Changeset 36016 in webkit for trunk/JavaScriptCore/VM/Machine.cpp

Timestamp:

Sep 1, 2008, 2:22:54 PM (17 years ago)

Author:

[email protected]

Message:

JavaScriptCore:

2008-09-01 Geoffrey Garen <​[email protected]>

Reviewed by Darin Adler.

First cut at inline caching for access to vanilla JavaScript properties.

SunSpider says 4% faster. Tests heavy on dictionary-like access have
regressed a bit -- we have a lot of room to improve in this area,
but this patch is over-ripe as-is.

JSCells now have a StructureID that uniquely identifies their layout,
and holds their prototype.

JSValue::put takes a PropertySlot& argument, so it can fill in details
about where it put a value, for the sake of caching.

• VM/CodeGenerator.cpp: (KJS::CodeGenerator::CodeGenerator): Avoid calling removeDirect if we can, since it disables inline caching in the global object. This can probably improve in the future.

• kjs/JSGlobalObject.cpp: Nixed reset(), since it complicates caching, and wasn't really necessary.

• kjs/JSObject.cpp: Tweaked getter / setter behavior not to rely on the IsGetterSetter flag, since the flag was buggy. This is necessary in order to avoid accidentally accessing a getter / setter as a normal property.

Also changed getter / setter creation to honor ReadOnly, matching Mozilla.

• kjs/PropertyMap.cpp: Nixed clear(), since it complicates caching and isn't necessary.

• kjs/Shell.cpp: Moved SamplingTool dumping outside the loop. This allows you to aggregate sampling of multiple files (or the same file repeatedly), which helped me track down regressions.

• kjs/ustring.h: Moved IdentifierRepHash here to share it.

WebCore:

2008-09-01 Geoffrey Garen <​[email protected]>

Reviewed by Darin Adler.

First cut at inline caching for access to vanilla JavaScript properties.

Updated for JavaScriptCore changes. Mostly mechanical addition of StructureIDs
to WebCore classes, and PutPropertySlot& arguments to put functions.

(WebCore::JSCSSStyleDeclaration::customPut): Be sure to play nice with
inline caching for global properties, so global assignment can be optimized.

• ForwardingHeaders/kjs/StructureID.h: Added.
• bindings/js/JSDOMBinding.h: (WebCore::DOMObject::DOMObject):
• bindings/js/JSDOMWindowBase.cpp: (WebCore::JSDOMWindowBase::put):
• bindings/js/JSDOMWindowBase.h:
• bindings/js/JSDOMWindowCustom.h: (WebCore::JSDOMWindow::customPut):
• bindings/js/JSDOMWindowShell.cpp: (WebCore::JSDOMWindowShell::JSDOMWindowShell): (WebCore::JSDOMWindowShell::put):
• bindings/js/JSDOMWindowShell.h:
• bindings/js/JSEventTargetBase.h: (WebCore::JSEventTargetBase::put):
• bindings/js/JSEventTargetNode.h: (WebCore::JSEventTargetNode::put):
• bindings/js/JSHTMLAppletElementCustom.cpp: (WebCore::JSHTMLAppletElement::customPut):
• bindings/js/JSHTMLEmbedElementCustom.cpp: (WebCore::JSHTMLEmbedElement::customPut):
• bindings/js/JSHTMLInputElementBase.cpp: (WebCore::JSHTMLInputElementBase::put):
• bindings/js/JSHTMLInputElementBase.h:
• bindings/js/JSHTMLObjectElementCustom.cpp: (WebCore::JSHTMLObjectElement::customPut):
• bindings/js/JSHistoryCustom.cpp: (WebCore::JSHistory::customPut):
• bindings/js/JSInspectedObjectWrapper.cpp: (WebCore::JSInspectedObjectWrapper::wrap): (WebCore::JSInspectedObjectWrapper::JSInspectedObjectWrapper):
• bindings/js/JSInspectedObjectWrapper.h:
• bindings/js/JSInspectorCallbackWrapper.cpp: (WebCore::JSInspectorCallbackWrapper::wrap): (WebCore::JSInspectorCallbackWrapper::JSInspectorCallbackWrapper):
• bindings/js/JSInspectorCallbackWrapper.h:
• bindings/js/JSLocationCustom.cpp: (WebCore::JSLocation::customPut):
• bindings/js/JSPluginElementFunctions.cpp: (WebCore::runtimeObjectCustomPut):
• bindings/js/JSPluginElementFunctions.h:
• bindings/js/JSQuarantinedObjectWrapper.cpp: (WebCore::JSQuarantinedObjectWrapper::JSQuarantinedObjectWrapper): (WebCore::JSQuarantinedObjectWrapper::put):
• bindings/js/JSQuarantinedObjectWrapper.h:
• bindings/js/JSStorageCustom.cpp: (WebCore::JSStorage::customPut):
• bindings/objc/WebScriptObject.mm: (-[WebScriptObject setValue:forKey:]):
• bindings/scripts/CodeGeneratorJS.pm:
• bridge/NP_jsobject.cpp: (_NPN_SetProperty):
• bridge/jni/jni_jsobject.mm: (JavaJSObject::setMember):
• bridge/objc/objc_class.mm: (KJS::Bindings::ObjcClass::fallbackObject):
• bridge/objc/objc_runtime.h:
• bridge/objc/objc_runtime.mm: (ObjcFallbackObjectImp::ObjcFallbackObjectImp): (ObjcFallbackObjectImp::put):
• bridge/runtime.cpp: (KJS::Bindings::Instance::createRuntimeObject):
• bridge/runtime_array.cpp: (RuntimeArray::put):
• bridge/runtime_array.h:
• bridge/runtime_object.cpp: (RuntimeObjectImp::RuntimeObjectImp): (RuntimeObjectImp::put):
• bridge/runtime_object.h:

