Changeset 165141 in webkit

Timestamp:

Mar 5, 2014, 4:29:17 PM (11 years ago)

Author:

[email protected]

Message:

Support caching of custom setters
​https://bugs.webkit.org/show_bug.cgi?id=129519

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

This patch adds caching of assignment to properties that
are backed by C functions. This provides most of the leg
work required to start supporting setters, and resolves
the remaining regressions from moving DOM properties up
the prototype chain.

• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/PolymorphicPutByIdList.cpp:

(JSC::PutByIdAccess::visitWeak):
(JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
(JSC::PolymorphicPutByIdList::from):

• bytecode/PolymorphicPutByIdList.h:

(JSC::PutByIdAccess::transition):
(JSC::PutByIdAccess::replace):
(JSC::PutByIdAccess::customSetter):
(JSC::PutByIdAccess::isCustom):
(JSC::PutByIdAccess::oldStructure):
(JSC::PutByIdAccess::chain):
(JSC::PutByIdAccess::stubRoutine):

• bytecode/PutByIdStatus.cpp:

(JSC::PutByIdStatus::computeForStubInfo):
(JSC::PutByIdStatus::computeFor):
(JSC::PutByIdStatus::dump):

• bytecode/PutByIdStatus.h:

(JSC::PutByIdStatus::PutByIdStatus):
(JSC::PutByIdStatus::takesSlowPath):
(JSC::PutByIdStatus::makesCalls):

• bytecode/StructureStubInfo.h:
• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::emitPutById):
(JSC::DFG::ByteCodeParser::handlePutById):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGCommon.h:
• dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGNode.h:

(JSC::DFG::Node::hasIdentifier):

• dfg/DFGNodeType.h:
• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileIn):

• dfg/DFGSpeculativeJIT.h:
• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::compile):

• jit/CCallHelpers.h:

(JSC::CCallHelpers::setupArgumentsWithExecState):

• jit/JITInlineCacheGenerator.cpp:

(JSC::JITByIdGenerator::JITByIdGenerator):
(JSC::JITPutByIdGenerator::JITPutByIdGenerator):

• jit/JITInlineCacheGenerator.h:

(JSC::JITGetByIdGenerator::JITGetByIdGenerator):

• jit/JITOperations.cpp:
• jit/JITOperations.h:
• jit/JITPropertyAccess.cpp:

(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_put_by_id):

• jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_put_by_id):

• jit/Repatch.cpp:

(JSC::tryCacheGetByID):
(JSC::tryBuildGetByIDList):
(JSC::emitCustomSetterStub):
(JSC::tryCachePutByID):
(JSC::tryBuildPutByIdList):

• jit/SpillRegistersMode.h: Added.
• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• runtime/Lookup.h:

(JSC::putEntry):

• runtime/PutPropertySlot.h:

(JSC::PutPropertySlot::setCacheableCustomProperty):
(JSC::PutPropertySlot::customSetter):
(JSC::PutPropertySlot::isCacheablePut):
(JSC::PutPropertySlot::isCacheableCustomProperty):
(JSC::PutPropertySlot::cachedOffset):

Source/WebCore:

Add forwarding header

Tests: js/regress/assign-custom-setter-polymorphic.html

js/regress/assign-custom-setter.html

• ForwardingHeaders/jit/SpillRegistersMode.h: Added.

LayoutTests:

Add test cases.

• js/regress/assign-custom-setter-expected.txt: Added.
• js/regress/assign-custom-setter-polymorphic-expected.txt: Added.
• js/regress/assign-custom-setter-polymorphic.html: Added.
• js/regress/assign-custom-setter.html: Added.
• js/regress/script-tests/assign-custom-setter-polymorphic.js: Added.

(test):

• js/regress/script-tests/assign-custom-setter.js: Added.

