackEntry->m_unlinkedBlocks.last().m_block == block);
+        ASSERT(inlineStackEntry->m_unlinkedBlocks.last().m_needsNormalLinking);
+        inlineStackEntry->m_unlinkedBlocks.last().m_needsNormalLinking = false;
+    } else {
+        // It's definitely not owned by the caller. Tell the caller that he does not
+        // need to link his callsite block head, because we did it for him.
+        ASSERT(inlineStackEntry->m_callsiteBlockHeadNeedsLinking);
+        ASSERT_UNUSED(block, inlineStackEntry->m_callsiteBlockHead == block);
+        inlineStackEntry->m_callsiteBlockHeadNeedsLinking = false;
+    }
+}
+
+bool ByteCodeParser::attemptToInlineCall(Node* callTargetNode, int resultOperand, CallVariant callee, int registerOffset, int argumentCountIncludingThis, unsigned nextOffset, InlineCallFrame::Kind kind, CallerLinkability callerLinkability, SpeculatedType prediction, unsigned& inliningBalance)
+{
+    CodeSpecializationKind specializationKind = InlineCallFrame::specializationKindFor(kind);
+    
+    if (!inliningBalance)
+        return false;
+    
+    if (InternalFunction* function = callee.internalFunction()) {
+        if (handleConstantInternalFunction(resultOperand, function, registerOffset, argumentCountIncludingThis, specializationKind)) {
+            addToGraph(Phantom, callTargetNode);
+            emitArgumentPhantoms(registerOffset, argumentCountIncludingThis, specializationKind);
+            inliningBalance--;
+            return true;
+        }
+        return false;
+    }
+    
+    Intrinsic intrinsic = callee.intrinsicFor(specializationKind);
+    if (intrinsic != NoIntrinsic) {
+        if (handleIntrinsic(resultOperand, intrinsic, registerOffset, argumentCountIncludingThis, prediction)) {
+            addToGraph(Phantom, callTargetNode);
+            emitArgumentPhantoms(registerOffset, argumentCountIncludingThis, specializationKind);
+            inliningBalance--;
+            return true;
+        }
+        return false;
+    }
+    
+    unsigned myInliningCost = inliningCost(callee, argumentCountIncludingThis, specializationKind);
+    if (myInliningCost > inliningBalance)
+        return false;
+    
+    inlineCall(callTargetNode, resultOperand, callee, registerOffset, argumentCountIncludingThis, nextOffset, kind, callerLinkability);
+    inliningBalance -= myInliningCost;
+    return true;
+}
+
+bool ByteCodeParser::handleInlining(Node* callTargetNode, int resultOperand, const CallLinkStatus& callLinkStatus, int registerOffset, int argumentCountIncludingThis, unsigned nextOffset, NodeType callOp, InlineCallFrame::Kind kind, SpeculatedType prediction)
+{
+    if (verbose) {
+        dataLog("Handling inlining...\n");
+        dataLog("Stack: ", currentCodeOrigin(), "\n");
+    }
+    CodeSpecializationKind specializationKind = InlineCallFrame::specializationKindFor(kind);
+    
+    if (!callLinkStatus.size()) {
+        if (verbose)
+            dataLog("Bailing inlining.\n");
+        return false;
+    }
+    
+    unsigned inliningBalance = Options::maximumFunctionForCallInlineCandidateInstructionCount();
+    if (specializationKind == CodeForConstruct)
+        inliningBalance = std::min(inliningBalance, Options::maximumFunctionForConstructInlineCandidateInstructionCount());
+    if (callLinkStatus.isClosureCall())
+        inliningBalance = std::min(inliningBalance, Options::maximumFunctionForClosureCallInlineCandidateInstructionCount());
+    
+    // First check if we can avoid creating control flow. Our inliner does some CFG
+    // simplification on the fly and this helps reduce compile times, but we can only leverage
+    // this in cases where we don't need control flow diamonds to check the callee.
+    if (!callLinkStatus.couldTakeSlowPath() && callLinkStatus.size() == 1) {
+        emitFunctionChecks(
+            callLinkStatus[0].callee(), callTargetNode, registerOffset, specializationKind);
+        bool result = attemptToInlineCall(
+            callTargetNode, resultOperand, callLinkStatus[0].callee(), registerOffset,
+            argumentCountIncludingThis, nextOffset, kind, CallerDoesNormalLinking, prediction,
+            inliningBalance);
+        if (!result && !callLinkStatus.isProved())
+            undoFunctionChecks(callLinkStatus[0].callee());
+        if (verbose) {
+            dataLog("Done inlining (simple).\n");
+            dataLog("Stack: ", currentCodeOrigin(), "\n");
+        }
+        return result;
+    }
+    
+    // We need to create some kind of switch over callee. For now we only do this if we believe that
+    // we're in the top tier. We have two reasons for this: first, it provides us an opportunity to
+    // do more detailed polyvariant/polymorphic profiling; and second, it reduces compile times in
+    // the DFG. And by polyvariant profiling we mean polyvariant profiling of *this* call. Note that
+    // we could improve that aspect of this by doing polymorphic inlining but having the profiling
+    // also. Currently we opt against this, but it could be interesting. That would require having a
+    // separate node for call edge profiling.
+    // FIXME: Introduce the notion of a separate call edge profiling node.
+    // https://bugs.webkit.org/show_bug.cgi?id=136033
+    if (!isFTL(m_graph.m_plan.mode) || !Options::enablePolymorphicCallInlining()) {
+        if (verbose) {
+            dataLog("Bailing inlining (hard).\n");
+            dataLog("Stack: ", currentCodeOrigin(), "\n");
+        }
+        return false;
+    }
+    
+    unsigned oldOffset = m_currentIndex;
+    
+    bool allAreClosureCalls = true;
+    bool allAreDirectCalls = true;
+    for (unsigned i = callLinkStatus.size(); i--;) {
+        if (callLinkStatus[i].callee().isClosureCall())
+            allAreDirectCalls = false;
+        else
+            allAreClosureCalls = false;
+    }
+    
+    Node* thingToSwitchOn;
+    if (allAreDirectCalls)
+        thingToSwitchOn = callTargetNode;
+    else if (allAreClosureCalls)
+        thingToSwitchOn = addToGraph(GetExecutable, callTargetNode);
+    else {
+        // FIXME: We should be able to handle this case, but it's tricky and we don't know of cases
+        // where it would be beneficial. Also, CallLinkStatus would make all callees appear like
+        // closure calls if any calls were closure calls - except for calls to internal functions.
+        // So this will only arise if some callees are internal functions and others are closures.
+        // https://bugs.webkit.org/show_bug.cgi?id=136020