LayoutTests:

2008-09-01 Geoffrey Garen <​[email protected]>

Reviewed by Darin Adler.

First cut at inline caching for access to vanilla JavaScript properties.

Tests for things I broke along the way.

• fast/dom/getter-on-window-object2-expected.txt:
• fast/js/pic: Added.
• fast/js/pic/cached-deleted-properties-expected.txt: Added.
• fast/js/pic/cached-deleted-properties.html: Added.
• fast/js/pic/cached-getter-dictionary-and-proto-expected.txt: Added.
• fast/js/pic/cached-getter-dictionary-and-proto.html: Added.
• fast/js/pic/cached-getter-setter-expected.txt: Added.
• fast/js/pic/cached-getter-setter.html: Added.
• fast/js/pic/cached-prototype-setter-expected.txt: Added.
• fast/js/pic/cached-prototype-setter.html: Added.
• fast/js/pic/cached-single-entry-transition-expected.txt: Added.
• fast/js/pic/cached-single-entry-transition.html: Added.
• fast/js/pic/get-empty-string-expected.txt: Added.
• fast/js/pic/get-empty-string.html: Added.
• fast/js/pic/get-set-proxy-object-expected.txt: Added.
• fast/js/pic/get-set-proxy-object.html: Added.
• fast/js/pic/rehash-poisons-structure-expected.txt: Added.
• fast/js/pic/rehash-poisons-structure.html: Added.

File:

• trunk/JavaScriptCore/VM/Machine.cpp (modified) (10 diffs)

trunk/JavaScriptCore/VM/Machine.cpp

@@ -475 +475 @@
 {
     if (newCodeBlock->needsFullScopeChain) {
-        JSActivation* activation = new (exec) JSActivation(functionBodyNode, r);
+        JSActivation* activation = new (exec) JSActivation(exec, functionBodyNode, r);
         r[RegisterFile::OptionalCalleeActivation - RegisterFile::CallFrameHeaderSize - newCodeBlock->numLocals] = activation;
 
@@ -540 +540 @@
     void* storage = fastMalloc(sizeof(CollectorBlock));
 