(test):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/regress/assign-custom-setter-expected.txt (added)
• LayoutTests/js/regress/assign-custom-setter-polymorphic-expected.txt (added)
• LayoutTests/js/regress/assign-custom-setter-polymorphic.html (added)
• LayoutTests/js/regress/assign-custom-setter.html (added)
• LayoutTests/js/regress/script-tests/assign-custom-setter-polymorphic.js (added)
• LayoutTests/js/regress/script-tests/assign-custom-setter.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Source/JavaScriptCore/bytecode/PolymorphicPutByIdList.cpp (modified) (3 diffs)
• Source/JavaScriptCore/bytecode/PolymorphicPutByIdList.h (modified) (9 diffs)
• Source/JavaScriptCore/bytecode/PutByIdStatus.cpp (modified) (3 diffs)
• Source/JavaScriptCore/bytecode/PutByIdStatus.h (modified) (3 diffs)
• Source/JavaScriptCore/bytecode/StructureStubInfo.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (5 diffs)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGCommon.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNode.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSafeToExecute.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (4 diffs)
• Source/JavaScriptCore/jit/CCallHelpers.h (modified) (1 diff)
• Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITInlineCacheGenerator.h (modified) (3 diffs)
• Source/JavaScriptCore/jit/JITOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/JITOperations.h (modified) (1 diff)
• Source/JavaScriptCore/jit/JITPropertyAccess.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/Repatch.cpp (modified) (9 diffs)
• Source/JavaScriptCore/jit/SpillRegistersMode.h (added)
• Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/Lookup.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/PutPropertySlot.h (modified) (3 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/ForwardingHeaders/jit/SpillRegistersMode.h (added)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2014-03-05  Oliver Hunt  <[email protected]>
+
+        Support caching of custom setters
+        https://bugs.webkit.org/show_bug.cgi?id=129519
+
+        Reviewed by Filip Pizlo.
+
+        Add test cases.
+
+        * js/regress/assign-custom-setter-expected.txt: Added.
+        * js/regress/assign-custom-setter-polymorphic-expected.txt: Added.
+        * js/regress/assign-custom-setter-polymorphic.html: Added.
+        * js/regress/assign-custom-setter.html: Added.
+        * js/regress/script-tests/assign-custom-setter-polymorphic.js: Added.
+        (test):
+        * js/regress/script-tests/assign-custom-setter.js: Added.
+        (test):
+
 2014-03-05  David Kilzer  <[email protected]>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2014-03-03  Oliver Hunt  <[email protected]>
+
+        Support caching of custom setters
+        https://bugs.webkit.org/show_bug.cgi?id=129519
+
+        Reviewed by Filip Pizlo.
+
+        This patch adds caching of assignment to properties that
+        are backed by C functions. This provides most of the leg
+        work required to start supporting setters, and resolves
+        the remaining regressions from moving DOM properties up
+        the prototype chain.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * bytecode/PolymorphicPutByIdList.cpp:
+        (JSC::PutByIdAccess::visitWeak):
+        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
+        (JSC::PolymorphicPutByIdList::from):
+        * bytecode/PolymorphicPutByIdList.h:
+        (JSC::PutByIdAccess::transition):
+        (JSC::PutByIdAccess::replace):
+        (JSC::PutByIdAccess::customSetter):
+        (JSC::PutByIdAccess::isCustom):
+        (JSC::PutByIdAccess::oldStructure):
+        (JSC::PutByIdAccess::chain):
+        (JSC::PutByIdAccess::stubRoutine):
+        * bytecode/PutByIdStatus.cpp:
+        (JSC::PutByIdStatus::computeForStubInfo):
+        (JSC::PutByIdStatus::computeFor):
+        (JSC::PutByIdStatus::dump):
+        * bytecode/PutByIdStatus.h:
+        (JSC::PutByIdStatus::PutByIdStatus):
+        (JSC::PutByIdStatus::takesSlowPath):
+        (JSC::PutByIdStatus::makesCalls):
+        * bytecode/StructureStubInfo.h:
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::emitPutById):
+        (JSC::DFG::ByteCodeParser::handlePutById):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGCommon.h:
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::foldConstants):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::hasIdentifier):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileIn):
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::cachedGetById):
+        (JSC::DFG::SpeculativeJIT::cachedPutById):
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::cachedGetById):
+        (JSC::DFG::SpeculativeJIT::cachedPutById):
+        (JSC::DFG::SpeculativeJIT::compile):
+        * jit/CCallHelpers.h:
+        (JSC::CCallHelpers::setupArgumentsWithExecState):
+        * jit/JITInlineCacheGenerator.cpp:
+        (JSC::JITByIdGenerator::JITByIdGenerator):
+        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
+        * jit/JITInlineCacheGenerator.h:
+        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
+        * jit/JITOperations.cpp:
+        * jit/JITOperations.h:
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emit_op_get_by_id):
+        (JSC::JIT::emit_op_put_by_id):
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::emit_op_get_by_id):
+        (JSC::JIT::emit_op_put_by_id):
+        * jit/Repatch.cpp:
+        (JSC::tryCacheGetByID):
+        (JSC::tryBuildGetByIDList):
+        (JSC::emitCustomSetterStub):
+        (JSC::tryCachePutByID):
+        (JSC::tryBuildPutByIdList):
+        * jit/SpillRegistersMode.h: Added.
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * runtime/Lookup.h:
+        (JSC::putEntry):
+        * runtime/PutPropertySlot.h:
+        (JSC::PutPropertySlot::setCacheableCustomProperty):
+        (JSC::PutPropertySlot::customSetter):
+        (JSC::PutPropertySlot::isCacheablePut):
+        (JSC::PutPropertySlot::isCacheableCustomProperty):
+        (JSC::PutPropertySlot::cachedOffset):
+
 2014-03-05  Mark Hahnenberg  <[email protected]>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1163 +1163 @@
                 A78507D617CBC6FD0011F6E7 /* MapData.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A78507D417CBC6FD0011F6E7 /* MapData.cpp */; };
                 A78507D717CBC6FD0011F6E7 /* MapData.h in Headers */ = {isa = PBXBuildFile; fileRef = A78507D517CBC6FD0011F6E7 /* MapData.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                A785F6BC18C553FE00F10626 /* SpillRegistersMode.h in Headers */ = {isa = PBXBuildFile; fileRef = A7FF647A18C52E8500B55307 /* SpillRegistersMode.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 A78853F917972629001440E4 /* IntendedStructureChain.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A78853F717972629001440E4 /* IntendedStructureChain.cpp */; };
                 A78853FA17972629001440E4 /* IntendedStructureChain.h in Headers */ = {isa = PBXBuildFile; fileRef = A78853F817972629001440E4 /* IntendedStructureChain.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -2802 +2803 @@
                 A7FB60A3103F7DC20017A286 /* PropertyDescriptor.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PropertyDescriptor.cpp; sourceTree = "<group>"; };
                 A7FCC26C17A0B6AA00786D1A /* FTLSwitchCase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = FTLSwitchCase.h; path = ftl/FTLSwitchCase.h; sourceTree = "<group>"; };
+                A7FF647A18C52E8500B55307 /* SpillRegistersMode.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SpillRegistersMode.h; sourceTree = "<group>"; };
                 A8A4748D151A8306004123FF /* libWTF.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; path = libWTF.a; sourceTree = BUILT_PRODUCTS_DIR; };
                 A8E894310CD0602400367179 /* JSCallbackObjectFunctions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSCallbackObjectFunctions.h; sourceTree = "<group>"; };
@@ -3470 +3472 @@
                                 A7386553118697B400540279 /* ThunkGenerators.h */,
                                 65987F2F16828A7E003C2F8D /* UnusedPointer.h */,
+                                A7FF647A18C52E8500B55307 /* SpillRegistersMode.h */,
                         );
                         path = jit;
@@ -5524 +5527 @@
                                 BC18C4540E16F5CD00B34460 /* PropertyNameArray.h in Headers */,
                                 0FF7168C15A3B235008F5DAA /* PropertyOffset.h in Headers */,
+                                A785F6BC18C553FE00F10626 /* SpillRegistersMode.h in Headers */,
                                 BC18C4550E16F5CD00B34460 /* PropertySlot.h in Headers */,
                                 0FB7F39C15ED8E4600F167B2 /* PropertyStorage.h in Headers */,

trunk/Source/JavaScriptCore/bytecode/PolymorphicPutByIdList.cpp

@@ -78 +78 @@
             return false;
         break;
+    case CustomSetter:
+        if (!Heap::isMarked(m_oldStructure.get()))
+            return false;
+        if (m_chain && !Heap::isMarked(m_chain.get()))
+            return false;
+        break;
     default:
         RELEASE_ASSERT_NOT_REACHED();
@@ -89 +95 @@
     : m_kind(putKind)
 {
-    m_list.append(PutByIdAccess::fromStructureStubInfo(stubInfo));
+    if (stubInfo.accessType != access_unset)
+        m_list.append(PutByIdAccess::fromStructureStubInfo(stubInfo));
 }
 
