Changeset 44076 in webkit for trunk/JavaScriptCore/runtime

Timestamp:

May 22, 2009, 6:48:32 PM (16 years ago)

Author:

[email protected]

Message:

2009-05-21 Gavin Barraclough <​[email protected]>

Reviewed by Geoff Garen.

op_method_check

Optimize method calls, by caching specific function values within the Structure.
The new opcode is used almost like an x86 opcode prefix byte to optimize op_get_by_id,
where the property access is being used to read a function to be passed to op-call (i.e.
'foo.bar();'). This patch modifies the Structure class such that when a property is
put to an object for the first time we will check if the value is a function. If it is,
we will cache the function value on the Structure. A Structure in such a state guarantees
that not only does a property with the given identifier exist on the object, but also that
its value is unchanged. Upon any further attempt to put a property with the same identifier
(but a different value) to the object, it will transition back to a normal Structure (where
it will guarantee the presence but not the value of the property).

op_method_check makes use of the new information made available by the Structure, by
augmenting the functionality of op_get_by_id. Upon generating a FunctionCallDotNode a
check will be emitted prior to the property access reading the function value, and the JIT
will generate an extra (initially unlinked but patchable) set of checks prior to the regular
JIT code for get_by_id. The new code will do inline structure and prototype structure check
(unlike a regular get_by_id, which can only handle 'self' accesses inline), and then performs
an immediate load of the function value, rather than using memory accesses to load the value
from the obejct's property storage array. If the method check fails it will revert, or if
the access is polymorphic, the op_get_by_id will continue to operate - and optimize itself -
just as any other regular op_get_by_id would.

~2.5% on v8-tests, due to a ~9% progression on richards.

• API/JSCallbackObjectFunctions.h: (JSC::::put): (JSC::::staticFunctionGetter):
• API/JSObjectRef.cpp: (JSObjectMakeConstructor):
• JavaScriptCore.exp:
• assembler/AbstractMacroAssembler.h: (JSC::AbstractMacroAssembler::differenceBetween):
• assembler/MacroAssemblerX86.h: (JSC::MacroAssemblerX86::moveWithPatch):
• bytecode/CodeBlock.cpp: (JSC::CodeBlock::dump):
• bytecode/CodeBlock.h: (JSC::getMethodCallLinkInfoReturnLocation): (JSC::CodeBlock::getMethodCallLinkInfo): (JSC::CodeBlock::addMethodCallLinkInfos): (JSC::CodeBlock::methodCallLinkInfo):
• bytecode/Opcode.h:
• bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::emitMethodCheck):
• bytecompiler/BytecodeGenerator.h:
• interpreter/Interpreter.cpp: (JSC::Interpreter::privateExecute):
• jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompileSlowCases): (JSC::JIT::privateCompile):
• jit/JIT.h: (JSC::MethodCallCompilationInfo::MethodCallCompilationInfo):
• jit/JITOpcodes.cpp:
• jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_method_check): (JSC::JIT::emitSlow_op_method_check): (JSC::JIT::emit_op_get_by_id): (JSC::JIT::emitSlow_op_get_by_id): (JSC::JIT::emit_op_put_by_id): (JSC::JIT::emitSlow_op_put_by_id): (JSC::JIT::compileGetByIdHotPath): (JSC::JIT::compileGetByIdSlowCase): (JSC::JIT::patchMethodCallProto):
• jit/JITStubs.cpp: (JSC::JITStubs::cti_op_get_by_id_method_check): (JSC::JITStubs::cti_op_get_by_id_method_check_second):
• jit/JITStubs.h:
• jsc.cpp: (GlobalObject::GlobalObject):
• parser/Nodes.cpp: (JSC::FunctionCallDotNode::emitBytecode):
• runtime/Arguments.cpp: (JSC::Arguments::put):
• runtime/ArrayConstructor.cpp: (JSC::ArrayConstructor::ArrayConstructor):
• runtime/BooleanConstructor.cpp: (JSC::BooleanConstructor::BooleanConstructor):
• runtime/DateConstructor.cpp: (JSC::DateConstructor::DateConstructor):
• runtime/ErrorConstructor.cpp: (JSC::ErrorConstructor::ErrorConstructor): (JSC::constructError):
• runtime/ErrorPrototype.cpp: (JSC::ErrorPrototype::ErrorPrototype):
• runtime/FunctionConstructor.cpp: (JSC::FunctionConstructor::FunctionConstructor):
• runtime/FunctionPrototype.cpp: (JSC::FunctionPrototype::FunctionPrototype):
• runtime/InternalFunction.cpp: (JSC::InternalFunction::InternalFunction):
• runtime/JSActivation.cpp: (JSC::JSActivation::put): (JSC::JSActivation::putWithAttributes):
• runtime/JSByteArray.cpp: (JSC::JSByteArray::JSByteArray):
• runtime/JSFunction.cpp: (JSC::JSFunction::JSFunction): (JSC::JSFunction::getOwnPropertySlot):
• runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::putWithAttributes): (JSC::JSGlobalObject::reset): (JSC::JSGlobalObject::mark):
• runtime/JSGlobalObject.h: (JSC::JSGlobalObject::JSGlobalObjectData::JSGlobalObjectData): (JSC::JSGlobalObject::methodCallDummy):
• runtime/JSObject.cpp: (JSC::JSObject::put): (JSC::JSObject::putWithAttributes): (JSC::JSObject::deleteProperty): (JSC::JSObject::defineGetter): (JSC::JSObject::defineSetter): (JSC::JSObject::getPropertyAttributes): (JSC::JSObject::getPropertySpecificFunction): (JSC::JSObject::putDirectFunction): (JSC::JSObject::putDirectFunctionWithoutTransition):
• runtime/JSObject.h: (JSC::getJSFunction): (JSC::JSObject::getDirectLocation): (JSC::JSObject::putDirect): (JSC::JSObject::putDirectWithoutTransition):
• runtime/LiteralParser.cpp: (JSC::LiteralParser::parseObject):
• runtime/Lookup.cpp: (JSC::setUpStaticFunctionSlot):
• runtime/Lookup.h: (JSC::lookupPut):
• runtime/MathObject.cpp: (JSC::MathObject::MathObject):
• runtime/NativeErrorConstructor.cpp: (JSC::NativeErrorConstructor::NativeErrorConstructor): (JSC::NativeErrorConstructor::construct):
• runtime/NativeErrorPrototype.cpp: (JSC::NativeErrorPrototype::NativeErrorPrototype):
• runtime/NumberConstructor.cpp: (JSC::NumberConstructor::NumberConstructor):
• runtime/ObjectConstructor.cpp: (JSC::ObjectConstructor::ObjectConstructor):
• runtime/PropertyMapHashTable.h: (JSC::PropertyMapEntry::PropertyMapEntry):
• runtime/PrototypeFunction.cpp: (JSC::PrototypeFunction::PrototypeFunction):
• runtime/PutPropertySlot.h: (JSC::PutPropertySlot::): (JSC::PutPropertySlot::PutPropertySlot): (JSC::PutPropertySlot::setNewProperty): (JSC::PutPropertySlot::setDespecifyFunctionProperty): (JSC::PutPropertySlot::isCacheable): (JSC::PutPropertySlot::cachedOffset):
• runtime/RegExpConstructor.cpp: (JSC::RegExpConstructor::RegExpConstructor):
• runtime/StringConstructor.cpp: (JSC::StringConstructor::StringConstructor):
• runtime/StringPrototype.cpp: (JSC::StringPrototype::StringPrototype):
• runtime/Structure.cpp: (JSC::Structure::Structure): (JSC::Structure::~Structure): (JSC::Structure::materializePropertyMap): (JSC::Structure::addPropertyTransitionToExistingStructure): (JSC::Structure::addPropertyTransition): (JSC::Structure::changeFunctionTransition): (JSC::Structure::addPropertyWithoutTransition): (JSC::Structure::get): (JSC::Structure::despecifyFunction): (JSC::Structure::put): (JSC::Structure::remove):
• runtime/Structure.h: (JSC::Structure::get): (JSC::Structure::specificFunction):
• runtime/StructureTransitionTable.h: (JSC::StructureTransitionTableHashTraits::emptyValue):
• wtf/Platform.h:

Location:

trunk/JavaScriptCore/runtime

Files:

• JSActivation.cpp (modified) (2 diffs)
• JSGlobalObject.cpp (modified) (6 diffs)
• JSGlobalObject.h (modified) (3 diffs)
• JSObject.cpp (modified) (10 diffs)
• JSObject.h (modified) (15 diffs)
• Lookup.cpp (modified) (1 diff)
• Lookup.h (modified) (1 diff)
• PropertyMapHashTable.h (modified) (1 diff)
• PutPropertySlot.h (modified) (2 diffs)
• Structure.cpp (modified) (19 diffs)
• Structure.h (modified) (6 diffs)
• StructureTransitionTable.h (modified) (2 diffs)

trunk/JavaScriptCore/runtime/JSActivation.cpp

@@ -119 +119 @@
 
 // FIXME: Make this function honor ReadOnly (const) and DontEnum
-void JSActivation::putWithAttributes(ExecState*, const Identifier& propertyName, JSValue value, unsigned attributes)
+void JSActivation::putWithAttributes(ExecState* exec, const Identifier& propertyName, JSValue value, unsigned attributes)
 {
     ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this));
@@ -131 +131 @@
     ASSERT(!hasGetterSetterProperties());
     PutPropertySlot slot;
-    putDirect(propertyName, value, attributes, true, slot);
+    JSObject::putWithAttributes(exec, propertyName, value, attributes, true, slot);
 }
 

trunk/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -171 +171 @@
         JSValue valueAfter = getDirect(propertyName);
         if (valueAfter)
-            putDirect(propertyName, valueAfter, attributes);
+            JSObject::putWithAttributes(exec, propertyName, valueAfter, attributes);
     }
 }
@@ -240 +240 @@
     d()->regExpStructure = RegExpObject::createStructure(d()->regExpPrototype);
 
+    d()->methodCallDummy = constructEmptyObject(exec);
+
     ErrorPrototype* errorPrototype = new (exec) ErrorPrototype(exec, ErrorPrototype::createStructure(d()->objectPrototype), d()->prototypeFunctionStructure.get());
     d()->errorStructure = ErrorInstance::createStructure(errorPrototype);
@@ -254 +256 @@
     // Constructors
 
-    JSValue objectConstructor = new (exec) ObjectConstructor(exec, ObjectConstructor::createStructure(d()->functionPrototype), d()->objectPrototype);
-    JSValue functionConstructor = new (exec) FunctionConstructor(exec, FunctionConstructor::createStructure(d()->functionPrototype), d()->functionPrototype);
-    JSValue arrayConstructor = new (exec) ArrayConstructor(exec, ArrayConstructor::createStructure(d()->functionPrototype), d()->arrayPrototype);
-    JSValue stringConstructor = new (exec) StringConstructor(exec, StringConstructor::createStructure(d()->functionPrototype), d()->prototypeFunctionStructure.get(), d()->stringPrototype);
-    JSValue booleanConstructor = new (exec) BooleanConstructor(exec, BooleanConstructor::createStructure(d()->functionPrototype), d()->booleanPrototype);
-    JSValue numberConstructor = new (exec) NumberConstructor(exec, NumberConstructor::createStructure(d()->functionPrototype), d()->numberPrototype);
-    JSValue dateConstructor = new (exec) DateConstructor(exec, DateConstructor::createStructure(d()->functionPrototype), d()->prototypeFunctionStructure.get(), d()->datePrototype);
+    JSCell* objectConstructor = new (exec) ObjectConstructor(exec, ObjectConstructor::createStructure(d()->functionPrototype), d()->objectPrototype);
+    JSCell* functionConstructor = new (exec) FunctionConstructor(exec, FunctionConstructor::createStructure(d()->functionPrototype), d()->functionPrototype);
+    JSCell* arrayConstructor = new (exec) ArrayConstructor(exec, ArrayConstructor::createStructure(d()->functionPrototype), d()->arrayPrototype);
+    JSCell* stringConstructor = new (exec) StringConstructor(exec, StringConstructor::createStructure(d()->functionPrototype), d()->prototypeFunctionStructure.get(), d()->stringPrototype);
+    JSCell* booleanConstructor = new (exec) BooleanConstructor(exec, BooleanConstructor::createStructure(d()->functionPrototype), d()->booleanPrototype);
+    JSCell* numberConstructor = new (exec) NumberConstructor(exec, NumberConstructor::createStructure(d()->functionPrototype), d()->numberPrototype);
+    JSCell* dateConstructor = new (exec) DateConstructor(exec, DateConstructor::createStructure(d()->functionPrototype), d()->prototypeFunctionStructure.get(), d()->datePrototype);
 
     d()->regExpConstructor = new (exec) RegExpConstructor(exec, RegExpConstructor::createStructure(d()->functionPrototype), d()->regExpPrototype);
@@ -275 +277 @@
     d()->URIErrorConstructor = new (exec) NativeErrorConstructor(exec, nativeErrorStructure, URIErrorPrototype);
 