-    JSArray* jsArray = new (storage) JSArray(jsNull(), 0);
+    JSArray* jsArray = new (storage) JSArray(JSArray::DummyConstruct);
     m_jsArrayVptr = jsArray->vptr();
     static_cast<JSCell*>(jsArray)->~JSCell();
@@ -626 +626 @@
 #endif
 
-#if !defined(NDEBUG) || HAVE(SAMPLING_TOOL)
+#if !defined(NDEBUG) || ENABLE(SAMPLING_TOOL)
 
 bool Machine::isOpcode(Opcode opcode)
@@ -889 +889 @@
     for (Node::VarStack::const_iterator it = varStack.begin(); it != varStackEnd; ++it) {
         const Identifier& ident = (*it).first;
-        if (!variableObject->hasProperty(exec, ident))
-            variableObject->put(exec, ident, jsUndefined());
+        if (!variableObject->hasProperty(exec, ident)) {
+            PutPropertySlot slot;
+            variableObject->put(exec, ident, jsUndefined(), slot);
+        }
     }
 
     const Node::FunctionStack& functionStack = codeBlock->ownerNode->functionStack();
     Node::FunctionStack::const_iterator functionStackEnd = functionStack.end();
-    for (Node::FunctionStack::const_iterator it = functionStack.begin(); it != functionStackEnd; ++it)
-        variableObject->put(exec, (*it)->m_ident, (*it)->makeFunction(exec, scopeChain));
+    for (Node::FunctionStack::const_iterator it = functionStack.begin(); it != functionStackEnd; ++it) {
+        PutPropertySlot slot;
+        variableObject->put(exec, (*it)->m_ident, (*it)->makeFunction(exec, scopeChain), slot);
+    }
 