+        if (verbose) {
+            dataLog("Bailing inlining (mix).\n");
+            dataLog("Stack: ", currentCodeOrigin(), "\n");
+        }
+        return false;
+    }
+    
+    if (verbose) {
+        dataLog("Doing hard inlining...\n");
+        dataLog("Stack: ", currentCodeOrigin(), "\n");
+    }
+    
+    // This makes me wish that we were in SSA all the time. We need to pick a variable into which to
+    // store the callee so that it will be accessible to all of the blocks we're about to create. We
+    // get away with doing an immediate-set here because we wouldn't have performed any side effects
+    // yet.
+    if (verbose)
+        dataLog("Register offset: ", registerOffset);
+    VirtualRegister calleeReg(registerOffset + JSStack::Callee);
+    calleeReg = m_inlineStackTop->remapOperand(calleeReg);
+    if (verbose)
+        dataLog("Callee is going to be ", calleeReg, "\n");
+    setDirect(calleeReg, callTargetNode, ImmediateSetWithFlush);
+    
+    SwitchData& data = *m_graph.m_switchData.add();
+    data.kind = SwitchCell;
+    addToGraph(Switch, OpInfo(&data), thingToSwitchOn);
+    
+    BasicBlock* originBlock = m_currentBlock;
+    if (verbose)
+        dataLog("Marking ", RawPointer(originBlock), " as linked (origin of poly inline)\n");
+    originBlock->didLink();
+    cancelLinkingForBlock(m_inlineStackTop, originBlock);
+    
+    // Each inlined callee will have a landing block that it returns at. They should all have jumps
+    // to the continuation block, which we create last.
+    Vector<BasicBlock*> landingBlocks;
+    
+    // We make force this true if we give up on inlining any of the edges.
+    bool couldTakeSlowPath = callLinkStatus.couldTakeSlowPath();
+    
+    if (verbose)
+        dataLog("About to loop over functions at ", currentCodeOrigin(), ".\n");
+    
+    for (unsigned i = 0; i < callLinkStatus.size(); ++i) {
+        m_currentIndex = oldOffset;
+        RefPtr<BasicBlock> block = adoptRef(new BasicBlock(UINT_MAX, m_numArguments, m_numLocals, PNaN));
+        m_currentBlock = block.get();
+        m_graph.appendBlock(block);
+        prepareToParseBlock();
+        
+        Node* myCallTargetNode = getDirect(calleeReg);
+        
+        bool inliningResult = attemptToInlineCall(
+            myCallTargetNode, resultOperand, callLinkStatus[i].callee(), registerOffset,
+            argumentCountIncludingThis, nextOffset, kind, CallerLinksManually, prediction,
+            inliningBalance);
+        
+        if (!inliningResult) {
+            // That failed so we let the block die. Nothing interesting should have been added to
+            // the block. We also give up on inlining any of the (less frequent) callees.
+            ASSERT(m_currentBlock == block.get());
+            ASSERT(m_graph.m_blocks.last() == block);
+            m_graph.killBlockAndItsContents(block.get());
+            m_graph.m_blocks.removeLast();
+            
+            // The fact that inlining failed means we need a slow path.
+            couldTakeSlowPath = true;
+            break;
+        }
+        
+        JSCell* thingToCaseOn;
+        if (allAreDirectCalls)
+            thingToCaseOn = callLinkStatus[i].callee().nonExecutableCallee();
+        else {
+            ASSERT(allAreClosureCalls);
+            thingToCaseOn = callLinkStatus[i].callee().executable();
+        }
+        data.cases.append(SwitchCase(m_graph.freeze(thingToCaseOn), block.get()));
+        m_currentIndex = nextOffset;
+        processSetLocalQueue(); // This only comes into play for intrinsics, since normal inlined code will leave an empty queue.
+        addToGraph(Jump);
+        if (verbose)
+            dataLog("Marking ", RawPointer(m_currentBlock), " as linked (tail of poly inlinee)\n");
+        m_currentBlock->didLink();
+        landingBlocks.append(m_currentBlock);
+
+        if (verbose)
+            dataLog("Finished inlining ", callLinkStatus[i].callee(), " at ", currentCodeOrigin(), ".\n");
+    }
+    
+    RefPtr<BasicBlock> slowPathBlock = adoptRef(
+        new BasicBlock(UINT_MAX, m_numArguments, m_numLocals, PNaN));
+    m_currentIndex = oldOffset;
+    data.fallThrough = BranchTarget(slowPathBlock.get());
+    m_graph.appendBlock(slowPathBlock);
+    if (verbose)
+        dataLog("Marking ", RawPointer(slowPathBlock.get()), " as linked (slow path block)\n");
+    slowPathBlock->didLink();
+    prepareToParseBlock();
+    m_currentBlock = slowPathBlock.get();
+    Node* myCallTargetNode = getDirect(calleeReg);
+    if (couldTakeSlowPath) {
+        addCall(
+            resultOperand, callOp, OpInfo(), myCallTargetNode, argumentCountIncludingThis,
+            registerOffset, prediction);
+    } else {
+        addToGraph(CheckBadCell);
+        addToGraph(Phantom, myCallTargetNode);
+        emitArgumentPhantoms(registerOffset, argumentCountIncludingThis, specializationKind);
+        
+        set(VirtualRegister(resultOperand), addToGraph(BottomValue));
+    }
+
+    m_currentIndex = nextOffset;
+    processSetLocalQueue();
+    addToGraph(Jump);
+    landingBlocks.append(m_currentBlock);
+    
+    RefPtr<BasicBlock> continuationBlock = adoptRef(
+        new BasicBlock(UINT_MAX, m_numArguments, m_numLocals, PNaN));
+    m_graph.appendBlock(continuationBlock);
+    if (verbose)
+        dataLog("Adding unlinked block ", RawPointer(continuationBlock.get()), " (continuation)\n");
+    m_inlineStackTop->m_unlinkedBlocks.append(UnlinkedBlock(continuationBlock.get()));
+    prepareToParseBlock();
+    m_currentBlock = continuationBlock.get();
+    
+    for (unsigned i = landingBlocks.size(); i--;)
+        landingBlocks[i]->last()->targetBlock() = continuationBlock.get();
+    
+    m_currentIndex = oldOffset;
+    
+    if (verbose) {
+        dataLog("Done inlining (hard).\n");
+        dataLog("Stack: ", currentCodeOrigin(), "\n");
+    }
     return true;
 }
@@ -1646 +1919 @@
 bool ByteCodeParser::handleConstantInternalFunction(
     int resultOperand, InternalFunction* function, int registerOffset,
-    int argumentCountIncludingThis, SpeculatedType prediction, CodeSpecializationKind kind)
+    int argumentCountIncludingThis, CodeSpecializationKind kind)
 {
     // If we ever find that we have a lot of internal functions that we specialize for,
@@ -1654 +1927 @@
     // we know about is small enough, that having just a linear cascade of if statements
     // is good enough.
-    
-    UNUSED_PARAM(prediction); // Remove this once we do more things.
     