-    d()->objectPrototype->putDirectWithoutTransition(exec->propertyNames().constructor, objectConstructor, DontEnum);
-    d()->functionPrototype->putDirectWithoutTransition(exec->propertyNames().constructor, functionConstructor, DontEnum);
-    d()->arrayPrototype->putDirectWithoutTransition(exec->propertyNames().constructor, arrayConstructor, DontEnum);
-    d()->booleanPrototype->putDirectWithoutTransition(exec->propertyNames().constructor, booleanConstructor, DontEnum);
-    d()->stringPrototype->putDirectWithoutTransition(exec->propertyNames().constructor, stringConstructor, DontEnum);
-    d()->numberPrototype->putDirectWithoutTransition(exec->propertyNames().constructor, numberConstructor, DontEnum);
-    d()->datePrototype->putDirectWithoutTransition(exec->propertyNames().constructor, dateConstructor, DontEnum);
-    d()->regExpPrototype->putDirectWithoutTransition(exec->propertyNames().constructor, d()->regExpConstructor, DontEnum);
-    errorPrototype->putDirectWithoutTransition(exec->propertyNames().constructor, d()->errorConstructor, DontEnum);
+    d()->objectPrototype->putDirectFunctionWithoutTransition(exec->propertyNames().constructor, objectConstructor, DontEnum);
+    d()->functionPrototype->putDirectFunctionWithoutTransition(exec->propertyNames().constructor, functionConstructor, DontEnum);
+    d()->arrayPrototype->putDirectFunctionWithoutTransition(exec->propertyNames().constructor, arrayConstructor, DontEnum);
+    d()->booleanPrototype->putDirectFunctionWithoutTransition(exec->propertyNames().constructor, booleanConstructor, DontEnum);
+    d()->stringPrototype->putDirectFunctionWithoutTransition(exec->propertyNames().constructor, stringConstructor, DontEnum);
+    d()->numberPrototype->putDirectFunctionWithoutTransition(exec->propertyNames().constructor, numberConstructor, DontEnum);
+    d()->datePrototype->putDirectFunctionWithoutTransition(exec->propertyNames().constructor, dateConstructor, DontEnum);
+    d()->regExpPrototype->putDirectFunctionWithoutTransition(exec->propertyNames().constructor, d()->regExpConstructor, DontEnum);
+    errorPrototype->putDirectFunctionWithoutTransition(exec->propertyNames().constructor, d()->errorConstructor, DontEnum);
 
     evalErrorPrototype->putDirect(exec->propertyNames().constructor, d()->evalErrorConstructor, DontEnum);
@@ -296 +298 @@
     // FIXME: These properties could be handled by a static hash table.
 
-    putDirectWithoutTransition(Identifier(exec, "Object"), objectConstructor, DontEnum);
-    putDirectWithoutTransition(Identifier(exec, "Function"), functionConstructor, DontEnum);
-    putDirectWithoutTransition(Identifier(exec, "Array"), arrayConstructor, DontEnum);
-    putDirectWithoutTransition(Identifier(exec, "Boolean"), booleanConstructor, DontEnum);
-    putDirectWithoutTransition(Identifier(exec, "String"), stringConstructor, DontEnum);
-    putDirectWithoutTransition(Identifier(exec, "Number"), numberConstructor, DontEnum);
-    putDirectWithoutTransition(Identifier(exec, "Date"), dateConstructor, DontEnum);
-    putDirectWithoutTransition(Identifier(exec, "RegExp"), d()->regExpConstructor, DontEnum);
-    putDirectWithoutTransition(Identifier(exec, "Error"), d()->errorConstructor, DontEnum);
-    putDirectWithoutTransition(Identifier(exec, "EvalError"), d()->evalErrorConstructor);
-    putDirectWithoutTransition(Identifier(exec, "RangeError"), d()->rangeErrorConstructor);
-    putDirectWithoutTransition(Identifier(exec, "ReferenceError"), d()->referenceErrorConstructor);
-    putDirectWithoutTransition(Identifier(exec, "SyntaxError"), d()->syntaxErrorConstructor);
-    putDirectWithoutTransition(Identifier(exec, "TypeError"), d()->typeErrorConstructor);
-    putDirectWithoutTransition(Identifier(exec, "URIError"), d()->URIErrorConstructor);
+    putDirectFunctionWithoutTransition(Identifier(exec, "Object"), objectConstructor, DontEnum);
+    putDirectFunctionWithoutTransition(Identifier(exec, "Function"), functionConstructor, DontEnum);
+    putDirectFunctionWithoutTransition(Identifier(exec, "Array"), arrayConstructor, DontEnum);
+    putDirectFunctionWithoutTransition(Identifier(exec, "Boolean"), booleanConstructor, DontEnum);
+    putDirectFunctionWithoutTransition(Identifier(exec, "String"), stringConstructor, DontEnum);
+    putDirectFunctionWithoutTransition(Identifier(exec, "Number"), numberConstructor, DontEnum);
+    putDirectFunctionWithoutTransition(Identifier(exec, "Date"), dateConstructor, DontEnum);
+    putDirectFunctionWithoutTransition(Identifier(exec, "RegExp"), d()->regExpConstructor, DontEnum);
+    putDirectFunctionWithoutTransition(Identifier(exec, "Error"), d()->errorConstructor, DontEnum);
+    putDirectFunctionWithoutTransition(Identifier(exec, "EvalError"), d()->evalErrorConstructor);
+    putDirectFunctionWithoutTransition(Identifier(exec, "RangeError"), d()->rangeErrorConstructor);
+    putDirectFunctionWithoutTransition(Identifier(exec, "ReferenceError"), d()->referenceErrorConstructor);
+    putDirectFunctionWithoutTransition(Identifier(exec, "SyntaxError"), d()->syntaxErrorConstructor);
+    putDirectFunctionWithoutTransition(Identifier(exec, "TypeError"), d()->typeErrorConstructor);
+    putDirectFunctionWithoutTransition(Identifier(exec, "URIError"), d()->URIErrorConstructor);
 
     // Set global values.
@@ -388 +390 @@
     markIfNeeded(d()->regExpPrototype);
 
+    markIfNeeded(d()->methodCallDummy);
+
     markIfNeeded(d()->errorStructure);
 

trunk/JavaScriptCore/runtime/JSGlobalObject.h

@@ -80 +80 @@
                 , datePrototype(0)
                 , regExpPrototype(0)
+                , methodCallDummy(0)
             {
             }
@@ -120 +121 @@
             DatePrototype* datePrototype;
             RegExpPrototype* regExpPrototype;
+
+            JSObject* methodCallDummy;
 
             RefPtr<Structure> argumentsStructure;
@@ -202 +205 @@
         RegExpPrototype* regExpPrototype() const { return d()->regExpPrototype; }
 
+        JSObject* methodCallDummy() const { return d()->methodCallDummy; }
+
         Structure* argumentsStructure() const { return d()->argumentsStructure.get(); }
         Structure* arrayStructure() const { return d()->arrayStructure.get(); }

trunk/JavaScriptCore/runtime/JSObject.cpp

@@ -130 +130 @@
         prototype = obj->prototype();
         if (prototype.isNull()) {
-            putDirect(propertyName, value, 0, true, slot);
+            putDirectInternal(exec->globalData(), propertyName, value, 0, true, slot);
             return;
         }
@@ -136 +136 @@
     
     unsigned attributes;
-    if ((m_structure->get(propertyName, attributes) != WTF::notFound) && attributes & ReadOnly)
+    JSCell* specificValue;
+    if ((m_structure->get(propertyName, attributes, specificValue) != WTF::notFound) && attributes & ReadOnly)
         return;
 