@@ -99 +106 @@
     
     ASSERT(stubInfo.accessType == access_put_by_id_replace
-           || stubInfo.accessType == access_put_by_id_transition_normal
-           || stubInfo.accessType == access_put_by_id_transition_direct);
+        || stubInfo.accessType == access_put_by_id_transition_normal
+        || stubInfo.accessType == access_put_by_id_transition_direct
+        || stubInfo.accessType == access_unset);
     
     PolymorphicPutByIdList* result =

trunk/Source/JavaScriptCore/bytecode/PolymorphicPutByIdList.h

@@ -33 +33 @@
 #include "Opcode.h"
 #include "PutKind.h"
+#include "PutPropertySlot.h"
 #include "Structure.h"
 #include <wtf/Vector.h>
@@ -46 +47 @@
         Invalid,
         Transition,
-        Replace
+        Replace,
+        CustomSetter
     };
     
@@ -67 +69 @@
         result.m_newStructure.set(vm, owner, newStructure);
         result.m_chain.set(vm, owner, chain);
+        result.m_customSetter = 0;
         result.m_stubRoutine = stubRoutine;
         return result;
     }
-    
+
     static PutByIdAccess replace(
         VM& vm,
@@ -80 +83 @@
         result.m_type = Replace;
         result.m_oldStructure.set(vm, owner, structure);
+        result.m_customSetter = 0;
         result.m_stubRoutine = stubRoutine;
         return result;
     }
+
+
+    static PutByIdAccess customSetter(
+        VM& vm,
+        JSCell* owner,
+        Structure* structure,
+        StructureChain* chain,
+        PutPropertySlot::PutValueFunc customSetter,
+        PassRefPtr<JITStubRoutine> stubRoutine)
+    {
+        PutByIdAccess result;
+        result.m_oldStructure.set(vm, owner, structure);
+        result.m_type = CustomSetter;
+        if (chain)
+            result.m_chain.set(vm, owner, chain);
+        result.m_customSetter = customSetter;
+        result.m_stubRoutine = stubRoutine;
+        return result;
+    }
     
     static PutByIdAccess fromStructureStubInfo(StructureStubInfo&);
@@ -93 +116 @@
     bool isTransition() const { return m_type == Transition; }
     bool isReplace() const { return m_type == Replace; }
+    bool isCustom() const { return m_type == CustomSetter; }
     
     Structure* oldStructure() const
@@ -98 +122 @@
         // Using this instead of isSet() to make this assertion robust against the possibility
         // of additional access types being added.
-        ASSERT(isTransition() || isReplace());
+        ASSERT(isTransition() || isReplace() || isCustom());
         
         return m_oldStructure.get();
@@ -117 +141 @@
     StructureChain* chain() const
     {
-        ASSERT(isTransition());
+        ASSERT(isTransition() || isCustom());
         return m_chain.get();
     }
@@ -123 +147 @@
     JITStubRoutine* stubRoutine() const
     {
-        ASSERT(isTransition() || isReplace());
+        ASSERT(isTransition() || isReplace() || isCustom());
         return m_stubRoutine.get();
     }
-    
+
+    PutPropertySlot::PutValueFunc customSetter() const { ASSERT(isCustom()); return m_customSetter; }
+
     bool visitWeak() const;
     
@@ -136 +162 @@
     WriteBarrier<Structure> m_newStructure;
     WriteBarrier<StructureChain> m_chain;
+    PutPropertySlot::PutValueFunc m_customSetter;
     RefPtr<JITStubRoutine> m_stubRoutine;
 };

trunk/Source/JavaScriptCore/bytecode/PutByIdStatus.cpp

@@ -206 +206 @@
                 break;
             }
+            case PutByIdAccess::CustomSetter:
+                return PutByIdStatus(MakesCalls);
 
             default:
@@ -266 +268 @@
     PropertyOffset offset = structure->getConcurrently(vm, uid, attributes, specificValue);
     if (isValidOffset(offset)) {
+        if (attributes & CustomAccessor)
+            return PutByIdStatus(MakesCalls);
+
         if (attributes & (Accessor | ReadOnly))
             return PutByIdStatus(TakesSlowPath);
@@ -343 +348 @@
         out.print("(TakesSlowPath)");
         return;
+    case MakesCalls:
+        out.print("(MakesCalls)");
+        return;
     }
     

trunk/Source/JavaScriptCore/bytecode/PutByIdStatus.h

@@ -48 +48 @@
         Simple,
         // It's known to often take slow path.
-        TakesSlowPath
+        TakesSlowPath,
+        // It's known to take paths that make calls.
+        MakesCalls
     };
     
@@ -59 +61 @@
         : m_state(state)
     {
-        ASSERT(m_state == NoInformation || m_state == TakesSlowPath);
+        ASSERT(m_state == NoInformation || m_state == TakesSlowPath || m_state == MakesCalls);
     }
     
@@ -78 +80 @@
     bool operator!() const { return m_state == NoInformation; }
     bool isSimple() const { return m_state == Simple; }
-    bool takesSlowPath() const { return m_state == TakesSlowPath; }
+    bool takesSlowPath() const { return m_state == TakesSlowPath || m_state == MakesCalls; }
+    bool makesCalls() const { return m_state == MakesCalls; }
     
     size_t numVariants() const { return m_variants.size(); }

trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.h

@@ -34 +34 @@
 #include "PolymorphicAccessStructureList.h"
 #include "RegisterSet.h"
+#include "SpillRegistersMode.h"
 #include "Structure.h"
 #include "StructureStubClearingWatchpoint.h"
@@ -194 +195 @@
 
     struct {
-        int8_t registersFlushed;
+        SpillRegistersMode spillMode : 8;
         int8_t baseGPR;
 #if USE(JSVALUE32_64)