     size_t oldSize = m_registerFile.size();
@@ -1086 +1090 @@
     Identifier& property = codeBlock->identifiers[(++vPC)->u.operand];
     JSValue* value = r[(++vPC)->u.operand].jsValue(exec);
-    JSObject* scope = new (exec) JSStaticScopeObject(property, value, DontDelete);
+    JSObject* scope = new (exec) JSStaticScopeObject(exec, property, value, DontDelete);
     r[dst] = scope;
     return scopeChain->push(scope);
+}
+
+StructureIDChain* cachePrototypeChain(StructureID* structureID)
+{
+    RefPtr<StructureIDChain> chain = StructureIDChain::create(static_cast<JSCell*>(structureID->prototype())->structureID());
+    structureID->setCachedPrototypeChain(chain.release());
+    return structureID->cachedPrototypeChain();
+}
+
+NEVER_INLINE void Machine::tryCachePutByID(CodeBlock* codeBlock, Instruction* vPC, JSValue* baseValue, const PutPropertySlot& slot)
+{
+    // Recursive invocation may already have specialized this instruction.
+    if (vPC[0].u.opcode != getOpcode(op_put_by_id))
+        return;
+
+    if (JSImmediate::isImmediate(baseValue))
+        return;
+
+    // Uncacheable: give up.
+    if (!slot.isCacheable()) {
+        vPC[0] = getOpcode(op_put_by_id_generic);
+        return;
+    }
+
+    // FIXME: Cache new property transitions, too.
+    if (slot.type() == PutPropertySlot::NewProperty) {
+        vPC[0] = getOpcode(op_put_by_id_generic);
+        return;
+    }
+    
+    JSCell* baseCell = static_cast<JSCell*>(baseValue);
+    StructureID* structureID = baseCell->structureID();
+
+    // FIXME: Remove this !structureID check once all objects have StructureIDs.
+    if (!structureID) {
+        vPC[0] = getOpcode(op_put_by_id_generic);
+        return;
+    }
+
+    if (structureID->isDictionary()) {
+        vPC[0] = getOpcode(op_put_by_id_generic);
+        return;
+    }
+
+    // Cache miss: record StructureID to compare against next time.
+    StructureID* lastStructureID = vPC[4].u.structureID;
+    if (structureID != lastStructureID) {
+        // First miss: record StructureID to compare against next time.
+        if (!lastStructureID) {
+            vPC[4] = structureID;
+            return;
+        }
+
+        // Second miss: give up.
+        vPC[0] = getOpcode(op_put_by_id_generic);
+        return;
+    }
+
+    // Cache hit: Specialize instruction and ref StructureIDs.
+
+    // If baseCell != slotBase, then baseCell must be a proxy for another object.
+    if (baseCell != slot.slotBase()) {
+        vPC[0] = getOpcode(op_put_by_id_generic);
+        return;
+    }
+    vPC[0] = getOpcode(op_put_by_id_replace);
+    vPC[5] = slot.cachedOffset();
+    codeBlock->refStructureIDs(vPC);
+}
+
+NEVER_INLINE void Machine::uncachePutByID(CodeBlock* codeBlock, Instruction* vPC)
+{
+    codeBlock->derefStructureIDs(vPC);
+    vPC[0] = getOpcode(op_put_by_id);
+    vPC[4] = 0;
+}
+
+NEVER_INLINE void Machine::tryCacheGetByID(CodeBlock* codeBlock, Instruction* vPC, JSValue* baseValue, const PropertySlot& slot)
+{
+    // Recursive invocation may already have specialized this instruction.
+    if (vPC[0].u.opcode != getOpcode(op_get_by_id))
+        return;
+
+    // Uncacheable: give up.
+    if (!slot.isCacheable()) {
+        vPC[0] = getOpcode(op_get_by_id_generic);
+        return;
+    }
+
+    // FIXME: Cache property access for immediates.
+    if (JSImmediate::isImmediate(baseValue)) {
+        vPC[0] = getOpcode(op_get_by_id_generic);
+        return;
+    }
+
+    JSCell* baseCell = static_cast<JSCell*>(baseValue);
+    StructureID* structureID = baseCell->structureID();
+
+    // FIXME: Remove this !structureID check once all JSCells have StructureIDs.
+    if (!structureID) {
+        vPC[0] = getOpcode(op_get_by_id_generic);
+        return;
+    }
+
+    if (structureID->isDictionary()) {
+        vPC[0] = getOpcode(op_get_by_id_generic);
+        return;
+    }
+
+    // Cache miss
+    StructureID* lastStructureID = vPC[4].u.structureID;
+    if (structureID != lastStructureID) {
+        // First miss: record StructureID to compare against next time.
+        if (!lastStructureID) {
+            vPC[4] = structureID;
+            return;
+        }
+
+        // Second miss: give up.
+        vPC[0] = getOpcode(op_get_by_id_generic);
+        return;
+    }
+
+    // Cache hit: Specialize instruction and ref StructureIDs.
+
+    JSValue* slotBase = slot.slotBase();
+    if (slotBase == baseCell) {
+        vPC[0] = getOpcode(op_get_by_id_self);
+        vPC[5] = slot.cachedOffset();
+
+        codeBlock->refStructureIDs(vPC);
+        return;
+    }
+
+    if (slotBase == structureID->prototype()) {
+        ASSERT(!JSImmediate::isImmediate(slotBase));
+
+        vPC[0] = getOpcode(op_get_by_id_proto);
+        vPC[5] = static_cast<JSCell*>(slotBase)->structureID();
+        vPC[6] = slot.cachedOffset();
+
+        codeBlock->refStructureIDs(vPC);
+        return;
+    }
+
+    size_t count = 0;
+    while (baseCell != slotBase) {
+        baseCell = static_cast<JSCell*>(baseCell->structureID()->prototype());
+        // If we didn't find slotBase in baseCell's prototype chain, then baseCell
+        // must be a proxy for another object.
+        if (baseCell == jsNull()) {
+            vPC[0] = getOpcode(op_get_by_id_generic);
+            return;
+        }
+        ++count;
+    }
+
+    StructureIDChain* chain = structureID->cachedPrototypeChain();
+    if (!chain)
+        chain = cachePrototypeChain(structureID);
+
+    vPC[0] = getOpcode(op_get_by_id_chain);
+    vPC[4] = structureID;
+    vPC[5] = chain;
+    vPC[6] = count;
+    vPC[7] = slot.cachedOffset();
+    codeBlock->refStructureIDs(vPC);
+}
+
+NEVER_INLINE void Machine::uncacheGetByID(CodeBlock* codeBlock, Instruction* vPC)
+{
+    codeBlock->derefStructureIDs(vPC);
+    vPC[0] = getOpcode(op_get_by_id);
+    vPC[4] = 0;
 }
 
