1. 02 Dec, 2013 1 commit
  2. 25 Jul, 2013 3 commits
    • oliver@apple.com's avatar
      fourthTier: DFG IR dumps should be easier to read · 237b1464
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=119050
      
      Source/JavaScriptCore:
      
      Reviewed by Mark Hahnenberg.
      
      Added a DumpContext that includes support for printing an endnote
      that describes all structures in full, while the main flow of the
      dump just uses made-up names for the structures. This is helpful
      since Structure::dump() may print a lot. The stuff it prints is
      useful, but if it's all inline with the surrounding thing you're
      dumping (often, a node in the DFG), then you get a ridiculously
      long print-out. All classes that dump structures (including
      Structure itself) now have dumpInContext() methods that use
      inContext() for dumping anything that might transitively print a
      structure. If Structure::dumpInContext() is called with a NULL
      context, it just uses dump() like before. Hence you don't have to
      know anything about DumpContext unless you want to.
      
      inContext(*structure, context) dumps something like %B4:Array,
      and the endnote will have something like:
      
          %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
      
      where B4 is the inferred name that StringHashDumpContext came up
      with.
      
      Also shortened a bunch of other dumps, removing information that
      isn't so important.
      
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/ArrayProfile.cpp:
      (JSC::dumpArrayModes):
      * bytecode/CodeBlockHash.cpp:
      (JSC):
      (JSC::CodeBlockHash::CodeBlockHash):
      (JSC::CodeBlockHash::dump):
      * bytecode/CodeOrigin.cpp:
      (JSC::CodeOrigin::dumpInContext):
      (JSC):
      (JSC::InlineCallFrame::dumpInContext):
      (JSC::InlineCallFrame::dump):
      * bytecode/CodeOrigin.h:
      (CodeOrigin):
      (InlineCallFrame):
      * bytecode/Operands.h:
      (JSC::OperandValueTraits::isEmptyForDump):
      (Operands):
      (JSC::Operands::dump):
      (JSC):
      * bytecode/OperandsInlines.h: Added.
      (JSC):
      (JSC::::dumpInContext):
      * bytecode/StructureSet.h:
      (JSC::StructureSet::dumpInContext):
      (JSC::StructureSet::dump):
      (StructureSet):
      * dfg/DFGAbstractValue.cpp:
      (JSC::DFG::AbstractValue::dump):
      (DFG):
      (JSC::DFG::AbstractValue::dumpInContext):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::operator!):
      (AbstractValue):
      * dfg/DFGCFAPhase.cpp:
      (JSC::DFG::CFAPhase::performBlockCFA):
      * dfg/DFGCommon.cpp:
      * dfg/DFGCommon.h:
      (JSC::DFG::NodePointerTraits::isEmptyForDump):
      * dfg/DFGDisassembler.cpp:
      (JSC::DFG::Disassembler::createDumpList):
      * dfg/DFGDisassembler.h:
      (Disassembler):
      * dfg/DFGFlushFormat.h:
      (WTF::inContext):
      (WTF):
      * dfg/DFGFlushLivenessAnalysisPhase.cpp:
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dumpCodeOrigin):
      (JSC::DFG::Graph::dump):
      (JSC::DFG::Graph::dumpBlockHeader):
      * dfg/DFGGraph.h:
      (Graph):
      * dfg/DFGLazyJSValue.cpp:
      (JSC::DFG::LazyJSValue::dumpInContext):
      (JSC::DFG::LazyJSValue::dump):
      (DFG):
      * dfg/DFGLazyJSValue.h:
      (LazyJSValue):
      * dfg/DFGNode.h:
      (JSC::DFG::nodeMapDump):
      (WTF::inContext):
      (WTF):
      * dfg/DFGOSRExitCompiler32_64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGOSRExitCompiler64.cpp:
      (JSC::DFG::OSRExitCompiler::compileExit):
      * dfg/DFGStructureAbstractValue.h:
      (JSC::DFG::StructureAbstractValue::dumpInContext):
      (JSC::DFG::StructureAbstractValue::dump):
      (StructureAbstractValue):
      * ftl/FTLExitValue.cpp:
      (JSC::FTL::ExitValue::dumpInContext):
      (JSC::FTL::ExitValue::dump):
      (FTL):
      * ftl/FTLExitValue.h:
      (ExitValue):
      * ftl/FTLLowerDFGToLLVM.cpp:
      * ftl/FTLValueSource.cpp:
      (JSC::FTL::ValueSource::dumpInContext):
      (FTL):
      * ftl/FTLValueSource.h:
      (ValueSource):
      * runtime/DumpContext.cpp: Added.
      (JSC):
      (JSC::DumpContext::DumpContext):
      (JSC::DumpContext::~DumpContext):
      (JSC::DumpContext::isEmpty):
      (JSC::DumpContext::dump):
      * runtime/DumpContext.h: Added.
      (JSC):
      (DumpContext):
      * runtime/JSCJSValue.cpp:
      (JSC::JSValue::dump):
      (JSC):
      (JSC::JSValue::dumpInContext):
      * runtime/JSCJSValue.h:
      (JSC):
      (JSValue):
      * runtime/Structure.cpp:
      (JSC::Structure::dumpInContext):
      (JSC):
      (JSC::Structure::dumpBrief):
      (JSC::Structure::dumpContextHeader):
      * runtime/Structure.h:
      (JSC):
      (Structure):
      