     if (function->classInfo() == ArrayConstructor::info()) {
@@ -2021 +2292 @@
 void ByteCodeParser::prepareToParseBlock()
 {
+    clearCaches();
+    ASSERT(m_setLocalQueue.isEmpty());
+}
+
+void ByteCodeParser::clearCaches()
+{
     m_constants.resize(0);
 }
@@ -2060 +2337 @@
 
     while (true) {
-        for (unsigned i = 0; i < m_setLocalQueue.size(); ++i)
-            m_setLocalQueue[i].execute(this);
-        m_setLocalQueue.resize(0);
+        processSetLocalQueue();
         
         // Don't extend over jump destinations.
@@ -2206 +2481 @@
             if (!cachedFunction 
                 || m_inlineStackTop->m_profiledBlock->couldTakeSlowCase(m_currentIndex)
-                || m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadFunction)) {
+                || m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCell)) {
                 set(VirtualRegister(currentInstruction[1].u.operand), get(VirtualRegister(JSStack::Callee)));
             } else {
@@ -2212 +2487 @@
                 ASSERT(cachedFunction->inherits(JSFunction::info()));
                 Node* actualCallee = get(VirtualRegister(JSStack::Callee));
-                addToGraph(CheckFunction, OpInfo(frozen), actualCallee);
+                addToGraph(CheckCell, OpInfo(frozen), actualCallee);
                 set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(JSConstant, OpInfo(frozen)));
             }
@@ -2894 +3169 @@
             ASSERT(pointerIsFunction(currentInstruction[2].u.specialPointer));
             addToGraph(
-                CheckFunction,
+                CheckCell,
                 OpInfo(m_graph.freeze(static_cast<JSCell*>(actualPointerFor(
                     m_inlineStackTop->m_codeBlock, currentInstruction[2].u.specialPointer)))),
@@ -3318 +3593 @@
     }
     
-#if !ASSERT_DISABLED
-    block->isLinked = true;
-#endif
+    if (verbose)
+        dataLog("Marking ", RawPointer(block), " as linked (actually did linking)\n");
+    block->didLink();
 }
 
@@ -3326 +3601 @@
 {
     for (size_t i = 0; i < unlinkedBlocks.size(); ++i) {
+        if (verbose)
+            dataLog("Attempting to link ", RawPointer(unlinkedBlocks[i].m_block), "\n");
         if (unlinkedBlocks[i].m_needsNormalLinking) {
+            if (verbose)
+                dataLog("    Does need normal linking.\n");
             linkBlock(unlinkedBlocks[i].m_block, possibleTargets);
             unlinkedBlocks[i].m_needsNormalLinking = false;
@@ -3493 +3772 @@
 void ByteCodeParser::parseCodeBlock()
 {
-    prepareToParseBlock();
+    clearCaches();
     
     CodeBlock* codeBlock = m_inlineStackTop->m_codeBlock;
@@ -3559 +3838 @@
                     //    a peephole coalescing of this block in the if statement above. So, we're
                     //    generating suboptimal code and leaving more work for the CFG simplifier.
-                    ASSERT(m_inlineStackTop->m_unlinkedBlocks.isEmpty() || m_inlineStackTop->m_unlinkedBlocks.last().m_block->bytecodeBegin < m_currentIndex);
+                    if (!m_inlineStackTop->m_unlinkedBlocks.isEmpty()) {
+                        unsigned lastBegin =
+                            m_inlineStackTop->m_unlinkedBlocks.last().m_block->bytecodeBegin;
+                        ASSERT_UNUSED(
+                            lastBegin, lastBegin == UINT_MAX || lastBegin < m_currentIndex);
+                    }
                     m_inlineStackTop->m_unlinkedBlocks.append(UnlinkedBlock(block.get()));
                     m_inlineStackTop->m_blockLinkingTargets.append(block.get());

trunk/Source/JavaScriptCore/dfg/DFGCPSRethreadingPhase.cpp

@@ -91 +91 @@
                     break;
                 case Phantom:
-                    if (!node->child1())
+                    if (!node->child1()) {
+                        m_graph.m_allocator.free(node);
                         continue;
+                    }
                     switch (node->child1()->op()) {
                     case Phi:

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -145 +145 @@
     case MakeRope:
     case ValueToInt32:
+    case GetExecutable:
+    case BottomValue:
         def(PureValue(node));
         return;
@@ -240 +242 @@
         return;
         
-    case CheckFunction:
-        def(PureValue(CheckFunction, AdjacencyList(AdjacencyList::Fixed, node->child1()), node->function()));
-        return;
-        
-    case CheckExecutable:
-        def(PureValue(node, node->executable()));
+    case CheckCell:
+        def(PureValue(CheckCell, AdjacencyList(AdjacencyList::Fixed, node->child1()), node->cellOperand()));
         return;
         
@@ -264 +262 @@
     case Throw:
     case ForceOSRExit:
+    case CheckBadCell:
     case Return:
     case Unreachable:
@@ -359 +358 @@
     case Call:
     case Construct:
+    case ProfiledCall:
+    case ProfiledConstruct:
     case NativeCall:
     case NativeConstruct:

trunk/Source/JavaScriptCore/dfg/DFGCommon.h

@@ -62 +62 @@
     RefNode,
     DontRefNode
+};
+
+enum SwitchKind {
+    SwitchImm,
+    SwitchChar,
+    SwitchString,
+    SwitchCell
 };
 

trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

@@ -143 +143 @@
             }
                 
-            case CheckFunction: {
-                if (m_state.forNode(node->child1()).value() != node->function()->value())
+            case CheckCell: {
+                if (m_state.forNode(node->child1()).value() != node->cellOperand()->value())
                     break;
                 node->convertToPhantom();
@@ -385 +385 @@
                 break;
             }
+                
+            case ProfiledCall:
+            case ProfiledConstruct: {
+                if (!m_state.forNode(m_graph.varArgChild(node, 0)).m_value)
+                    break;
+                
+                // If we were able to prove that the callee is a constant then the normal call
+                // inline cache will record this callee. This means that there is no need to do any
+                // additional profiling.
+                node->setOp(node->op() == ProfiledCall ? Call : Construct);
+                eliminated = true;
+                break;
+            }
 
             default:

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -92 +92 @@
     case PutByIdDirect:
     case CheckStructure:
-    case CheckExecutable:
+    case GetExecutable:
     case GetButterfly:
     case CheckArray:
@@ -105 +105 @@
     case VariableWatchpoint:
     case VarInjectionWatchpoint:
-    case CheckFunction:
+    case CheckCell:
     case AllocationProfileWatchpoint:
     case RegExpExec:
@@ -120 +120 @@
     case NativeCall:
     case NativeConstruct:
+    case ProfiledCall:
+    case ProfiledConstruct:
     case Breakpoint:
     case ProfileWillCall:
@@ -196 +198 @@
     case FiatInt52:
     case BooleanToNumber:
+    case CheckBadCell:
+    case BottomValue:
         return false;
 

trunk/Source/JavaScriptCore/dfg/DFGDriver.cpp

@@ -90 +90 @@
     }
     
+    if (CallEdgeLog::isEnabled())
+        vm.ensureCallEdgeLog().processLog();
+    
     RefPtr<Plan> plan = adoptRef(
         new Plan(codeBlock, profiledDFGCodeBlock, mode, osrEntryBytecodeIndex, mustHandleValues));

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -737 +737 @@
                     fixEdge<StringUse>(node->child1());
                 break;
+            case SwitchCell:
+                if (node->child1()->shouldSpeculateCell())
+                    fixEdge<CellUse>(node->child1());
+                // else it's fine for this to have UntypedUse; we will handle this by just making
+                // non-cells take the default case.
+                break;
             }
             break;
@@ -898 +904 @@
         }
 