@@ -1244 +1422 @@
         JSValue* src2 = r[(++vPC)->u.operand].jsValue(exec);
         if (JSImmediate::areBothImmediateNumbers(src1, src2))
-            r[dst] = jsBoolean(reinterpret_cast<intptr_t>(src1) != reinterpret_cast<intptr_t>(src2));
+            r[dst] = jsBoolean(src1 != src2);
         else {
             JSValue* result = jsBoolean(!equal(exec, src1, src2));
@@ -1935 +2113 @@
     }
     BEGIN_OPCODE(op_get_by_id) {
-        /* get_by_id dst(r) base(r) property(id)
-
-           Converts register base to Object, gets the property
-           named by identifier property from the object, and puts the
-           result in register dst.
-        */
-        int dst = (++vPC)->u.operand;
-        int base = (++vPC)->u.operand;
-        int property = (++vPC)->u.operand;
+        /* get_by_id dst(r) base(r) property(id) structureID(sID) nop(n) nop(n) nop(n)
+
+           Generic property access: Gets the property named by identifier
+           property from the value base, and puts the result in register dst.
+        */
+        int dst = vPC[1].u.operand;
+        int base = vPC[2].u.operand;
+        int property = vPC[3].u.operand;
 
         Identifier& ident = codeBlock->identifiers[property];
-        JSValue* result = r[base].jsValue(exec)->get(exec, ident);
+        JSValue* baseValue = r[base].jsValue(exec);
+        PropertySlot slot(baseValue);
+        JSValue* result = baseValue->get(exec, ident, slot);
         VM_CHECK_EXCEPTION();
+
+        tryCacheGetByID(codeBlock, vPC, baseValue, slot);
+
         r[dst] = result;
-        ++vPC;
+        vPC += 8;
+        NEXT_OPCODE;
+    }
+    BEGIN_OPCODE(op_get_by_id_self) {
+        /* op_get_by_id_self dst(r) base(r) property(id) structureID(sID) offset(n) nop(n) nop(n)
+
+           Cached property access: Attempts to get a cached property from the
+           value base. If the cache misses, op_get_by_id_self reverts to
+           op_get_by_id.
+        */
+        int base = vPC[2].u.operand;
+        JSValue* baseValue = r[base].jsValue(exec);
+
+        if (LIKELY(!JSImmediate::isImmediate(baseValue))) {
+            JSCell* baseCell = static_cast<JSCell*>(baseValue);
+            StructureID* structureID = vPC[4].u.structureID;
+
+            if (LIKELY(baseCell->structureID() == structureID)) {
+                ASSERT(baseCell->isObject());
+                JSObject* baseObject = static_cast<JSObject*>(baseCell);
+                int dst = vPC[1].u.operand;
+                int offset = vPC[5].u.operand;
+
+                ASSERT(baseObject->get(exec, codeBlock->identifiers[vPC[3].u.operand]) == baseObject->getDirectOffset(offset));
+                r[dst] = baseObject->getDirectOffset(offset);
+
+                vPC += 8;
+                NEXT_OPCODE;
+            }
+        }
+
+        uncacheGetByID(codeBlock, vPC);
+        NEXT_OPCODE;
+    }
+    BEGIN_OPCODE(op_get_by_id_proto) {
+        /* op_get_by_id_proto dst(r) base(r) property(id) structureID(sID) protoStructureID(sID) offset(n) nop(n)
+
+           Cached property access: Attempts to get a cached property from the
+           value base's prototype. If the cache misses, op_get_by_id_proto
+           reverts to op_get_by_id.
+        */
+        int base = vPC[2].u.operand;
+        JSValue* baseValue = r[base].jsValue(exec);
+
+        if (LIKELY(!JSImmediate::isImmediate(baseValue))) {
+            JSCell* baseCell = static_cast<JSCell*>(baseValue);
+            StructureID* structureID = vPC[4].u.structureID;
+
+            if (LIKELY(baseCell->structureID() == structureID)) {