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -1738 +1738 @@
         
     case PutById:
+    case PutByIdFlush:
     case PutByIdDirect:
         node->setCanExit(true);

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -181 +181 @@
         const GetByIdStatus&);
     void emitPutById(
-        Node* base, unsigned identifierNumber, Node* value, bool isDirect);
+        Node* base, unsigned identifierNumber, Node* value,  const PutByIdStatus&, bool isDirect);
     void handlePutById(
         Node* base, unsigned identifierNumber, Node* value, const PutByIdStatus&,
@@ -1944 +1944 @@
 
 void ByteCodeParser::emitPutById(
-    Node* base, unsigned identifierNumber, Node* value, bool isDirect)
+    Node* base, unsigned identifierNumber, Node* value, const PutByIdStatus& putByIdStatus, bool isDirect)
 {
     if (isDirect)
         addToGraph(PutByIdDirect, OpInfo(identifierNumber), base, value);
     else
-        addToGraph(PutById, OpInfo(identifierNumber), base, value);
+        addToGraph(putByIdStatus.makesCalls() ? PutByIdFlush : PutById, OpInfo(identifierNumber), base, value);
 }
 
@@ -1959 +1959 @@
         if (!putByIdStatus.isSet())
             addToGraph(ForceOSRExit);
-        emitPutById(base, identifierNumber, value, isDirect);
+        emitPutById(base, identifierNumber, value, putByIdStatus, isDirect);
         return;
     }
@@ -1965 +1965 @@
     if (putByIdStatus.numVariants() > 1) {
         if (!isFTL(m_graph.m_plan.mode)) {
-            emitPutById(base, identifierNumber, value, isDirect);
+            emitPutById(base, identifierNumber, value, putByIdStatus, isDirect);
             return;
         }
@@ -2002 +2002 @@
     }
     
-    ASSERT(variant.kind() == PutByIdVariant::Transition);
+    if (variant.kind() != PutByIdVariant::Transition) {
+        emitPutById(base, identifierNumber, value, putByIdStatus, isDirect);
+        return;
+    }
+
     if (variant.structureChain() && !variant.structureChain()->isStillValid()) {
-        emitPutById(base, identifierNumber, value, isDirect);
+        emitPutById(base, identifierNumber, value, putByIdStatus, isDirect);
         return;
     }

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -197 +197 @@
     case GetByIdFlush:
     case PutById:
+    case PutByIdFlush:
     case PutByIdDirect:
     case ArrayPush:

trunk/Source/JavaScriptCore/dfg/DFGCommon.h

@@ -96 +96 @@
 #endif
 }
-
-enum SpillRegistersMode { NeedToSpill, DontSpill };
 
 enum NoResultTag { NoResult };

trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

@@ -225 +225 @@
                 
             case PutById:
+            case PutByIdFlush:
             case PutByIdDirect: {
                 NodeOrigin origin = node->origin;

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -852 +852 @@
             
         case PutById:
+        case PutByIdFlush:
         case PutByIdDirect: {
             fixEdge<CellUse>(node->child1());

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -655 +655 @@
         case GetByIdFlush:
         case PutById:
+        case PutByIdFlush:
         case PutByIdDirect:
             return true;

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -147 +147 @@
     macro(GetByIdFlush, NodeResultJS | NodeMustGenerate | NodeClobbersWorld) \
     macro(PutById, NodeMustGenerate | NodeClobbersWorld) \
+    macro(PutByIdFlush, NodeMustGenerate | NodeMustGenerate | NodeClobbersWorld) \
     macro(PutByIdDirect, NodeMustGenerate | NodeClobbersWorld) \
     macro(CheckStructure, NodeMustGenerate) \

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -551 +551 @@
         case Throw:
         case PutById:
+        case PutByIdFlush:
         case PutByIdDirect:
         case PutByOffset:

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -156 +156 @@
     case GetByIdFlush:
     case PutById:
+    case PutByIdFlush:
     case PutByIdDirect:
     case CheckStructure:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -881 +881 @@
             stubInfo->patch.valueGPR = static_cast<int8_t>(resultGPR);
             stubInfo->patch.usedRegisters = usedRegisters();
-            stubInfo->patch.registersFlushed = false;
+            stubInfo->patch.spillMode = NeedToSpill;
             
             m_jit.addIn(InRecord(jump, done, slowPath.get(), stubInfo));

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -718 +718 @@
 #if USE(JSVALUE64)
     void cachedGetById(CodeOrigin, GPRReg baseGPR, GPRReg resultGPR, unsigned identifierNumber, JITCompiler::Jump slowPathTarget = JITCompiler::Jump(), SpillRegistersMode = NeedToSpill);
-    void cachedPutById(CodeOrigin, GPRReg base, GPRReg value, GPRReg scratchGPR, unsigned identifierNumber, PutKind, JITCompiler::Jump slowPathTarget = JITCompiler::Jump());
+    void cachedPutById(CodeOrigin, GPRReg base, GPRReg value, GPRReg scratchGPR, unsigned identifierNumber, PutKind, JITCompiler::Jump slowPathTarget = JITCompiler::Jump(), SpillRegistersMode = NeedToSpill);
 #elif USE(JSVALUE32_64)
     void cachedGetById(CodeOrigin, GPRReg baseTagGPROrNone, GPRReg basePayloadGPR, GPRReg resultTagGPR, GPRReg resultPayloadGPR, unsigned identifierNumber, JITCompiler::Jump slowPathTarget = JITCompiler::Jump(), SpillRegistersMode = NeedToSpill);
-    void cachedPutById(CodeOrigin, GPRReg basePayloadGPR, GPRReg valueTagGPR, GPRReg valuePayloadGPR, GPRReg scratchGPR, unsigned identifierNumber, PutKind, JITCompiler::Jump slowPathTarget = JITCompiler::Jump());
+    void cachedPutById(CodeOrigin, GPRReg basePayloadGPR, GPRReg valueTagGPR, GPRReg valuePayloadGPR, GPRReg scratchGPR, unsigned identifierNumber, PutKind, JITCompiler::Jump slowPathTarget = JITCompiler::Jump(), SpillRegistersMode = NeedToSpill);
 #endif
     