-        case CheckExecutable: {
+        case GetExecutable: {
             fixEdge<FunctionUse>(node->child1());
             break;
@@ -904 +910 @@
             
         case CheckStructure:
-        case CheckFunction:
+        case CheckCell:
         case CheckHasInstance:
         case CreateThis:
@@ -1121 +1127 @@
         case Call:
         case Construct:
+        case ProfiledCall:
+        case ProfiledConstruct:
         case NativeCall:
         case NativeConstruct:
@@ -1150 +1158 @@
         case CountExecution:
         case ForceOSRExit:
+        case CheckBadCell:
         case CheckWatchdogTimer:
         case Unreachable:
@@ -1160 +1169 @@
         case MovHint:
         case ZombieHint:
+        case BottomValue:
             break;
 #else

trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp

@@ -223 +223 @@
     if (node->hasTransition())
         out.print(comma, pointerDumpInContext(node->transition(), context));
-    if (node->hasFunction()) {
-        out.print(comma, "function(", pointerDump(node->function()), ", ");
-        if (node->function()->value().isCell()
-            && node->function()->value().asCell()->inherits(JSFunction::info())) {
-            JSFunction* function = jsCast<JSFunction*>(node->function()->value().asCell());
-            if (function->isHostFunction())
-                out.print("<host function>");
-            else
-                out.print(FunctionExecutableDump(function->jsExecutable()));
-        } else
-            out.print("<not JSFunction>");
-        out.print(")");
-    }
-    if (node->hasExecutable()) {
-        if (node->executable()->inherits(FunctionExecutable::info()))
-            out.print(comma, "executable(", FunctionExecutableDump(jsCast<FunctionExecutable*>(node->executable())), ")");
-        else
-            out.print(comma, "executable(not function: ", RawPointer(node->executable()), ")");
+    if (node->hasCellOperand()) {
+        if (!node->cellOperand()->value() || !node->cellOperand()->value().isCell())
+            out.print(comma, "invalid cell operand: ", node->cellOperand()->value());
+        else {
+            out.print(comma, pointerDump(node->cellOperand()->value().asCell()));
+            if (node->cellOperand()->value().isCell()) {
+                CallVariant variant(node->cellOperand()->value().asCell());
+                if (ExecutableBase* executable = variant.executable()) {
+                    if (executable->isHostFunction())
+                        out.print(comma, "<host function>");
+                    else if (FunctionExecutable* functionExecutable = jsDynamicCast<FunctionExecutable*>(executable))
+                        out.print(comma, FunctionExecutableDump(functionExecutable));
+                    else
+                        out.print(comma, "<non-function executable>");
+                }
+            }
+        }
     }
     if (node->hasFunctionDeclIndex()) {
@@ -986 +985 @@
             
             switch (node->op()) {
-            case CheckExecutable:
-                visitor.appendUnbarrieredReadOnlyPointer(node->executable());
-                break;
-                
             case CheckStructure:
                 for (unsigned i = node->structureSet().size(); i--;)

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp

@@ -189 +189 @@
         for (unsigned j = data.cases.size(); j--;) {
             SwitchCase& myCase = data.cases[j];
-            table.ctiOffsets[myCase.value.switchLookupValue() - table.min] =
+            table.ctiOffsets[myCase.value.switchLookupValue(data.kind) - table.min] =
                 linkBuffer.locationOf(m_blockHeads[myCase.target.block->index]);
         }

trunk/Source/JavaScriptCore/dfg/DFGLazyJSValue.cpp

@@ -114 +114 @@
 }
 
+uintptr_t LazyJSValue::switchLookupValue(SwitchKind kind) const
+{
+    // NB. Not every kind of JSValue will be able to give you a switch lookup
+    // value, and this method will assert, or do bad things, if you use it
+    // for a kind of value that can't.
+    switch (m_kind) {
+    case KnownValue:
+        switch (kind) {
+        case SwitchImm:
+            return value()->value().asInt32();
+        case SwitchCell:
+            return bitwise_cast<uintptr_t>(value()->value().asCell());
+        default:
+            RELEASE_ASSERT_NOT_REACHED();
+            return 0;
+        }
+    case SingleCharacterString:
+        switch (kind) {
+        case SwitchChar:
+            return character();
+        default:
+            RELEASE_ASSERT_NOT_REACHED();
+            return 0;
+        }
+    default:
+        RELEASE_ASSERT_NOT_REACHED();
+        return 0;
+    }
+}
+
 void LazyJSValue::dumpInContext(PrintStream& out, DumpContext* context) const
 {

trunk/Source/JavaScriptCore/dfg/DFGLazyJSValue.h

@@ -29 +29 @@
 #if ENABLE(DFG_JIT)
 
+#include "DFGCommon.h"
 #include "DFGFrozenValue.h"
 #include <wtf/text/StringImpl.h>
@@ -96 +97 @@
     TriState strictEqual(const LazyJSValue& other) const;
     
-    unsigned switchLookupValue() const
-    {
-        // NB. Not every kind of JSValue will be able to give you a switch lookup
-        // value, and this method will assert, or do bad things, if you use it
-        // for a kind of value that can't.
-        switch (m_kind) {
-        case KnownValue:
-            return value()->value().asInt32();
-        case SingleCharacterString:
-            return character();
-        default:
-            RELEASE_ASSERT_NOT_REACHED();
-            return 0;
-        }
-    }
+    uintptr_t switchLookupValue(SwitchKind) const;
     
     void dump(PrintStream&) const;

trunk/Source/JavaScriptCore/dfg/DFGNode.cpp

@@ -114 +114 @@
         out.print("SwitchString");
         return;
+    case SwitchCell:
+        out.print("SwitchCell");
+        return;
     }
     RELEASE_ASSERT_NOT_REACHED();

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -158 +158 @@
 };
 
-enum SwitchKind {
-    SwitchImm,
-    SwitchChar,
-    SwitchString
-};
-
 struct SwitchData {
     // Initializes most fields to obviously invalid values. Anyone
@@ -186 +180 @@
 // a constant index, argument, or identifier) from a Node*.
 struct OpInfo {
+    OpInfo() : m_value(0) { }
     explicit OpInfo(int32_t value) : m_value(static_cast<uintptr_t>(value)) { }
     explicit OpInfo(uint32_t value) : m_value(static_cast<uintptr_t>(value)) { }
@@ -1010 +1005 @@
         case Call:
         case Construct:
+        case ProfiledCall:
+        case ProfiledConstruct:
         case NativeCall:
         case NativeConstruct:
@@ -1045 +1042 @@
     }
     
-    bool canBeKnownFunction()
-    {
-        switch (op()) {
+    bool hasCellOperand()
+    {
+        switch (op()) {
+        case AllocationProfileWatchpoint:
+        case CheckCell:
         case NativeConstruct:
         case NativeCall:
@@ -1056 +1055 @@
     }
 