@@ -166 +167 @@
     }
 
-    putDirect(propertyName, value, 0, true, slot);
+    putDirectInternal(exec->globalData(), propertyName, value, 0, true, slot);
     return;
 }
@@ -176 +177 @@
 }
 
-void JSObject::putWithAttributes(ExecState*, const Identifier& propertyName, JSValue value, unsigned attributes)
-{
-    putDirect(propertyName, value, attributes);
+void JSObject::putWithAttributes(ExecState* exec, const Identifier& propertyName, JSValue value, unsigned attributes, bool checkReadOnly, PutPropertySlot& slot)
+{
+    putDirectInternal(exec->globalData(), propertyName, value, attributes, checkReadOnly, slot);
+}
+
+void JSObject::putWithAttributes(ExecState* exec, const Identifier& propertyName, JSValue value, unsigned attributes)
+{
+    putDirectInternal(exec->globalData(), propertyName, value, attributes);
 }
 
@@ -202 +208 @@
 {
     unsigned attributes;
-    if (m_structure->get(propertyName, attributes) != WTF::notFound) {
+    JSCell* specificValue;
+    if (m_structure->get(propertyName, attributes, specificValue) != WTF::notFound) {
         if ((attributes & DontDelete))
             return false;
@@ -305 +312 @@
     PutPropertySlot slot;
     GetterSetter* getterSetter = new (exec) GetterSetter;
-    putDirect(propertyName, getterSetter, None, true, slot);
+    putDirectInternal(exec->globalData(), propertyName, getterSetter, None, true, slot);
 
     // putDirect will change our Structure if we add a new property. For
@@ -332 +339 @@
     PutPropertySlot slot;
     GetterSetter* getterSetter = new (exec) GetterSetter;
-    putDirect(propertyName, getterSetter, None, true, slot);
+    putDirectInternal(exec->globalData(), propertyName, getterSetter, None, true, slot);
 
     // putDirect will change our Structure if we add a new property. For
@@ -414 +421 @@
 bool JSObject::getPropertyAttributes(ExecState* exec, const Identifier& propertyName, unsigned& attributes) const
 {
-    if (m_structure->get(propertyName, attributes) != WTF::notFound)
+    JSCell* specificValue;
+    if (m_structure->get(propertyName, attributes, specificValue) != WTF::notFound)
         return true;
     
@@ -427 +435 @@
 }
 
+bool JSObject::getPropertySpecificValue(ExecState*, const Identifier& propertyName, JSCell*& specificValue) const
+{
+    unsigned attributes;
+    if (m_structure->get(propertyName, attributes, specificValue) != WTF::notFound)
+        return true;
+
+    // This could be a function within the static table? - should probably
+    // also look in the hash?  This currently should not be a problem, since
+    // we've currently always call 'get' first, which should have populated
+    // the normal storage.
+    return false;
+}
+
 void JSObject::getPropertyNames(ExecState* exec, PropertyNameArray& propertyNames)
 {
@@ -486 +507 @@
 void JSObject::putDirectFunction(ExecState* exec, InternalFunction* function, unsigned attr)
 {
-    putDirect(Identifier(exec, function->name(&exec->globalData())), function, attr);
+    putDirectFunction(Identifier(exec, function->name(&exec->globalData())), function, attr);
 }
 
 void JSObject::putDirectFunctionWithoutTransition(ExecState* exec, InternalFunction* function, unsigned attr)
 {
-    putDirectWithoutTransition(Identifier(exec, function->name(&exec->globalData())), function, attr);
+    putDirectFunctionWithoutTransition(Identifier(exec, function->name(&exec->globalData())), function, attr);
 }
 

trunk/JavaScriptCore/runtime/JSObject.h

@@ -33 +33 @@
 #include "ScopeChain.h"
 #include "Structure.h"
+#include "JSGlobalData.h"
 
 namespace JSC {
+
+    inline JSCell* getJSFunction(JSGlobalData& globalData, JSValue value)
+    {
+        if (value.isCell() && (value.asCell()->vptr() == globalData.jsFunctionVPtr))
+            return value.asCell();
+        return 0;
+    }
 
     class InternalFunction;
@@ -94 +102 @@
         virtual void put(ExecState*, unsigned propertyName, JSValue value);
 
+        virtual void putWithAttributes(ExecState*, const Identifier& propertyName, JSValue value, unsigned attributes, bool checkReadOnly, PutPropertySlot& slot);
         virtual void putWithAttributes(ExecState*, const Identifier& propertyName, JSValue value, unsigned attributes);
         virtual void putWithAttributes(ExecState*, unsigned propertyName, JSValue value, unsigned attributes);
@@ -123 +132 @@
 
         virtual bool getPropertyAttributes(ExecState*, const Identifier& propertyName, unsigned& attributes) const;
+        bool getPropertySpecificValue(ExecState* exec, const Identifier& propertyName, JSCell*& specificFunction) const;
 
         // This get function only looks at the property map.
@@ -144 +154 @@
         JSValue* getDirectLocation(const Identifier& propertyName, unsigned& attributes)
         {
-            size_t offset = m_structure->get(propertyName, attributes);
+            JSCell* specificFunction;
+            size_t offset = m_structure->get(propertyName, attributes, specificFunction);
             return offset != WTF::notFound ? locationForOffset(offset) : 0;
         }
@@ -169 +180 @@
         bool hasGetterSetterProperties() { return m_structure->hasGetterSetterProperties(); }
 
+        void putDirect(const Identifier& propertyName, JSValue value, unsigned attr, bool checkReadOnly, PutPropertySlot& slot);
         void putDirect(const Identifier& propertyName, JSValue value, unsigned attr = 0);
-        void putDirect(const Identifier& propertyName, JSValue value, unsigned attr, bool checkReadOnly, PutPropertySlot& slot);
+
+        void putDirectFunction(const Identifier& propertyName, JSCell* value, unsigned attr = 0);
+        void putDirectFunction(const Identifier& propertyName, JSCell* value, unsigned attr, bool checkReadOnly, PutPropertySlot& slot);
         void putDirectFunction(ExecState* exec, InternalFunction* function, unsigned attr = 0);
+
         void putDirectWithoutTransition(const Identifier& propertyName, JSValue value, unsigned attr = 0);
+        void putDirectFunctionWithoutTransition(const Identifier& propertyName, JSCell* value, unsigned attr = 0);
         void putDirectFunctionWithoutTransition(ExecState* exec, InternalFunction* function, unsigned attr = 0);
 