+                ASSERT(structureID->prototype()->isObject());
+                JSObject* protoObject = static_cast<JSObject*>(structureID->prototype());
+                StructureID* protoStructureID = vPC[5].u.structureID;
+
+                if (LIKELY(protoObject->structureID() == protoStructureID)) {
+                    int dst = vPC[1].u.operand;
+                    int offset = vPC[6].u.operand;
+
+                    ASSERT(protoObject->get(exec, codeBlock->identifiers[vPC[3].u.operand]) == protoObject->getDirectOffset(offset));
+                    r[dst] = protoObject->getDirectOffset(offset);
+
+                    vPC += 8;
+                    NEXT_OPCODE;
+                }
+            }
+        }
+
+        uncacheGetByID(codeBlock, vPC);
+        NEXT_OPCODE;
+    }
+    BEGIN_OPCODE(op_get_by_id_chain) {
+        /* op_get_by_id_chain dst(r) base(r) property(id) structureID(sID) structureIDChain(sIDc) count(n) offset(n)
+
+           Cached property access: Attempts to get a cached property from the
+           value base's prototype chain. If the cache misses, op_get_by_id_proto
+           reverts to op_get_by_id.
+        */
+        int base = vPC[2].u.operand;
+        JSValue* baseValue = r[base].jsValue(exec);
+
+        if (LIKELY(!JSImmediate::isImmediate(baseValue))) {
+            JSCell* baseCell = static_cast<JSCell*>(baseValue);
+            StructureID* structureID = vPC[4].u.structureID;
+
+            if (LIKELY(baseCell->structureID() == structureID)) {
+                RefPtr<StructureID>* it = vPC[5].u.structureIDChain->head();
+                size_t count = vPC[6].u.operand;
+                RefPtr<StructureID>* end = it + count;
+
+                while (1) {
+                    baseCell = static_cast<JSCell*>(baseCell->structureID()->prototype());
+                    if (UNLIKELY(baseCell->structureID() != (*it).get()))
+                        break;
+
+                    if (++it == end) {
+                        ASSERT(baseCell->isObject());
+                        JSObject* baseObject = static_cast<JSObject*>(baseCell);
+                        int dst = vPC[1].u.operand;
+                        int offset = vPC[7].u.operand;
+
+                        ASSERT(baseObject->get(exec, codeBlock->identifiers[vPC[3].u.operand]) == baseObject->getDirectOffset(offset));
+                        r[dst] = baseObject->getDirectOffset(offset);
+
+                        vPC += 8;
+                        NEXT_OPCODE;
+                    }
+                }
+            }
+        }
+
+        uncacheGetByID(codeBlock, vPC);
+        NEXT_OPCODE;
+    }
+    BEGIN_OPCODE(op_get_by_id_generic) {
+        /* op_get_by_id_generic dst(r) base(r) property(id) nop(sID) nop(n) nop(n) nop(n)
+
+           Generic property access: Gets the property named by identifier
+           property from the value base, and puts the result in register dst.
+        */
+        int dst = vPC[1].u.operand;
+        int base = vPC[2].u.operand;
+        int property = vPC[3].u.operand;
+
+        Identifier& ident = codeBlock->identifiers[property];
+        JSValue* baseValue = r[base].jsValue(exec);
+        PropertySlot slot(baseValue);
+        JSValue* result = baseValue->get(exec, ident, slot);
+        VM_CHECK_EXCEPTION();
+
+        r[dst] = result;
+        vPC += 8;
         NEXT_OPCODE;
     }
     BEGIN_OPCODE(op_put_by_id) {
-        /* put_by_id base(r) property(id) value(r)
+        /* put_by_id base(r) property(id) value(r) nop(n) nop(n)
 