-    bool hasKnownFunction()
-    {
-        switch (op()) {
-        case NativeConstruct:
-        case NativeCall:
-            return (bool)m_opInfo;
-        default:
-            return false;
-        }
-    }
-    
-    JSFunction* knownFunction()
-    {
-        ASSERT(canBeKnownFunction());
-        return bitwise_cast<JSFunction*>(m_opInfo);
-    }
-
-    void giveKnownFunction(JSFunction* callData) 
-    {
-        ASSERT(canBeKnownFunction());
-        m_opInfo = bitwise_cast<uintptr_t>(callData);
-    }
-
-    bool hasFunction()
-    {
-        switch (op()) {
-        case CheckFunction:
-        case AllocationProfileWatchpoint:
-            return true;
-        default:
-            return false;
-        }
-    }
-
-    FrozenValue* function()
-    {
-        ASSERT(hasFunction());
+    FrozenValue* cellOperand()
+    {
+        ASSERT(hasCellOperand());
         return reinterpret_cast<FrozenValue*>(m_opInfo);
     }
     
-    bool hasExecutable()
-    {
-        return op() == CheckExecutable;
-    }
-    
-    ExecutableBase* executable()
-    {
-        return jsCast<ExecutableBase*>(reinterpret_cast<JSCell*>(m_opInfo));
+    void setCellOperand(FrozenValue* value)
+    {
+        ASSERT(hasCellOperand());
+        m_opInfo = bitwise_cast<uintptr_t>(value);
     }
     

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -154 +154 @@
     macro(PutByIdDirect, NodeMustGenerate | NodeClobbersWorld) \
     macro(CheckStructure, NodeMustGenerate) \
-    macro(CheckExecutable, NodeMustGenerate) \
+    macro(GetExecutable, NodeResultJS) \
     macro(PutStructure, NodeMustGenerate) \
     macro(AllocatePropertyStorage, NodeMustGenerate | NodeResultStorage) \
@@ -186 +186 @@
     macro(VarInjectionWatchpoint, NodeMustGenerate) \
     macro(FunctionReentryWatchpoint, NodeMustGenerate) \
-    macro(CheckFunction, NodeMustGenerate) \
+    macro(CheckCell, NodeMustGenerate) \
+    macro(CheckBadCell, NodeMustGenerate) \
     macro(AllocationProfileWatchpoint, NodeMustGenerate) \
     macro(CheckInBounds, NodeMustGenerate) \
@@ -215 +216 @@
     macro(Call, NodeResultJS | NodeMustGenerate | NodeHasVarArgs | NodeClobbersWorld) \
     macro(Construct, NodeResultJS | NodeMustGenerate | NodeHasVarArgs | NodeClobbersWorld) \
+    macro(ProfiledCall, NodeResultJS | NodeMustGenerate | NodeHasVarArgs | NodeClobbersWorld) \
+    macro(ProfiledConstruct, NodeResultJS | NodeMustGenerate | NodeHasVarArgs | NodeClobbersWorld) \
     macro(NativeCall, NodeResultJS | NodeMustGenerate | NodeHasVarArgs | NodeClobbersWorld) \
     macro(NativeConstruct, NodeResultJS | NodeMustGenerate | NodeHasVarArgs | NodeClobbersWorld) \
@@ -287 +290 @@
     macro(ForceOSRExit, NodeMustGenerate) \
     \
+    /* Vends a bottom JS value. It is invalid to ever execute this. Useful for cases */\
+    /* where we know that we would have exited but we'd like to still track the control */\
+    /* flow. */\
+    macro(BottomValue, NodeResultJS) \
+    \
     /* Checks the watchdog timer. If the timer has fired, we OSR exit to the */ \
     /* baseline JIT to redo the watchdog timer check, and service the timer. */ \

trunk/Source/JavaScriptCore/dfg/DFGPhantomCanonicalizationPhase.cpp

@@ -93 +93 @@
                     }
                     
-                    if (node->children.isEmpty())
+                    if (node->children.isEmpty()) {
+                        m_graph.m_allocator.free(node);
                         continue;
+                    }
                     
                     node->convertToCheck();

trunk/Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.cpp

@@ -126 +126 @@
                     
                     if (node->children.isEmpty()) {
+                        m_graph.m_allocator.free(node);
                         changed = true;
                         continue;
@@ -143 +144 @@
                     }
                     if (node->children.isEmpty()) {
+                        m_graph.m_allocator.free(node);
                         changed = true;
                         continue;
@@ -150 +152 @@
                     
                 case HardPhantom: {
-                    if (node->children.isEmpty())
+                    if (node->children.isEmpty()) {
+                        m_graph.m_allocator.free(node);
                         continue;
+                    }
                     break;
                 }

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -189 +189 @@
         case Call:
         case Construct:
+        case ProfiledCall:
+        case ProfiledConstruct:
         case NativeCall:
         case NativeConstruct:
@@ -197 +199 @@
         }
             
-        case GetGetterSetterByOffset: {
+        case GetGetterSetterByOffset:
+        case GetExecutable: {
             changed |= setPrediction(SpecCellOther);
             break;
@@ -643 +646 @@
         case SetArgument:
         case CheckStructure:
-        case CheckExecutable:
-        case CheckFunction:
+        case CheckCell:
+        case CheckBadCell:
         case PutStructure:
         case TearOffActivation:
@@ -666 +669 @@
             break;
             
+        // This gets ignored because it only pretends to produce a value.
+        case BottomValue:
+            break;
+            
         // This gets ignored because it already has a prediction.
         case ExtractOSREntryLocal:

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -160 +160 @@
     case PutByIdDirect:
     case CheckStructure:
-    case CheckExecutable:
+    case GetExecutable:
     case GetButterfly:
     case CheckArray:
@@ -175 +175 @@
     case VariableWatchpoint:
     case VarInjectionWatchpoint:
-    case CheckFunction:
+    case CheckCell:
+    case CheckBadCell:
     case AllocationProfileWatchpoint:
     case RegExpExec:
@@ -188 +189 @@
     case Call:
     case Construct:
+    case ProfiledCall:
+    case ProfiledConstruct:
     case NewObject:
     case NewArray:
@@ -274 +277 @@
         return false; // TODO: add a check for already checked.  https://bugs.webkit.org/show_bug.cgi?id=133769
 
+    case BottomValue:
+        // If in doubt, assume that this isn't safe to execute, just because we have no way of
+        // compiling this node.
+        return false;
+
     case GetByVal:
     case GetIndexedPropertyStorage:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -5355 +5355 @@
         emitSwitchString(node, data);
         return;
+    }
+    case SwitchCell: {
+        DFG_CRASH(m_jit.graph(), node, "Bad switch kind");
+        return;
     } }
     RELEASE_ASSERT_NOT_REACHED();

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -641 +641 @@
 void SpeculativeJIT::emitCall(Node* node)
 {
-    bool isCall = node->op() == Call;
+    bool isCall = node->op() == Call || node->op() == ProfiledCall;
     if (!isCall)
-        ASSERT(node->op() == Construct);
+        ASSERT(node->op() == Construct || node->op() == ProfiledConstruct);
 