@@ -208 +224 @@
 
     private:
+        void putDirectInternal(const Identifier& propertyName, JSValue value, unsigned attr, bool checkReadOnly, PutPropertySlot& slot, JSCell*);
+        void putDirectInternal(JSGlobalData&, const Identifier& propertyName, JSValue value, unsigned attr, bool checkReadOnly, PutPropertySlot& slot);
+        void putDirectInternal(JSGlobalData&, const Identifier& propertyName, JSValue value, unsigned attr = 0);
+
         bool inlineGetOwnPropertySlot(ExecState*, const Identifier& propertyName, PropertySlot&);
 
@@ -397 +417 @@
 }
 
-inline void JSObject::putDirect(const Identifier& propertyName, JSValue value, unsigned attr)
-{
-    PutPropertySlot slot;
-    putDirect(propertyName, value, attr, false, slot);
-}
-
-inline void JSObject::putDirect(const Identifier& propertyName, JSValue value, unsigned attributes, bool checkReadOnly, PutPropertySlot& slot)
+inline void JSObject::putDirectInternal(const Identifier& propertyName, JSValue value, unsigned attributes, bool checkReadOnly, PutPropertySlot& slot, JSCell* specificFunction)
 {
     ASSERT(value);
@@ -410 +424 @@
     if (m_structure->isDictionary()) {
         unsigned currentAttributes;
-        size_t offset = m_structure->get(propertyName, currentAttributes);
+        JSCell* currentSpecificFunction;
+        size_t offset = m_structure->get(propertyName, currentAttributes, currentSpecificFunction);
         if (offset != WTF::notFound) {
             if (checkReadOnly && currentAttributes & ReadOnly)
@@ -420 +435 @@
 
         size_t currentCapacity = m_structure->propertyStorageCapacity();
-        offset = m_structure->addPropertyWithoutTransition(propertyName, attributes);
+        offset = m_structure->addPropertyWithoutTransition(propertyName, attributes, specificFunction);
         if (currentCapacity != m_structure->propertyStorageCapacity())
             allocatePropertyStorage(currentCapacity, m_structure->propertyStorageCapacity());
@@ -426 +441 @@
         ASSERT(offset < m_structure->propertyStorageCapacity());
         putDirectOffset(offset, value);
-        slot.setNewProperty(this, offset);
+        // See comment on setNewProperty call below.
+        if (!specificFunction)
+            slot.setNewProperty(this, offset);
         return;
     }
@@ -432 +449 @@
     size_t offset;
     size_t currentCapacity = m_structure->propertyStorageCapacity();
-    if (RefPtr<Structure> structure = Structure::addPropertyTransitionToExistingStructure(m_structure, propertyName, attributes, offset)) {
+    if (RefPtr<Structure> structure = Structure::addPropertyTransitionToExistingStructure(m_structure, propertyName, attributes, specificFunction, offset)) {    
         if (currentCapacity != structure->propertyStorageCapacity())
             allocatePropertyStorage(currentCapacity, structure->propertyStorageCapacity());
@@ -439 +456 @@
         setStructure(structure.release());
         putDirectOffset(offset, value);
-        slot.setNewProperty(this, offset);
-        slot.setWasTransition(true);
+        // See comment on setNewProperty call below.
+        if (!specificFunction)
+            slot.setNewProperty(this, offset);
         return;
     }
 
     unsigned currentAttributes;
-    offset = m_structure->get(propertyName, currentAttributes);
+    JSCell* currentSpecificFunction;
+    offset = m_structure->get(propertyName, currentAttributes, currentSpecificFunction);
     if (offset != WTF::notFound) {
         if (checkReadOnly && currentAttributes & ReadOnly)
             return;
+
+        if (currentSpecificFunction && (specificFunction != currentSpecificFunction)) {
+            setStructure(Structure::changeFunctionTransition(m_structure, propertyName));
+            putDirectOffset(offset, value);
+            // Function transitions are not currently cachable, so leave the slot in an uncachable state.
+            return;
+        }
         putDirectOffset(offset, value);
         slot.setExistingProperty(this, offset);
@@ -454 +480 @@
     }
 
-    RefPtr<Structure> structure = Structure::addPropertyTransition(m_structure, propertyName, attributes, offset);
+    RefPtr<Structure> structure = Structure::addPropertyTransition(m_structure, propertyName, attributes, specificFunction, offset);
     if (currentCapacity != structure->propertyStorageCapacity())
         allocatePropertyStorage(currentCapacity, structure->propertyStorageCapacity());
@@ -461 +487 @@
     setStructure(structure.release());
     putDirectOffset(offset, value);
-    slot.setNewProperty(this, offset);
-    slot.setWasTransition(true);
+    // Function transitions are not currently cachable, so leave the slot in an uncachable state.
+    if (!specificFunction)
+        slot.setNewProperty(this, offset);
+}
+
+inline void JSObject::putDirectInternal(JSGlobalData& globalData, const Identifier& propertyName, JSValue value, unsigned attributes, bool checkReadOnly, PutPropertySlot& slot)
+{
+    ASSERT(value);
+    ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this));
+
+    putDirectInternal(propertyName, value, attributes, checkReadOnly, slot, getJSFunction(globalData, value));
+}
+
+inline void JSObject::putDirectInternal(JSGlobalData& globalData, const Identifier& propertyName, JSValue value, unsigned attributes)
+{
+    PutPropertySlot slot;
+    putDirectInternal(propertyName, value, attributes, false, slot, getJSFunction(globalData, value));
+}
+
+inline void JSObject::putDirect(const Identifier& propertyName, JSValue value, unsigned attributes, bool checkReadOnly, PutPropertySlot& slot)
+{
+    ASSERT(value);
+    ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this));
+
+    putDirectInternal(propertyName, value, attributes, checkReadOnly, slot, 0);
+}
+
+inline void JSObject::putDirect(const Identifier& propertyName, JSValue value, unsigned attributes)
+{
+    PutPropertySlot slot;
+    putDirectInternal(propertyName, value, attributes, false, slot, 0);
+}
+
+inline void JSObject::putDirectFunction(const Identifier& propertyName, JSCell* value, unsigned attributes, bool checkReadOnly, PutPropertySlot& slot)
+{
+    putDirectInternal(propertyName, value, attributes, checkReadOnly, slot, value);
+}
+
+inline void JSObject::putDirectFunction(const Identifier& propertyName, JSCell* value, unsigned attr)
+{
+    PutPropertySlot slot;
+    putDirectInternal(propertyName, value, attr, false, slot, value);
 }
 