            Sets register value on register base as the property named
@@ -1961 +2272 @@
            the register file.
         */
-        int base = (++vPC)->u.operand;
-        int property = (++vPC)->u.operand;
-        int value = (++vPC)->u.operand;
-
+
+        int base = vPC[1].u.operand;
+        int property = vPC[2].u.operand;
+        int value = vPC[3].u.operand;
+
+        JSValue* baseValue = r[base].jsValue(exec);
+
+        PutPropertySlot slot;
         Identifier& ident = codeBlock->identifiers[property];
-        r[base].jsValue(exec)->put(exec, ident, r[value].jsValue(exec));
-
+        baseValue->put(exec, ident, r[value].jsValue(exec), slot);
         VM_CHECK_EXCEPTION();
-        ++vPC;
+
+        tryCachePutByID(codeBlock, vPC, baseValue, slot);
+
+        vPC += 6;
+        NEXT_OPCODE;
+    }
+    BEGIN_OPCODE(op_put_by_id_replace) {
+        /* op_put_by_id_replace base(r) property(id) value(r) structureID(sID) offset(n)
+
+           Sets register value on register base as the property named
+           by identifier property. Base is converted to object first.
+
+           Unlike many opcodes, this one does not write any output to
+           the register file.
+        */
+        int base = vPC[1].u.operand;
+        JSValue* baseValue = r[base].jsValue(exec);
+
+        if (LIKELY(!JSImmediate::isImmediate(baseValue))) {
+            JSCell* baseCell = static_cast<JSCell*>(baseValue);
+            StructureID* structureID = vPC[4].u.structureID;
+
+            if (LIKELY(baseCell->structureID() == structureID)) {
+                ASSERT(baseCell->isObject());
+                JSObject* baseObject = static_cast<JSObject*>(baseCell);
+                int value = vPC[3].u.operand;
+                unsigned offset = vPC[5].u.operand;
+                
+                ASSERT(baseObject->offsetForLocation(baseObject->getDirectLocation(codeBlock->identifiers[vPC[2].u.operand])) == offset);
+                baseObject->putDirectOffset(offset, r[value].jsValue(exec));
+
+                vPC += 6;
+                NEXT_OPCODE;
+            }
+        }
+
+        uncachePutByID(codeBlock, vPC);
+        NEXT_OPCODE;
+    }
+    BEGIN_OPCODE(op_put_by_id_generic) {
+        /* op_put_by_id_generic base(r) property(id) value(r) nop(n) nop(n)
+
+           Sets register value on register base as the property named
+           by identifier property. Base is converted to object first.
+
+           Unlike many opcodes, this one does not write any output to
+           the register file.
+        */
+        int base = vPC[1].u.operand;
+        int property = vPC[2].u.operand;
+        int value = vPC[3].u.operand;
+
+        JSValue* baseValue = r[base].jsValue(exec);
+
+        PutPropertySlot slot;
+        Identifier& ident = codeBlock->identifiers[property];
+        baseValue->put(exec, ident, r[value].jsValue(exec), slot);
+        VM_CHECK_EXCEPTION();
+
+        vPC += 6;
         NEXT_OPCODE;
     }
@@ -2065 +2438 @@
         } else {
             Identifier property(exec, subscript->toString(exec));
-            if (!exec->hadException()) // Don't put to an object if toString threw an exception.
-                baseValue->put(exec, property, r[value].jsValue(exec));
+            if (!exec->hadException()) { // Don't put to an object if toString threw an exception.
+                PutPropertySlot slot;
+                baseValue->put(exec, property, r[value].jsValue(exec), slot);
+            }
         }
 
@@ -2934 +3309 @@
     if (!activation) {
         CodeBlock* codeBlock = &function->m_body->generatedByteCode();
-        activation = new (exec) JSActivation(function->m_body, callFrame + RegisterFile::CallFrameHeaderSize + codeBlock->numLocals);
+        activation = new (exec) JSActivation(exec, function->m_body, callFrame + RegisterFile::CallFrameHeaderSize + codeBlock->numLocals);
         callFrame[RegisterFile::OptionalCalleeActivation] = activation;
     }