      Source/WTF:
      
      Reviewed by Mark Hahnenberg.
      
      Added support for dumping values within a context. By default, if you say
      print(inContext(value, context)) it calls value.dumpInContext(out, context)
      instead of value.dump(out).
      
      Hoisted the support for six-character hashes out of JSC::CodeBlockHash into
      WTF, in the form of SixCharacterHash.h.
      
      Added a helper for creating dump contexts where the inContext() dump will
      just use a short string hash to "name" the object being dumped, and then
      will print out the full dumps in an endnote to your dump.
      
      Added support for using CString as a hashtable key.
      
      * WTF.xcodeproj/project.pbxproj:
      * wtf/PrintStream.h:
      (WTF):
      (ValueInContext):
      (WTF::ValueInContext::ValueInContext):
      (WTF::ValueInContext::dump):
      (WTF::inContext):
      * wtf/SixCharacterHash.cpp: Added.
      (WTF):
      (WTF::sixCharacterHashStringToInteger):
      (WTF::integerToSixCharacterHashString):
      * wtf/SixCharacterHash.h: Added.
      (WTF):
      * wtf/StringHashDumpContext.h: Added.
      (WTF):
      (StringHashDumpContext):
      (WTF::StringHashDumpContext::StringHashDumpContext):
      (WTF::StringHashDumpContext::getID):
      (WTF::StringHashDumpContext::dumpBrief):
      (WTF::StringHashDumpContext::brief):
      (WTF::StringHashDumpContext::isEmpty):
      (WTF::StringHashDumpContext::dump):
      * wtf/text/CString.cpp:
      (WTF::CString::hash):
      (WTF):
      (WTF::operator<):
      (WTF::CStringHash::equal):
      * wtf/text/CString.h:
      (WTF::CString::CString):
      (CString):
      (WTF::CString::isHashTableDeletedValue):
      (WTF):
      (WTF::CStringHash::hash):
      (CStringHash):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153296 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      237b1464
    • oliver@apple.com's avatar
      fourthTier: Structure should have a dump() · 880e6c35
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=117859
      
      Reviewed by Geoffrey Garen.
      
      This is pretty cool. Anywhere we previously printed Structure pointers in dumps,
      we now print a bunch of other info as well. For example, for an object literal
      like "{f:42, g:64, h:24}", when we print the structure we'll now get:
      
          0x107a0af80:[Object, {f:0, g:1, h:2}, NonArray, Proto:0x107a8fff0]
      
      This also changes a bunch of places to use the dump method.
      