@@ -468 +534 @@
 {
     size_t currentCapacity = m_structure->propertyStorageCapacity();
-    size_t offset = m_structure->addPropertyWithoutTransition(propertyName, attributes);
+    size_t offset = m_structure->addPropertyWithoutTransition(propertyName, attributes, 0);
+    if (currentCapacity != m_structure->propertyStorageCapacity())
+        allocatePropertyStorage(currentCapacity, m_structure->propertyStorageCapacity());
+    putDirectOffset(offset, value);
+}
+
+inline void JSObject::putDirectFunctionWithoutTransition(const Identifier& propertyName, JSCell* value, unsigned attributes)
+{
+    size_t currentCapacity = m_structure->propertyStorageCapacity();
+    size_t offset = m_structure->addPropertyWithoutTransition(propertyName, attributes, value);
     if (currentCapacity != m_structure->propertyStorageCapacity())
         allocatePropertyStorage(currentCapacity, m_structure->propertyStorageCapacity());

trunk/JavaScriptCore/runtime/Lookup.cpp

@@ -72 +72 @@
     if (!location) {
         InternalFunction* function = new (exec) NativeFunctionWrapper(exec, exec->lexicalGlobalObject()->prototypeFunctionStructure(), entry->functionLength(), propertyName, entry->function());
-        thisObj->putDirect(propertyName, function, entry->attributes());
+
+        thisObj->putDirectFunction(propertyName, function, entry->attributes());
         location = thisObj->getDirectLocation(propertyName);
     }

trunk/JavaScriptCore/runtime/Lookup.h

@@ -230 +230 @@
             return false;
 
-        if (entry->attributes() & Function) // function: put as override property
-            thisObj->putDirect(propertyName, value);
-        else if (!(entry->attributes() & ReadOnly))
+        if (entry->attributes() & Function) { // function: put as override property
+            if (LIKELY(value.isCell()))
+                thisObj->putDirectFunction(propertyName, value.asCell());
+            else
+                thisObj->putDirect(propertyName, value);
+        } else if (!(entry->attributes() & ReadOnly))
             entry->propertyPutter()(exec, thisObj, value);
 

trunk/JavaScriptCore/runtime/PropertyMapHashTable.h

@@ -31 +31 @@
         unsigned offset;
         unsigned attributes;
+        JSCell* specificValue;
         unsigned index;
 
-        PropertyMapEntry(UString::Rep* key, unsigned attributes)
+        PropertyMapEntry(UString::Rep* key, unsigned attributes, JSCell* specificValue)
             : key(key)
             , offset(0)
             , attributes(attributes)
+            , specificValue(specificValue)
             , index(0)
         {
         }
 
-        PropertyMapEntry(UString::Rep* key, unsigned offset, unsigned attributes, unsigned index)
+        PropertyMapEntry(UString::Rep* key, unsigned offset, unsigned attributes, JSCell* specificValue, unsigned index)
             : key(key)
             , offset(offset)
             , attributes(attributes)
+            , specificValue(specificValue)
             , index(index)
         {

trunk/JavaScriptCore/runtime/PutPropertySlot.h

@@ -33 +33 @@
     
     class JSObject;
+    class JSFunction;
     
     class PutPropertySlot {
     public:
-        enum Type { Invalid, ExistingProperty, NewProperty };
+        enum Type { Uncachable, ExistingProperty, NewProperty };
 
         PutPropertySlot()
-            : m_type(Invalid)
+            : m_type(Uncachable)
             , m_base(0)
-            , m_wasTransition(false)
         {
         }
@@ -62 +62 @@
         JSObject* base() const { return m_base; }
 
-        bool isCacheable() const { return m_type != Invalid; }
+        bool isCacheable() const { return m_type != Uncachable; }
         size_t cachedOffset() const {
             ASSERT(isCacheable());
             return m_offset;
         }
-        
-        bool wasTransition() const { return m_wasTransition; }
-        void setWasTransition(bool wasTransition) { m_wasTransition = wasTransition; }
     private:
         Type m_type;
         JSObject* m_base;
-        bool m_wasTransition;
         size_t m_offset;
     };

trunk/JavaScriptCore/runtime/Structure.cpp

@@ -124 +124 @@
     : m_typeInfo(typeInfo)
     , m_prototype(prototype)
+    , m_specificValueInPrevious(0)
     , m_propertyTable(0)
     , m_propertyStorageCapacity(JSObject::inlineStorageCapacity)
@@ -159 +160 @@
             m_previous->m_transitions.singleTransition = 0;
         } else {
-            ASSERT(m_previous->m_transitions.table->contains(make_pair(m_nameInPrevious.get(), m_attributesInPrevious)));
-            m_previous->m_transitions.table->remove(make_pair(m_nameInPrevious.get(), m_attributesInPrevious));
+            ASSERT(m_previous->m_transitions.table->contains(make_pair(m_nameInPrevious.get(), make_pair(m_attributesInPrevious, m_specificValueInPrevious))));
+            m_previous->m_transitions.table->remove(make_pair(m_nameInPrevious.get(), make_pair(m_attributesInPrevious, m_specificValueInPrevious)));
         }
     }
@@ -280 +281 @@
         structure = structures[i];
         structure->m_nameInPrevious->ref();
-        PropertyMapEntry entry(structure->m_nameInPrevious.get(), structure->m_offset, structure->m_attributesInPrevious, ++m_propertyTable->lastIndexUsed); 
+        PropertyMapEntry entry(structure->m_nameInPrevious.get(), structure->m_offset, structure->m_attributesInPrevious, structure->m_specificValueInPrevious, ++m_propertyTable->lastIndexUsed);
         insertIntoPropertyMapHashTable(entry);
     }
@@ -327 +328 @@
 }
 
-PassRefPtr<Structure> Structure::addPropertyTransitionToExistingStructure(Structure* structure, const Identifier& propertyName, unsigned attributes, size_t& offset)
+PassRefPtr<Structure> Structure::addPropertyTransitionToExistingStructure(Structure* structure, const Identifier& propertyName, unsigned attributes, JSCell* specificValue, size_t& offset)
 {
     ASSERT(!structure->m_isDictionary);
@@ -334 +335 @@
     if (structure->m_usingSingleTransitionSlot) {
         Structure* existingTransition = structure->m_transitions.singleTransition;
-        if (existingTransition && existingTransition->m_nameInPrevious.get() == propertyName.ustring().rep() && existingTransition->m_attributesInPrevious == attributes) {
+        if (existingTransition && existingTransition->m_nameInPrevious.get() == propertyName.ustring().rep()
+            && existingTransition->m_attributesInPrevious == attributes
+            && existingTransition->m_specificValueInPrevious == specificValue) {
+
             ASSERT(structure->m_transitions.singleTransition->m_offset != noOffset);
             offset = structure->m_transitions.singleTransition->m_offset;
@@ -340 +344 @@
         }
     } else {
-        if (Structure* existingTransition = structure->m_transitions.table->get(make_pair(propertyName.ustring().rep(), attributes))) {
+        if (Structure* existingTransition = structure->m_transitions.table->get(make_pair(propertyName.ustring().rep(), make_pair(attributes, specificValue)))) {
             ASSERT(existingTransition->m_offset != noOffset);
             offset = existingTransition->m_offset;
@@ -350 +354 @@
 }
 