     // For constructors, the this argument is not passed but we have to make space
@@ -689 +689 @@
 
     m_jit.emitStoreCodeOrigin(node->origin.semantic);
+    
+    CallLinkInfo* info = m_jit.codeBlock()->addCallLinkInfo();
+
+    if (node->op() == ProfiledCall || node->op() == ProfiledConstruct) {
+        m_jit.vm()->callEdgeLog->emitLogCode(
+            m_jit, info->callEdgeProfile, callee.jsValueRegs());
+    }
     
     slowPath.append(branchNotCell(callee.jsValueRegs()));
@@ -714 +721 @@
         m_jit.move(calleeTagGPR, GPRInfo::regT1);
     }
-    CallLinkInfo* info = m_jit.codeBlock()->addCallLinkInfo();
     m_jit.move(MacroAssembler::TrustedImmPtr(info), GPRInfo::regT2);
     JITCompiler::Call slowCall = m_jit.nearCall();
@@ -3676 +3682 @@
         break;
         
-    case CheckFunction: {
+    case CheckCell: {
+        SpeculateCellOperand cell(this, node->child1());
+        speculationCheck(BadCell, JSValueSource::unboxedCell(cell.gpr()), node->child1(), m_jit.branchWeakPtr(JITCompiler::NotEqual, cell.gpr(), node->cellOperand()->value().asCell()));
+        noResult(node);
+        break;
+    }
+
+    case GetExecutable: {
         SpeculateCellOperand function(this, node->child1());
-        speculationCheck(BadFunction, JSValueSource::unboxedCell(function.gpr()), node->child1(), m_jit.branchWeakPtr(JITCompiler::NotEqual, function.gpr(), node->function()->value().asCell()));
-        noResult(node);
-        break;
-    }
-
-    case CheckExecutable: {
-        SpeculateCellOperand function(this, node->child1());
-        speculateCellType(node->child1(), function.gpr(), SpecFunction, JSFunctionType);
-        speculationCheck(BadExecutable, JSValueSource::unboxedCell(function.gpr()), node->child1(), m_jit.branchWeakPtr(JITCompiler::NotEqual, JITCompiler::Address(function.gpr(), JSFunction::offsetOfExecutable()), node->executable()));
-        noResult(node);
+        GPRTemporary result(this, Reuse, function);
+        GPRReg functionGPR = function.gpr();
+        GPRReg resultGPR = result.gpr();
+        speculateCellType(node->child1(), functionGPR, SpecFunction, JSFunctionType);
+        m_jit.loadPtr(JITCompiler::Address(functionGPR, JSFunction::offsetOfExecutable()), resultGPR);
+        cellResult(resultGPR, node);
         break;
     }
@@ -4157 +4166 @@
     case Call:
     case Construct:
+    case ProfiledCall:
+    case ProfiledConstruct:
         emitCall(node);
         break;
@@ -4893 +4904 @@
     case NativeCall:
     case NativeConstruct:
+    case CheckBadCell:
+    case BottomValue:
         RELEASE_ASSERT_NOT_REACHED();
         break;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -627 +627 @@
 void SpeculativeJIT::emitCall(Node* node)
 {
-
-    bool isCall = node->op() == Call;
+    bool isCall = node->op() == Call || node->op() == ProfiledCall;
     if (!isCall)
-        DFG_ASSERT(m_jit.graph(), node, node->op() == Construct);
+        DFG_ASSERT(m_jit.graph(), node, node->op() == Construct || node->op() == ProfiledConstruct);
     
     // For constructors, the this argument is not passed but we have to make space
@@ -671 +670 @@
     m_jit.emitStoreCodeOrigin(node->origin.semantic);
     
+    CallLinkInfo* callLinkInfo = m_jit.codeBlock()->addCallLinkInfo();
+    
+    if (node->op() == ProfiledCall || node->op() == ProfiledConstruct) {
+        m_jit.vm()->callEdgeLog->emitLogCode(
+            m_jit, callLinkInfo->callEdgeProfile, JSValueRegs(calleeGPR));
+    }
+
     slowPath = m_jit.branchPtrWithPatch(MacroAssembler::NotEqual, calleeGPR, targetToCheck, MacroAssembler::TrustedImmPtr(0));
 
@@ -683 +689 @@
     
     m_jit.move(calleeGPR, GPRInfo::regT0); // Callee needs to be in regT0
-    CallLinkInfo* callLinkInfo = m_jit.codeBlock()->addCallLinkInfo();
     m_jit.move(MacroAssembler::TrustedImmPtr(callLinkInfo), GPRInfo::regT2); // Link info needs to be in regT2
     JITCompiler::Call slowCall = m_jit.nearCall();
@@ -3769 +3774 @@
         break;
         
-    case CheckFunction: {
+    case CheckCell: {
+        SpeculateCellOperand cell(this, node->child1());
+        speculationCheck(BadCell, JSValueSource::unboxedCell(cell.gpr()), node->child1(), m_jit.branchWeakPtr(JITCompiler::NotEqual, cell.gpr(), node->cellOperand()->value().asCell()));
+        noResult(node);
+        break;
+    }
+        
+    case GetExecutable: {
         SpeculateCellOperand function(this, node->child1());
-        speculationCheck(BadFunction, JSValueSource::unboxedCell(function.gpr()), node->child1(), m_jit.branchWeakPtr(JITCompiler::NotEqual, function.gpr(), node->function()->value().asCell()));
-        noResult(node);
-        break;
-    }
-        
-    case CheckExecutable: {
-        SpeculateCellOperand function(this, node->child1());
-        speculateCellType(node->child1(), function.gpr(), SpecFunction, JSFunctionType);
-        speculationCheck(BadExecutable, JSValueSource::unboxedCell(function.gpr()), node->child1(), m_jit.branchWeakPtr(JITCompiler::NotEqual, JITCompiler::Address(function.gpr(), JSFunction::offsetOfExecutable()), node->executable()));
-        noResult(node);
+        GPRTemporary result(this, Reuse, function);
+        GPRReg functionGPR = function.gpr();
+        GPRReg resultGPR = result.gpr();
+        speculateCellType(node->child1(), functionGPR, SpecFunction, JSFunctionType);
+        m_jit.loadPtr(JITCompiler::Address(functionGPR, JSFunction::offsetOfExecutable()), resultGPR);
+        cellResult(resultGPR, node);
         break;
     }
@@ -4220 +4228 @@
     case Call:
     case Construct:
+    case ProfiledCall:
+    case ProfiledConstruct:
         emitCall(node);
         break;
-
+        
     case CreateActivation: {
         DFG_ASSERT(m_jit.graph(), node, !node->origin.semantic.inlineCallFrame);
@@ -4971 +4981 @@
     case MultiPutByOffset:
     case FiatInt52:
-        DFG_CRASH(m_jit.graph(), node, "Unexpected FTL node");
+    case CheckBadCell:
+    case BottomValue:
+        DFG_CRASH(m_jit.graph(), node, "Unexpected node");
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGStructureRegistrationPhase.cpp