      * bytecode/StructureSet.h:
      (JSC::StructureSet::dump):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGStructureAbstractValue.h:
      (JSC::DFG::StructureAbstractValue::dump):
      * runtime/JSCJSValue.cpp:
      (JSC::JSValue::dump):
      * runtime/Structure.cpp:
      (JSC::Structure::dump):
      (JSC):
      * runtime/Structure.h:
      (Structure):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153238 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      880e6c35
    • oliver@apple.com's avatar
      fourthTier: Clean up AbstractValue · db4f90d9
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=117217
      
      Reviewed by Oliver Hunt.
      
      This started as an attempt to make it so that when AbstractValue becomes empty,
      its m_type always becomes SpecNone. I wanted this to happen naturally. That turns
      out to be basically impossible, since AbstractValue is a set that is dynamically
      computed from the intersection of several internal sets: so the value becomes
      empty when any of the sets go empty. It's OK if we're imprecise here because it's
      always safe for the AbstractValue to seem to overapproximate the set of values
      that we see. So I mostly gave up on cleaning up that aspect of AbstractValue. But
      while trying to make this happen, I encountered two bugs:
      
      - filterValueByType() ignores the case when m_type contravenes m_value. Namely,
        we might filter the AbstractValue against a SpeculatedType leading to m_value
        becoming inconsistent with the new m_type. This change fixes that case. This
        wasn't a symptomatic bug but it was a silly oversight.
      
      - filterFuturePossibleStructure() was never right. The one call to this method,
        in filter(Graph&, const StructureSet&), assumed that the previous notions of
        what structures the value could have in the future were still relevant. This
        could lead to a bug where we:
      
        1) CheckStructure(@foo, S1)
      
           Where S1 has a valid watchpoint. Now @foo's abstract value will have current
           and future structure = S1.
      
        2) Clobber the world.
      
           Now @foo's abstract value will have current structure = TOP, and future
           possible structure = S1.
      
        3) CheckStructure(@foo, S2)
      
           Now @foo's abstract value will have current structure = S2 and future
           possible structure = S1 intersect S2 = BOTTOM.
      
        Now we will think that any subsequent watchpoint on @foo is valid because the
        value is effectively BOTTOM. That would only be correct if we had actually set
        a watchpoint on S1. If we had done so, then (3) would only pass (i.e. @foo
        would only have structure S2) if S1's watchpoint fired, in which case (3)
        wouldn't have been reachable. But we didn't actually set a watchpoint on S1:
        we just observed that we *could* have set the watchpoint. Hence future possible
        structure should only be set to either the known structure at compile-time, or
        it should be the structure we just checked; in both cases it should only be set
        if the structure is watchable.
      
      Then, in addition to all of this, I changed AbstractValue's filtering methods to
      call clear() if the AbstractValue is effectively clear. This is just meant to
      simplify the recognition of truly empty AbstractValues, but doesn't actually have
      any other implications.
      
      * bytecode/StructureSet.h:
      (JSC::StructureSet::dump):
      * dfg/DFGAbstractValue.cpp:
      (JSC::DFG::AbstractValue::filter):
      (DFG):
      (JSC::DFG::AbstractValue::filterArrayModes):
      (JSC::DFG::AbstractValue::filterValueByType):
      (JSC::DFG::AbstractValue::filterArrayModesByType):
      (JSC::DFG::AbstractValue::shouldBeClear):
      (JSC::DFG::AbstractValue::normalizeClarity):
      (JSC::DFG::AbstractValue::checkConsistency):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::isClear):
      (AbstractValue):
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153208 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      db4f90d9
  3. 20 Oct, 2012 1 commit
    • fpizlo@apple.com's avatar
      DFG should have some facility for recognizing redundant CheckArrays and Arrayifies · 372c6d51
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=99287
      
      Reviewed by Mark Hahnenberg.
      