-PassRefPtr<Structure> Structure::addPropertyTransition(Structure* structure, const Identifier& propertyName, unsigned attributes, size_t& offset)
+PassRefPtr<Structure> Structure::addPropertyTransition(Structure* structure, const Identifier& propertyName, unsigned attributes, JSCell* specificValue, size_t& offset)
 {
     ASSERT(!structure->m_isDictionary);
     ASSERT(structure->typeInfo().type() == ObjectType);
-    ASSERT(!Structure::addPropertyTransitionToExistingStructure(structure, propertyName, attributes, offset));
+    ASSERT(!Structure::addPropertyTransitionToExistingStructure(structure, propertyName, attributes, specificValue, offset));
 
     if (structure->transitionCount() > s_maxTransitionLength) {
         RefPtr<Structure> transition = toDictionaryTransition(structure);
-        offset = transition->put(propertyName, attributes);
+        offset = transition->put(propertyName, attributes, specificValue);
         if (transition->propertyStorageSize() > transition->propertyStorageCapacity())
             transition->growPropertyStorageCapacity();
@@ -365 +369 @@
 
     RefPtr<Structure> transition = create(structure->m_prototype, structure->typeInfo());
+
     transition->m_cachedPrototypeChain = structure->m_cachedPrototypeChain;
     transition->m_previous = structure;
     transition->m_nameInPrevious = propertyName.ustring().rep();
     transition->m_attributesInPrevious = attributes;
+    transition->m_specificValueInPrevious = specificValue;
     transition->m_propertyStorageCapacity = structure->m_propertyStorageCapacity;
     transition->m_hasGetterSetterProperties = structure->m_hasGetterSetterProperties;
@@ -386 +392 @@
     }
 
-    offset = transition->put(propertyName, attributes);
+    offset = transition->put(propertyName, attributes, specificValue);
     if (transition->propertyStorageSize() > transition->propertyStorageCapacity())
         transition->growPropertyStorageCapacity();
@@ -402 +408 @@
         StructureTransitionTable* transitionTable = new StructureTransitionTable;
         structure->m_transitions.table = transitionTable;
-        transitionTable->add(make_pair(existingTransition->m_nameInPrevious.get(), existingTransition->m_attributesInPrevious), existingTransition);
-    }
-    structure->m_transitions.table->add(make_pair(propertyName.ustring().rep(), attributes), transition.get());
+        transitionTable->add(make_pair(existingTransition->m_nameInPrevious.get(), make_pair(existingTransition->m_attributesInPrevious, existingTransition->m_specificValueInPrevious)), existingTransition);
+    }
+    structure->m_transitions.table->add(make_pair(propertyName.ustring().rep(), make_pair(attributes, specificValue)), transition.get());
     return transition.release();
 }
@@ -431 +437 @@
     transition->m_propertyTable = structure->copyPropertyTable();
     transition->m_isPinnedPropertyTable = true;
+
+    return transition.release();
+}
+
+PassRefPtr<Structure> Structure::changeFunctionTransition(Structure* structure, const Identifier& replaceFunction)
+{
+    RefPtr<Structure> transition = create(structure->storedPrototype(), structure->typeInfo());
+
+    transition->m_propertyStorageCapacity = structure->m_propertyStorageCapacity;
+    transition->m_hasGetterSetterProperties = structure->m_hasGetterSetterProperties;
+
+    // Don't set m_offset, as one can not transition to this.
+
+    structure->materializePropertyMapIfNecessary();
+    transition->m_propertyTable = structure->copyPropertyTable();
+    transition->m_isPinnedPropertyTable = true;
+
+    bool removed = transition->despecifyFunction(replaceFunction);
+    ASSERT_UNUSED(removed, removed);
 
     return transition.release();
@@ -482 +507 @@
 }
 
-size_t Structure::addPropertyWithoutTransition(const Identifier& propertyName, unsigned attributes)
+size_t Structure::addPropertyWithoutTransition(const Identifier& propertyName, unsigned attributes, JSCell* specificValue)
 {
     ASSERT(!m_transitions.singleTransition);
@@ -489 +514 @@
 
     m_isPinnedPropertyTable = true;
-    size_t offset = put(propertyName, attributes);
+    size_t offset = put(propertyName, attributes, specificValue);
     if (propertyStorageSize() > propertyStorageCapacity())
         growPropertyStorageCapacity();
@@ -565 +590 @@
 }
 
-size_t Structure::get(const Identifier& propertyName, unsigned& attributes)
-{
-    ASSERT(!propertyName.isNull());
-
+size_t Structure::get(const UString::Rep* rep, unsigned& attributes, JSCell*& specificValue)
+{
     materializePropertyMapIfNecessary();
     if (!m_propertyTable)
         return notFound;
 
-    UString::Rep* rep = propertyName._ustring.rep();
-
     unsigned i = rep->computedHash();
 
@@ -587 +608 @@
     if (rep == m_propertyTable->entries()[entryIndex - 1].key) {
         attributes = m_propertyTable->entries()[entryIndex - 1].attributes;
+        specificValue = m_propertyTable->entries()[entryIndex - 1].specificValue;
         return m_propertyTable->entries()[entryIndex - 1].offset;
     }
@@ -609 +631 @@
         if (rep == m_propertyTable->entries()[entryIndex - 1].key) {
             attributes = m_propertyTable->entries()[entryIndex - 1].attributes;
+            specificValue = m_propertyTable->entries()[entryIndex - 1].specificValue;
             return m_propertyTable->entries()[entryIndex - 1].offset;
         }
@@ -614 +637 @@
 }
 