@@ -63 +63 @@
             
                 switch (node->op()) {
-                case CheckExecutable:
-                    registerStructure(node->executable()->structure());
-                    break;
-                
                 case CheckStructure:
                     registerStructures(node->structureSet());

trunk/Source/JavaScriptCore/dfg/DFGTierUpCheckInjectionPhase.cpp

@@ -51 +51 @@
             return false;
         
-        if (m_graph.m_profiledBlock->m_didFailFTLCompilation)
+        if (m_graph.m_profiledBlock->m_didFailFTLCompilation) {
+            removeFTLProfiling();
             return false;
+        }
         
 #if ENABLE(FTL_JIT)
         FTL::CapabilityLevel level = FTL::canCompile(m_graph);
-        if (level == FTL::CannotCompile)
+        if (level == FTL::CannotCompile) {
+            removeFTLProfiling();
             return false;
+        }
         
         if (!Options::enableOSREntryToFTL())
@@ -119 +123 @@
 #endif // ENABLE(FTL_JIT)
     }
+
+private:
+    void removeFTLProfiling()
+    {
+        for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
+            BasicBlock* block = m_graph.block(blockIndex);
+            if (!block)
+                continue;
+            
+            for (unsigned nodeIndex = 0; nodeIndex < block->size(); ++nodeIndex) {
+                Node* node = block->at(nodeIndex);
+                switch (node->op()) {
+                case ProfiledCall:
+                    node->setOp(Call);
+                    break;
+                    
+                case ProfiledConstruct:
+                    node->setOp(Construct);
+                    break;
+                    
+                default:
+                    break;
+                }
+            }
+        }
+    }
 };
 

trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp

@@ -201 +201 @@
                 VALIDATE((node), !mayExit(m_graph, node) || node->origin.forExit.isSet());
                 VALIDATE((node), !node->hasStructure() || !!node->structure());
-                VALIDATE((node), !node->hasFunction() || node->function()->value().isFunction());
+                VALIDATE((node), !node->hasCellOperand() || node->cellOperand()->value().isCell());
+                VALIDATE((node), !node->hasCellOperand() || !!node->cellOperand()->value());
                  
                 if (!(node->flags() & NodeHasVarArgs)) {

trunk/Source/JavaScriptCore/dfg/DFGWatchpointCollectionPhase.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -115 +115 @@
             
         case AllocationProfileWatchpoint:
-            addLazily(jsCast<JSFunction*>(m_node->function()->value())->allocationProfileWatchpointSet());
+            addLazily(jsCast<JSFunction*>(m_node->cellOperand()->value())->allocationProfileWatchpointSet());
             break;
             

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -105 +105 @@
     case InvalidationPoint:
     case StringCharAt:
-    case CheckFunction:
+    case CheckCell:
+    case CheckBadCell:
     case StringCharCodeAt:
     case AllocatePropertyStorage:
@@ -127 +128 @@
     case Check:
     case CountExecution:
-    case CheckExecutable:
+    case GetExecutable:
     case GetScope:
     case AllocationProfileWatchpoint:
@@ -167 +168 @@
     case GetEnumeratorPname:
     case ToIndexString:
+    case BottomValue:
         // These are OK.
+        break;
+    case ProfiledCall:
+    case ProfiledConstruct:
+        // These are OK not because the FTL can support them, but because if the DFG sees one of
+        // these then the FTL will see a normal Call/Construct.
         break;
     case Identity:
@@ -327 +334 @@
         case SwitchImm:
         case SwitchChar:
+        case SwitchCell:
             break;
         default:

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp

@@ -68 +68 @@
     CodeBlock* codeBlock, BlockIndex blockIndex, unsigned nodeIndex)
 {
-    
     dataLog("Crashing in thought-to-be-unreachable FTL-generated code for ", pointerDump(codeBlock), " at basic block #", blockIndex);
     if (nodeIndex != UINT_MAX)
@@ -154 +153 @@
             BasicBlock* block = depthFirst[blockIndex];
             for (unsigned nodeIndex = block->size(); nodeIndex--; ) {
-                Node* m_node = block->at(nodeIndex);
-                if (m_node->hasKnownFunction()) {
+                Node* node = block->at(nodeIndex);
+                switch (node->op()) {
+                case NativeCall:
+                case NativeConstruct: {
                     int numArgs = m_node->numChildren();
                     if (numArgs > maxNumberOfArguments)
                         maxNumberOfArguments = numArgs;
+                    break;
+                }
+                default:
+                    break;
                 }
             }
@@ -469 +474 @@
             compileCheckStructure();
             break;
-        case CheckFunction:
-            compileCheckFunction();
-            break;
-        case CheckExecutable:
-            compileCheckExecutable();
+        case CheckCell:
+            compileCheckCell();
+            break;
+        case CheckBadCell:
+            compileCheckBadCell();
+            break;
+        case GetExecutable:
+            compileGetExecutable();
             break;
         case ArrayifyToStructure:
@@ -1744 +1752 @@
     }
     
-    void compileCheckFunction()
+    void compileCheckCell()
     {
         LValue cell = lowCell(m_node->child1());
         
         speculate(
-            BadFunction, jsValueValue(cell), m_node->child1().node(),
-            m_out.notEqual(cell, weakPointer(m_node->function()->value().asCell())));
-    }
-    
-    void compileCheckExecutable()
+            BadCell, jsValueValue(cell), m_node->child1().node(),
+            m_out.notEqual(cell, weakPointer(m_node->cellOperand()->value().asCell())));
+    }
+    
+    void compileCheckBadCell()
+    {
+        terminate(BadCell);
+    }
+    
+    void compileGetExecutable()
     {
         LValue cell = lowCell(m_node->child1());
-        
         speculateFunction(m_node->child1(), cell);
-        
-        speculate(
-            BadExecutable, jsValueValue(cell), m_node->child1().node(),
-            m_out.notEqual(
-                m_out.loadPtr(cell, m_heaps.JSFunction_executable),
-                weakPointer(m_node->executable())));
+        setJSValue(m_out.loadPtr(cell, m_heaps.JSFunction_executable));
     }
     
@@ -3674 +3681 @@
         int numArgs = numPassedArgs + dummyThisArgument;
 
-        ASSERT(m_node->hasKnownFunction());
-
-        JSFunction* knownFunction = m_node->knownFunction();
+        JSFunction* knownFunction = jsCast<JSFunction*>(m_node->cellOperand()->value().asCell());
         NativeFunction function = knownFunction->nativeFunction();
 
@@ -3919 +3924 @@
         }
         
-        case SwitchString:
+        case SwitchString: {
             DFG_CRASH(m_graph, m_node, "Unimplemented");
-            break;
-        }
+            return;
+        }
+            
+        case SwitchCell: {
+            LValue cell;
+            switch (m_node->child1().useKind()) {
+            case CellUse: {
+                cell = lowCell(m_node->child1());
+                break;
+            }
+                
+            case UntypedUse: {
+                LValue value = lowJSValue(m_node->child1());
+                LBasicBlock cellCase = FTL_NEW_BLOCK(m_out, ("Switch/SwitchCell cell case"));
+                m_out.branch(
+                    isCell(value), unsure(cellCase), unsure(lowBlock(data->fallThrough.block)));
+                m_out.appendTo(cellCase);
+                cell = value;
+                break;
+            }
+                
+            default:
+                DFG_CRASH(m_graph, m_node, "Bad use kind");
+                return;
+            }
+            
+            buildSwitch(m_node->switchData(), m_out.intPtr, cell);
+            return;
+        } }
         