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -175 +175 @@
         m_jit.codeBlock(), codeOrigin, usedRegisters(),
         JSValueRegs(baseTagGPROrNone, basePayloadGPR),
-        JSValueRegs(resultTagGPR, resultPayloadGPR), spillMode != NeedToSpill);
+        JSValueRegs(resultTagGPR, resultPayloadGPR), spillMode);
     
     gen.generateFastPath(m_jit);
@@ -202 +202 @@
 }
 
-void SpeculativeJIT::cachedPutById(CodeOrigin codeOrigin, GPRReg basePayloadGPR, GPRReg valueTagGPR, GPRReg valuePayloadGPR, GPRReg scratchGPR, unsigned identifierNumber, PutKind putKind, JITCompiler::Jump slowPathTarget)
+void SpeculativeJIT::cachedPutById(CodeOrigin codeOrigin, GPRReg basePayloadGPR, GPRReg valueTagGPR, GPRReg valuePayloadGPR, GPRReg scratchGPR, unsigned identifierNumber, PutKind putKind, JITCompiler::Jump slowPathTarget, SpillRegistersMode spillMode)
 {
     JITPutByIdGenerator gen(
         m_jit.codeBlock(), codeOrigin, usedRegisters(),
         JSValueRegs::payloadOnly(basePayloadGPR), JSValueRegs(valueTagGPR, valuePayloadGPR),
-        scratchGPR, false, m_jit.ecmaModeFor(codeOrigin), putKind);
+        scratchGPR, spillMode, m_jit.ecmaModeFor(codeOrigin), putKind);
     
     gen.generateFastPath(m_jit);
@@ -3919 +3919 @@
         break;
     }
+
+    case PutByIdFlush: {
+        SpeculateCellOperand base(this, node->child1());
+        JSValueOperand value(this, node->child2());
+        GPRTemporary scratch(this);
+
+        GPRReg baseGPR = base.gpr();
+        GPRReg valueTagGPR = value.tagGPR();
+        GPRReg valuePayloadGPR = value.payloadGPR();
+        GPRReg scratchGPR = scratch.gpr();
+        flushRegisters();
+
+        cachedPutById(node->origin.semantic, baseGPR, valueTagGPR, valuePayloadGPR, scratchGPR, node->identifierNumber(), NotDirect, MacroAssembler::Jump(), DontSpill);
+
+        noResult(node);
+        break;
+    }
         
     case PutById: {

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -38 +38 @@
 #include "JSCInlines.h"
 #include "ObjectPrototype.h"
+#include "SpillRegistersMode.h"
 
 namespace JSC { namespace DFG {
@@ -192 +193 @@
     JITGetByIdGenerator gen(
         m_jit.codeBlock(), codeOrigin, usedRegisters(), JSValueRegs(baseGPR),
-        JSValueRegs(resultGPR), spillMode != NeedToSpill);
+        JSValueRegs(resultGPR), spillMode);
     gen.generateFastPath(m_jit);
     
@@ -208 +209 @@
 }
 
-void SpeculativeJIT::cachedPutById(CodeOrigin codeOrigin, GPRReg baseGPR, GPRReg valueGPR, GPRReg scratchGPR, unsigned identifierNumber, PutKind putKind, JITCompiler::Jump slowPathTarget)
+void SpeculativeJIT::cachedPutById(CodeOrigin codeOrigin, GPRReg baseGPR, GPRReg valueGPR, GPRReg scratchGPR, unsigned identifierNumber, PutKind putKind, JITCompiler::Jump slowPathTarget, SpillRegistersMode spillMode)
 {
     JITPutByIdGenerator gen(
         m_jit.codeBlock(), codeOrigin, usedRegisters(), JSValueRegs(baseGPR),
-        JSValueRegs(valueGPR), scratchGPR, false, m_jit.ecmaModeFor(codeOrigin), putKind);
+        JSValueRegs(valueGPR), scratchGPR, spillMode, m_jit.ecmaModeFor(codeOrigin), putKind);
+
     gen.generateFastPath(m_jit);
     
@@ -4249 +4251 @@
         break;
     }
+
+    case PutByIdFlush: {
+        SpeculateCellOperand base(this, node->child1());
+        JSValueOperand value(this, node->child2());
+        GPRTemporary scratch(this);
+
+        GPRReg baseGPR = base.gpr();
+        GPRReg valueGPR = value.gpr();
+        GPRReg scratchGPR = scratch.gpr();
+        flushRegisters();
+
+        cachedPutById(node->origin.semantic, baseGPR, valueGPR, scratchGPR, node->identifierNumber(), NotDirect, MacroAssembler::Jump(), DontSpill);
+
+        noResult(node);
+        break;
+    }
         
     case PutById: {

trunk/Source/JavaScriptCore/jit/CCallHelpers.h

@@ -372 +372 @@
         addCallArgument(arg3);
         addCallArgument(arg4);
+    }
+    
+    ALWAYS_INLINE void setupArgumentsWithExecState(TrustedImmPtr arg1, GPRReg arg2, TrustedImm32 arg3, GPRReg arg4, GPRReg arg5)
+    {
+        resetCallArguments();
+        addCallArgument(GPRInfo::callFrameRegister);
+        addCallArgument(arg1);
+        addCallArgument(arg2);
+        addCallArgument(arg3);
+        addCallArgument(arg4);
+        addCallArgument(arg5);
     }
 

trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp

@@ -50 +50 @@
 JITByIdGenerator::JITByIdGenerator(
     CodeBlock* codeBlock, CodeOrigin codeOrigin, const RegisterSet& usedRegisters,
-    JSValueRegs base, JSValueRegs value, bool registersFlushed)
+    JSValueRegs base, JSValueRegs value, SpillRegistersMode spillMode)
     : JITInlineCacheGenerator(codeBlock, codeOrigin)
     , m_base(base)
     , m_value(value)
 {
-    m_stubInfo->patch.registersFlushed = registersFlushed;
+    m_stubInfo->patch.spillMode = spillMode;
     m_stubInfo->patch.usedRegisters = usedRegisters;
     