-size_t Structure::put(const Identifier& propertyName, unsigned attributes)
+bool Structure::despecifyFunction(const Identifier& propertyName)
+{
+    ASSERT(!propertyName.isNull());
+
+    materializePropertyMapIfNecessary();
+    if (!m_propertyTable)
+        return false;
+
+    UString::Rep* rep = propertyName._ustring.rep();
+
+    unsigned i = rep->computedHash();
+
+#if DUMP_PROPERTYMAP_STATS
+    ++numProbes;
+#endif
+
+    unsigned entryIndex = m_propertyTable->entryIndices[i & m_propertyTable->sizeMask];
+    if (entryIndex == emptyEntryIndex)
+        return false;
+
+    if (rep == m_propertyTable->entries()[entryIndex - 1].key) {
+        ASSERT(m_propertyTable->entries()[entryIndex - 1].specificValue);
+        m_propertyTable->entries()[entryIndex - 1].specificValue = 0;
+        return true;
+    }
+
+#if DUMP_PROPERTYMAP_STATS
+    ++numCollisions;
+#endif
+
+    unsigned k = 1 | doubleHash(rep->computedHash());
+
+    while (1) {
+        i += k;
+
+#if DUMP_PROPERTYMAP_STATS
+        ++numRehashes;
+#endif
+
+        entryIndex = m_propertyTable->entryIndices[i & m_propertyTable->sizeMask];
+        if (entryIndex == emptyEntryIndex)
+            return false;
+
+        if (rep == m_propertyTable->entries()[entryIndex - 1].key) {
+            ASSERT(m_propertyTable->entries()[entryIndex - 1].specificValue);
+            m_propertyTable->entries()[entryIndex - 1].specificValue = 0;
+            return true;
+        }
+    }
+}
+
+size_t Structure::put(const Identifier& propertyName, unsigned attributes, JSCell* specificValue)
 {
     ASSERT(!propertyName.isNull());
@@ -684 +758 @@
     m_propertyTable->entries()[entryIndex - 1].key = rep;
     m_propertyTable->entries()[entryIndex - 1].attributes = attributes;
+    m_propertyTable->entries()[entryIndex - 1].specificValue = specificValue;
     m_propertyTable->entries()[entryIndex - 1].index = ++m_propertyTable->lastIndexUsed;
 
@@ -756 +831 @@
     m_propertyTable->entries()[entryIndex - 1].key = 0;
     m_propertyTable->entries()[entryIndex - 1].attributes = 0;
+    m_propertyTable->entries()[entryIndex - 1].specificValue = 0;
     m_propertyTable->entries()[entryIndex - 1].offset = 0;
 

trunk/JavaScriptCore/runtime/Structure.h

@@ -62 +62 @@
         static void dumpStatistics();
 
-        static PassRefPtr<Structure> addPropertyTransition(Structure*, const Identifier& propertyName, unsigned attributes, size_t& offset);
-        static PassRefPtr<Structure> addPropertyTransitionToExistingStructure(Structure*, const Identifier& propertyName, unsigned attributes, size_t& offset);
+        static PassRefPtr<Structure> addPropertyTransition(Structure*, const Identifier& propertyName, unsigned attributes, JSCell* specificValue, size_t& offset);
+        static PassRefPtr<Structure> addPropertyTransitionToExistingStructure(Structure*, const Identifier& propertyName, unsigned attributes, JSCell* specificValue, size_t& offset);
         static PassRefPtr<Structure> removePropertyTransition(Structure*, const Identifier& propertyName, size_t& offset);
         static PassRefPtr<Structure> changePrototypeTransition(Structure*, JSValue prototype);
+        static PassRefPtr<Structure> changeFunctionTransition(Structure*, const Identifier&);        
         static PassRefPtr<Structure> getterSetterTransition(Structure*);
         static PassRefPtr<Structure> toDictionaryTransition(Structure*);
@@ -79 +80 @@
 
         // These should be used with caution.  
-        size_t addPropertyWithoutTransition(const Identifier& propertyName, unsigned attributes);
+        size_t addPropertyWithoutTransition(const Identifier& propertyName, unsigned attributes, JSCell* specificValue);
         size_t removePropertyWithoutTransition(const Identifier& propertyName);
         void setPrototypeWithoutTransition(JSValue prototype) { m_prototype = prototype; }
@@ -99 +100 @@
 
         size_t get(const Identifier& propertyName);
-        size_t get(const Identifier& propertyName, unsigned& attributes);
+        size_t get(const UString::Rep* rep, unsigned& attributes, JSCell*& specificValue);
+        size_t get(const Identifier& propertyName, unsigned& attributes, JSCell*& specificValue)
+        {
+            ASSERT(!propertyName.isNull());
+            return get(propertyName._ustring.rep(), attributes, specificValue);
+        }
+
         void getEnumerablePropertyNames(ExecState*, PropertyNameArray&, JSObject*);
 
@@ -107 +114 @@
         bool isEmpty() const { return m_propertyTable ? !m_propertyTable->keyCount : m_offset == noOffset; }
 
+        JSCell* specificValue() { return m_specificValueInPrevious; }
+
     private:
         Structure(JSValue prototype, const TypeInfo&);
 
-        size_t put(const Identifier& propertyName, unsigned attributes);
+        size_t put(const Identifier& propertyName, unsigned attributes, JSCell* specificValue);
         size_t remove(const Identifier& propertyName);
         void getEnumerableNamesFromPropertyTable(PropertyNameArray&);
@@ -123 +132 @@
         void checkConsistency();
 
+        bool despecifyFunction(const Identifier&);
+
         PropertyMapHashTable* copyPropertyTable();
         void materializePropertyMap();
@@ -160 +171 @@
             StructureTransitionTable* table;
         } m_transitions;
+        JSCell* m_specificValueInPrevious;
 
         RefPtr<PropertyNameArrayData> m_cachedPropertyNameArrayData;

trunk/JavaScriptCore/runtime/StructureTransitionTable.h

@@ -38 +38 @@
 
     struct StructureTransitionTableHash {
-        typedef std::pair<RefPtr<UString::Rep>, unsigned> Key;
+        typedef std::pair<RefPtr<UString::Rep>, std::pair<unsigned, JSCell*> > Key;
         static unsigned hash(const Key& p)
         {
@@ -54 +54 @@
     struct StructureTransitionTableHashTraits {
         typedef WTF::HashTraits<RefPtr<UString::Rep> > FirstTraits;
-        typedef WTF::GenericHashTraits<unsigned> SecondTraits;
-        typedef std::pair<FirstTraits::TraitType, SecondTraits::TraitType> TraitType;
+        typedef WTF::GenericHashTraits<unsigned> SecondFirstTraits;
+        typedef WTF::GenericHashTraits<JSCell*> SecondSecondTraits;
+        typedef std::pair<FirstTraits::TraitType, std::pair<SecondFirstTraits::TraitType, SecondSecondTraits::TraitType> > TraitType;
 
-        static const bool emptyValueIsZero = FirstTraits::emptyValueIsZero && SecondTraits::emptyValueIsZero;
-        static TraitType emptyValue() { return std::make_pair(FirstTraits::emptyValue(), SecondTraits::emptyValue()); }
+        static const bool emptyValueIsZero = FirstTraits::emptyValueIsZero && SecondFirstTraits::emptyValueIsZero && SecondSecondTraits::emptyValueIsZero;
+        static TraitType emptyValue() { return std::make_pair(FirstTraits::emptyValue(), std::make_pair(SecondFirstTraits::emptyValue(), SecondSecondTraits::emptyValue())); }
 
-        static const bool needsDestruction = FirstTraits::needsDestruction || SecondTraits::needsDestruction;
+        static const bool needsDestruction = FirstTraits::needsDestruction || SecondFirstTraits::needsDestruction || SecondSecondTraits::needsDestruction;
 
         static void constructDeletedValue(TraitType& slot) { FirstTraits::constructDeletedValue(slot.first); }