         DFG_CRASH(m_graph, m_node, "Bad switch kind");
@@ -5187 +5219 @@
         for (unsigned i = 0; i < data->cases.size(); ++i) {
             cases.append(SwitchCase(
-                constInt(type, data->cases[i].value.switchLookupValue()),
+                constInt(type, data->cases[i].value.switchLookupValue(data->kind)),
                 lowBlock(data->cases[i].target.block), Weight(data->cases[i].target.count)));
         }

trunk/Source/JavaScriptCore/heap/Heap.cpp

@@ -985 +985 @@
     }
     
+    if (vm()->callEdgeLog) {
+        DeferGCForAWhile awhile(*this);
+        vm()->callEdgeLog->processLog();
+    }
+    
     RELEASE_ASSERT(!m_deferralDepth);
     ASSERT(vm()->currentThreadIsHoldingAPILock());

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -89 +89 @@
     }
     
+    void storeValue(JSValueRegs regs, void* address)
+    {
+#if USE(JSVALUE64)
+        store64(regs.gpr(), address);
+#else
+        store32(regs.payloadGPR(), bitwise_cast<void*>(bitwise_cast<uintptr_t>(address) + PayloadOffset));
+        store32(regs.tagGPR(), bitwise_cast<void*>(bitwise_cast<uintptr_t>(address) + TagOffset));
+#endif
+    }
+    
+    void loadValue(Address address, JSValueRegs regs)
+    {
+#if USE(JSVALUE64)
+        load64(address, regs.gpr());
+#else
+        if (address.base == regs.payloadGPR()) {
+            load32(address.withOffset(TagOffset), regs.tagGPR());
+            load32(address.withOffset(PayloadOffset), regs.payloadGPR());
+        } else {
+            load32(address.withOffset(PayloadOffset), regs.payloadGPR());
+            load32(address.withOffset(TagOffset), regs.tagGPR());
+        }
+#endif
+    }
+    
     void moveTrustedValue(JSValue value, JSValueRegs regs)
     {

trunk/Source/JavaScriptCore/jit/CCallHelpers.h

@@ -1667 +1667 @@
     }
 #endif
+    
+    void setupArguments(JSValueRegs arg1)
+    {
+#if USE(JSVALUE64)
+        setupArguments(arg1.gpr());
+#else
+        setupArguments(arg1.payloadGPR(), arg1.tagGPR());
+#endif
+    }
 
     void setupResults(GPRReg destA, GPRReg destB)

trunk/Source/JavaScriptCore/jit/GPRInfo.h

@@ -61 +61 @@
     GPRReg payloadGPR() const { return m_gpr; }
     
+    bool uses(GPRReg gpr) const { return m_gpr == gpr; }
+    
 private:
     GPRReg m_gpr;
@@ -170 +172 @@
     }
 
+    bool uses(GPRReg gpr) const { return m_tagGPR == gpr || m_payloadGPR == gpr; }
+    
 private:
     int8_t m_tagGPR;

trunk/Source/JavaScriptCore/jit/JITCall.cpp

@@ -213 +213 @@
 
     store64(regT0, Address(stackPointerRegister, JSStack::Callee * static_cast<int>(sizeof(Register)) - sizeof(CallerFrameAndPC)));
+    
+    CallLinkInfo* info = m_codeBlock->addCallLinkInfo();
+
+    if (CallEdgeLog::isEnabled() && shouldEmitProfiling()
+        && Options::baselineDoesCallEdgeProfiling())
+        m_vm->ensureCallEdgeLog().emitLogCode(*this, info->callEdgeProfile, JSValueRegs(regT0));
 
     if (opcodeID == op_call_eval) {
@@ -224 +230 @@
 
     ASSERT(m_callCompilationInfo.size() == callLinkInfoIndex);
-    CallLinkInfo* info = m_codeBlock->addCallLinkInfo();
     info->callType = CallLinkInfo::callTypeFor(opcodeID);
     info->codeOrigin = CodeOrigin(m_bytecodeOffset);

trunk/Source/JavaScriptCore/jit/JITCall32_64.cpp

@@ -301 +301 @@
     store32(regT1, Address(stackPointerRegister, JSStack::Callee * static_cast<int>(sizeof(Register)) + TagOffset - sizeof(CallerFrameAndPC)));
 
+    CallLinkInfo* info = m_codeBlock->addCallLinkInfo();
+
+    if (CallEdgeLog::isEnabled() && shouldEmitProfiling()
+        && Options::baselineDoesCallEdgeProfiling()) {
+        m_vm->ensureCallEdgeLog().emitLogCode(
+            *this, info->callEdgeProfile, JSValueRegs(regT1, regT0));
+    }
+
     if (opcodeID == op_call_eval) {
         compileCallEval(instruction);
@@ -314 +322 @@
 
     ASSERT(m_callCompilationInfo.size() == callLinkInfoIndex);
-    CallLinkInfo* info = m_codeBlock->addCallLinkInfo();
     info->callType = CallLinkInfo::callTypeFor(opcodeID);
     info->codeOrigin = CodeOrigin(m_bytecodeOffset);

trunk/Source/JavaScriptCore/runtime/Options.h

@@ -168 +168 @@
     v(bool, enablePolyvariantDevirtualization, true) \
     v(bool, enablePolymorphicAccessInlining, true) \
+    v(bool, enablePolymorphicCallInlining, true) \
+    v(bool, callStatusShouldUseCallEdgeProfile, true) \
+    v(bool, callEdgeProfileReallyProcessesLog, true) \
+    v(bool, baselineDoesCallEdgeProfiling, false) \
+    v(bool, dfgDoesCallEdgeProfiling, true) \
+    v(bool, enableCallEdgeProfiling, true) \
+    v(unsigned, frequentCallThreshold, 2) \
     v(bool, optimizeNativeCalls, false) \
     \

trunk/Source/JavaScriptCore/runtime/VM.cpp

@@ -374 +374 @@
 }
 
+CallEdgeLog& VM::ensureCallEdgeLog()
+{
+    if (!callEdgeLog)
+        callEdgeLog = std::make_unique<CallEdgeLog>();
+    return *callEdgeLog;
+}
+
 #if ENABLE(JIT)
 static ThunkGenerator thunkGeneratorForIntrinsic(Intrinsic intrinsic)

trunk/Source/JavaScriptCore/runtime/VM.h

@@ -73 +73 @@
     class ArityCheckFailReturnThunks;
     class BuiltinExecutables;
+    class CallEdgeLog;
     class CodeBlock;
     class CodeCache;
@@ -234 +235 @@
         OwnPtr<DFG::LongLivedState> dfgState;
 #endif // ENABLE(DFG_JIT)
+        
+        std::unique_ptr<CallEdgeLog> callEdgeLog;
+        CallEdgeLog& ensureCallEdgeLog();
 
         VMType vmType;