@@ -130 +130 @@
 JITPutByIdGenerator::JITPutByIdGenerator(
     CodeBlock* codeBlock, CodeOrigin codeOrigin, const RegisterSet& usedRegisters,
-    JSValueRegs base, JSValueRegs value, GPRReg scratch, bool registersFlushed,
+    JSValueRegs base, JSValueRegs value, GPRReg scratch, SpillRegistersMode spillMode,
     ECMAMode ecmaMode, PutKind putKind)
-    : JITByIdGenerator(codeBlock, codeOrigin, usedRegisters, base, value, registersFlushed)
+    : JITByIdGenerator(codeBlock, codeOrigin, usedRegisters, base, value, spillMode)
     , m_scratch(scratch)
     , m_ecmaMode(ecmaMode)

trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.h

@@ -58 +58 @@
     JITByIdGenerator(
         CodeBlock*, CodeOrigin, const RegisterSet&, JSValueRegs base, JSValueRegs value,
-        bool registersFlushed);
+        SpillRegistersMode spillMode);
     
 public:
@@ -96 +96 @@
 
     JITGetByIdGenerator(
-        CodeBlock* codeBlock, CodeOrigin codeOrigin, const RegisterSet& usedRegisters,
-        JSValueRegs base, JSValueRegs value, bool registersFlushed)
-        : JITByIdGenerator(codeBlock, codeOrigin, usedRegisters, base, value, registersFlushed)
+    CodeBlock* codeBlock, CodeOrigin codeOrigin, const RegisterSet& usedRegisters,
+    JSValueRegs base, JSValueRegs value, SpillRegistersMode spillMode)
+    : JITByIdGenerator(codeBlock, codeOrigin, usedRegisters, base, value, spillMode)
     {
     }
@@ -111 +111 @@
     JITPutByIdGenerator(
         CodeBlock*, CodeOrigin, const RegisterSet& usedRegisters, JSValueRegs base,
-        JSValueRegs value, GPRReg scratch, bool registersFlushed, ECMAMode, PutKind);
+        JSValueRegs, GPRReg scratch, SpillRegistersMode spillMode, ECMAMode, PutKind);
     
     void generateFastPath(MacroAssembler&);

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -1731 +1731 @@
     // Covers implicit globals. Since they don't exist until they first execute, we didn't know how to cache them at compile time.
     if (modeAndType.type() == GlobalProperty || modeAndType.type() == GlobalPropertyWithVarInjectionChecks) {
-        if (slot.isCacheable() && slot.base() == scope && scope->structure()->propertyAccessesAreCacheable()) {
+        if (slot.isCacheablePut() && slot.base() == scope && scope->structure()->propertyAccessesAreCacheable()) {
             ConcurrentJITLocker locker(codeBlock->m_lock);
             pc[5].u.structure.set(exec->vm(), codeBlock->ownerExecutable(), scope->structure());

trunk/Source/JavaScriptCore/jit/JITOperations.h

@@ -36 +36 @@
 #include "MacroAssembler.h"
 #include "PutKind.h"
+#include "SpillRegistersMode.h"
 #include "StructureStubInfo.h"
 #include "VariableWatchpointSet.h"
+
 
 namespace JSC {

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -522 +522 @@
     JITGetByIdGenerator gen(
         m_codeBlock, CodeOrigin(m_bytecodeOffset), RegisterSet::specialRegisters(),
-        JSValueRegs(regT0), JSValueRegs(regT0), true);
+        JSValueRegs(regT0), JSValueRegs(regT0), DontSpill);
     gen.generateFastPath(*this);
     addSlowCase(gen.slowPathJump());
@@ -568 +568 @@
     JITPutByIdGenerator gen(
         m_codeBlock, CodeOrigin(m_bytecodeOffset), RegisterSet::specialRegisters(),
-        JSValueRegs(regT0), JSValueRegs(regT1), regT2, true, m_codeBlock->ecmaMode(),
+        JSValueRegs(regT0), JSValueRegs(regT1), regT2, DontSpill, m_codeBlock->ecmaMode(),
         direct ? Direct : NotDirect);
     

trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp

@@ -479 +479 @@
     JITGetByIdGenerator gen(
         m_codeBlock, CodeOrigin(m_bytecodeOffset), RegisterSet::specialRegisters(),
-        JSValueRegs::payloadOnly(regT0), JSValueRegs(regT1, regT0), true);
+        JSValueRegs::payloadOnly(regT0), JSValueRegs(regT1, regT0), DontSpill);
     gen.generateFastPath(*this);
     addSlowCase(gen.slowPathJump());
@@ -528 +528 @@
         m_codeBlock, CodeOrigin(m_bytecodeOffset), RegisterSet::specialRegisters(),
         JSValueRegs::payloadOnly(regT0), JSValueRegs(regT3, regT2),
-        regT1, true, m_codeBlock->ecmaMode(), direct ? Direct : NotDirect);
+        regT1, DontSpill, m_codeBlock->ecmaMode(), direct ? Direct : NotDirect);
     
     gen.generateFastPath(*this);

trunk/Source/JavaScriptCore/jit/Repatch.cpp

@@ -450 +450 @@
         return false;
 
-    if (!stubInfo.patch.registersFlushed) {
+    if (stubInfo.patch.spillMode == NeedToSpill) {
         // We cannot do as much inline caching if the registers were not flushed prior to this GetById. In particular,
         // non-Value cached properties require planting calls, which requires registers to have been flushed. Thus,
@@ -552 +552 @@
     
     if (slot.slotBase() == baseValue) {
-        if (!stubInfo.patch.registersFlushed) {
+        if (stubInfo.patch.spillMode == NeedToSpill) {
             // We cannot do as much inline caching if the registers were not flushed prior to this GetById. In particular,
             // non-Value cached properties require planting calls, which requires registers to have been flushed. Thus,
@@ -703 +703 @@
         return false;
     
-    if (!stubInfo.patch.registersFlushed) {
+    if (stubInfo.patch.spillMode == NeedToSpill) {
         // We cannot do as much inline caching if the registers were not flushed prior to this GetById. In particular,
         // non-Value cached properties require planting calls, which requires registers to have been flushed. Thus,
@@ -1130 +1130 @@
 }
 
+static void emitCustomSetterStub(ExecState* exec, const PutPropertySlot& slot,
+    StructureStubInfo& stubInfo, Structure* structure, StructureChain* prototypeChain,
+    CodeLocationLabel failureLabel, RefPtr<JITStubRoutine>& stubRoutine)
+{
+    VM* vm = &exec->vm();
+    ASSERT(stubInfo.patch.spillMode == DontSpill);
+    GPRReg baseGPR = static_cast<GPRReg>(stubInfo.patch.baseGPR);
+#if USE(JSVALUE32_64)
+    GPRReg valueTagGPR = static_cast<GPRReg>(stubInfo.patch.valueTagGPR);
+#endif
+    GPRReg valueGPR = static_cast<GPRReg>(stubInfo.patch.valueGPR);
+    TempRegisterSet tempRegisters(stubInfo.patch.usedRegisters);
+
+    CCallHelpers stubJit(vm);
+    GPRReg scratchGPR = tempRegisters.getFreeGPR();
+    RELEASE_ASSERT(scratchGPR != InvalidGPRReg);
+    RELEASE_ASSERT(scratchGPR != baseGPR);
+    RELEASE_ASSERT(scratchGPR != valueGPR);
+    MacroAssembler::JumpList failureCases;
+    failureCases.append(branchStructure(stubJit,
+        MacroAssembler::NotEqual,
+        MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()),
+        structure));
+    
+    if (prototypeChain) {
+        for (WriteBarrier<Structure>* it = prototypeChain->head(); *it; ++it)
+            addStructureTransitionCheck((*it)->storedPrototype(), exec->codeBlock(), stubInfo, stubJit, failureCases, scratchGPR);
+    }
+
+    // typedef void (*PutValueFunc)(ExecState*, JSObject* base, EncodedJSValue thisObject, EncodedJSValue value);
+#if USE(JSVALUE64)
+    stubJit.setupArgumentsWithExecState(MacroAssembler::TrustedImmPtr(slot.base()), baseGPR, valueGPR);
+#else
+    stubJit.setupArgumentsWithExecState(MacroAssembler::TrustedImmPtr(slot.base()), baseGPR, MacroAssembler::TrustedImm32(JSValue::CellTag), valueGPR, valueTagGPR);
+#endif
+
+    // Need to make sure that whenever this call is made in the future, we remember the
+    // place that we made it from. It just so happens to be the place that we are at
+    // right now!
+    stubJit.store32(MacroAssembler::TrustedImm32(exec->locationAsRawBits()),
+        CCallHelpers::tagFor(static_cast<VirtualRegister>(JSStack::ArgumentCount)));
+    stubJit.storePtr(GPRInfo::callFrameRegister, &vm->topCallFrame);
+
+    MacroAssembler::Call setterCall = stubJit.call();
+    
+    MacroAssembler::Jump success = stubJit.emitExceptionCheck(CCallHelpers::InvertedExceptionCheck);
+
+    stubJit.setupArguments(CCallHelpers::TrustedImmPtr(vm), GPRInfo::callFrameRegister);
+
+    MacroAssembler::Call handlerCall = stubJit.call();
+
+    stubJit.jumpToExceptionHandler();
+    LinkBuffer patchBuffer(*vm, &stubJit, exec->codeBlock());
+
+    patchBuffer.link(success, stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToDone));
+    patchBuffer.link(failureCases, failureLabel);
+    patchBuffer.link(setterCall, FunctionPtr(slot.customSetter()));
+    patchBuffer.link(handlerCall, lookupExceptionHandler);
+
+    stubRoutine = createJITStubRoutine(
+        FINALIZE_CODE_FOR(exec->codeBlock(), patchBuffer, ("PutById custom setter stub for %s, return point %p",
+        toCString(*exec->codeBlock()).data(), stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToDone).executableAddress())), *vm, exec->codeBlock()->ownerExecutable(), structure);
+}
+
+
 static bool tryCachePutByID(ExecState* exec, JSValue baseValue, const Identifier& ident, const PutPropertySlot& slot, StructureStubInfo& stubInfo, PutKind putKind)
 {
@@ -1141 +1206 @@
     Structure* oldStructure = structure->previousID();
     
-    if (!slot.isCacheable())
+    if (!slot.isCacheablePut() && !slot.isCacheableCustomProperty())
         return false;
     if (!structure->propertyAccessesAreCacheable())
@@ -1147 +1212 @@
 
     // Optimize self access.
-    if (slot.base() == baseValue) {
+    if (slot.base() == baseValue && slot.isCacheablePut()) {
         if (slot.type() == PutPropertySlot::NewProperty) {
             if (structure->isDictionary())
@@ -1194 +1259 @@
         return true;
     }
+    if (slot.isCacheableCustomProperty() && stubInfo.patch.spillMode == DontSpill) {
+        RefPtr<JITStubRoutine> stubRoutine;
+
+        StructureChain* prototypeChain = 0;
+        if (baseValue != slot.base()) {
+            PropertyOffset offsetIgnored;
+            if (normalizePrototypeChainForChainAccess(exec, baseCell, slot.base(), ident, offsetIgnored) == InvalidPrototypeChain)
+                return false;
+
+            prototypeChain = structure->prototypeChain(exec);
+        }
+        PolymorphicPutByIdList* list;
+        list = PolymorphicPutByIdList::from(putKind, stubInfo);
+
+        emitCustomSetterStub(exec, slot, stubInfo,
+            structure, prototypeChain,
+            stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToSlowCase),
+            stubRoutine);
+
+        list->addAccess(PutByIdAccess::customSetter(*vm, codeBlock->ownerExecutable(), structure, prototypeChain, slot.customSetter(), stubRoutine));
+
+        RepatchBuffer repatchBuffer(codeBlock);
+        repatchBuffer.relink(stubInfo.callReturnLocation.jumpAtOffset(stubInfo.patch.deltaCallToJump), CodeLocationLabel(stubRoutine->code().code()));
+        repatchCall(repatchBuffer, stubInfo.callReturnLocation, appropriateListBuildingPutByIdFunction(slot, putKind));
+        RELEASE_ASSERT(!list->isFull());
+        return true;
+    }
 
     return false;
@@ -1218 +1310 @@
     Structure* oldStructure = structure->previousID();
     
-    if (!slot.isCacheable())
-        return false;
+    
+    if (!slot.isCacheablePut() && !slot.isCacheableCustomProperty())
+        return false;
+
     if (!structure->propertyAccessesAreCacheable())
         return false;
 
     // Optimize self access.
-    if (slot.base() == baseValue) {
+    if (slot.base() == baseValue && slot.isCacheablePut()) {
         PolymorphicPutByIdList* list;
         RefPtr<JITStubRoutine> stubRoutine;
@@ -1286 +1380 @@
     }
 
+    if (slot.isCacheableCustomProperty() && stubInfo.patch.spillMode == DontSpill) {
+        RefPtr<JITStubRoutine> stubRoutine;
+        StructureChain* prototypeChain = 0;
+        if (baseValue != slot.base()) {
+            PropertyOffset offsetIgnored;
+            if (normalizePrototypeChainForChainAccess(exec, baseCell, slot.base(), propertyName, offsetIgnored) == InvalidPrototypeChain)
+                return false;
+
+            prototypeChain = structure->prototypeChain(exec);
+        }
+        PolymorphicPutByIdList* list;
+        list = PolymorphicPutByIdList::from(putKind, stubInfo);
+
+        emitCustomSetterStub(exec, slot, stubInfo,
+            structure, prototypeChain,
+            CodeLocationLabel(list->currentSlowPathTarget()),
+            stubRoutine);
+
+        list->addAccess(PutByIdAccess::customSetter(*vm, codeBlock->ownerExecutable(), structure, prototypeChain, slot.customSetter(), stubRoutine));
+
+        RepatchBuffer repatchBuffer(codeBlock);
+        repatchBuffer.relink(stubInfo.callReturnLocation.jumpAtOffset(stubInfo.patch.deltaCallToJump), CodeLocationLabel(stubRoutine->code().code()));
+        if (list->isFull())
+            repatchCall(repatchBuffer, stubInfo.callReturnLocation, appropriateGenericPutByIdFunction(slot, putKind));
+
+        return true;
+    }
     return false;
 }

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -629 +629 @@
     if (!LLINT_ALWAYS_ACCESS_SLOW
         && baseValue.isCell()
-        && slot.isCacheable()) {
+        && slot.isCacheablePut()) {
         
         JSCell* baseCell = baseValue.asCell();
@@ -1411 +1411 @@
     // Covers implicit globals. Since they don't exist until they first execute, we didn't know how to cache them at compile time.
     if (modeAndType.type() == GlobalProperty || modeAndType.type() == GlobalPropertyWithVarInjectionChecks) {
-        if (slot.isCacheable() && slot.base() == scope && scope->structure()->propertyAccessesAreCacheable()) {
+        if (slot.isCacheablePut() && slot.base() == scope && scope->structure()->propertyAccessesAreCacheable()) {
             ConcurrentJITLocker locker(codeBlock->m_lock);
             pc[5].u.structure.set(exec->vm(), codeBlock->ownerExecutable(), scope->structure());

trunk/Source/JavaScriptCore/runtime/Lookup.h

@@ -307 +307 @@
         } else if (!(entry->attributes() & ReadOnly)) {
             entry->propertyPutter()(exec, base, JSValue::encode(slot.thisValue()), JSValue::encode(value));
-            slot.setCustomProperty(base, entry->propertyPutter());
+            slot.setCacheableCustomProperty(base, entry->propertyPutter());
         } else if (slot.isStrictMode())
             throwTypeError(exec, StrictModeReadonlyPropertyWriteError);

trunk/Source/JavaScriptCore/runtime/PutPropertySlot.h

@@ -39 +39 @@
     class PutPropertySlot {
     public:
-        enum Type { Uncachable, ExistingProperty, NewProperty, CustomProperty };
+        enum Type { Uncachable, ExistingProperty, NewProperty, CustomProperty, CacheableCustomProperty };
         enum Context { UnknownContext, PutById, PutByIdEval };
         typedef void (*PutValueFunc)(ExecState*, JSObject* base, EncodedJSValue thisObject, EncodedJSValue value);
@@ -73 +73 @@
             m_putFunction = function;
         }
-        
+
+        void setCacheableCustomProperty(JSObject* base, PutValueFunc function)
+        {
+            m_type = CacheableCustomProperty;
+            m_base = base;
+            m_putFunction = function;
+        }
+        PutValueFunc customSetter() const { return m_putFunction; }
+
         Context context() const { return static_cast<Context>(m_context); }
 
@@ -81 +89 @@
 
         bool isStrictMode() const { return m_isStrictMode; }
-        bool isCacheable() const { return m_type != Uncachable && m_type != CustomProperty; }
+        bool isCacheablePut() const { return m_type == NewProperty || m_type == ExistingProperty; }
+        bool isCacheableCustomProperty() const { return m_type == CacheableCustomProperty; }
+
         PropertyOffset cachedOffset() const
         {
-            ASSERT(isCacheable());
+            ASSERT(isCacheablePut());
             return m_offset;
         }

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2014-03-05  Oliver Hunt  <[email protected]>
+
+        Support caching of custom setters
+        https://bugs.webkit.org/show_bug.cgi?id=129519
+
+        Reviewed by Filip Pizlo.
+
+        Add forwarding header
+
+        Tests: js/regress/assign-custom-setter-polymorphic.html
+               js/regress/assign-custom-setter.html
+
+        * ForwardingHeaders/jit/SpillRegistersMode.h: Added.
+
 2014-03-05  David Kilzer  <[email protected]>