      Adds reasoning about indexing type sets (i.e. ArrayModes) to AbstractValue, which
      then enables us to fold away CheckArray's and Arrayify's that are redundant.
      
      * bytecode/ArrayProfile.cpp:
      (JSC::arrayModesToString):
      (JSC):
      * bytecode/ArrayProfile.h:
      (JSC):
      (JSC::mergeArrayModes):
      (JSC::arrayModesAlreadyChecked):
      * bytecode/StructureSet.h:
      (JSC::StructureSet::arrayModesFromStructures):
      (StructureSet):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::AbstractValue::AbstractValue):
      (JSC::DFG::AbstractValue::clear):
      (JSC::DFG::AbstractValue::isClear):
      (JSC::DFG::AbstractValue::makeTop):
      (JSC::DFG::AbstractValue::clobberStructures):
      (AbstractValue):
      (JSC::DFG::AbstractValue::setMostSpecific):
      (JSC::DFG::AbstractValue::set):
      (JSC::DFG::AbstractValue::operator==):
      (JSC::DFG::AbstractValue::merge):
      (JSC::DFG::AbstractValue::filter):
      (JSC::DFG::AbstractValue::filterArrayModes):
      (JSC::DFG::AbstractValue::validate):
      (JSC::DFG::AbstractValue::checkConsistency):
      (JSC::DFG::AbstractValue::dump):
      (JSC::DFG::AbstractValue::clobberArrayModes):
      (JSC::DFG::AbstractValue::clobberArrayModesSlow):
      (JSC::DFG::AbstractValue::setFuturePossibleStructure):
      (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
      * dfg/DFGArrayMode.cpp:
      (JSC::DFG::modeAlreadyChecked):
      * dfg/DFGArrayMode.h:
      (JSC::DFG::arrayModesFor):
      (DFG):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::foldConstants):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::arrayify):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@131982 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      372c6d51
  4. 05 Jul, 2012 1 commit
    • fpizlo@apple.com's avatar
      Inline property storage should not be wasted when it is exhausted · d68b1f84
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=90347
      
      Reviewed by Gavin Barraclough.
              
      Previously, if we switched an object from using inline storage to out-of-line
      storage, we would abandon the inline storage. This would have two main implications:
      (i) all accesses to the object, even for properties that were previously in inline
      storage, must now take an extra indirection; and (ii) we waste a non-trivial amount
      of space since we must allocate additional out-of-line storage to hold properties
      that would have fit in the inline storage. There's also the copying cost when
      switching to out-of-line storage - we must copy all inline properties into ouf-of-line
      storage.
              
      This patch changes the way that object property storage works so that we can use both
      inline and out-of-line storage concurrently. This is accomplished by introducing a
      new notion of property offset. This PropertyOffset is a 32-bit signed integer and it
      behaves as follows:
              
      offset == -1: invalid offset, indicating a property that does not exist.
              
      0 <= offset <= inlineStorageCapacity: offset into inline storage.
              
      inlineStorageCapacity < offset: offset into out-of-line storage.
              
      Because non-final objects don't have inline storage, the only valid PropertyOffsets
      for those objects' properties are -1 or > inlineStorageCapacity.
              
      This now means that the decision to use inline or out-of-line storage for an access is
      made based on the offset, rather than the structure. It also means that any access
      where the offset is a variable must have an extra branch, unless the type of the
      object is also known (if it's known to be a non-final object then we can just assert
      that the offset is >= inlineStorageCapacity).
              
      This looks like a big Kraken speed-up and a slight V8 speed-up.
      
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * assembler/ARMv7Assembler.h:
      (ARMv7Assembler):
      (JSC::ARMv7Assembler::ldrWide8BitImmediate):
      (JSC::ARMv7Assembler::replaceWithLoad):
      (JSC::ARMv7Assembler::replaceWithAddressComputation):
      * assembler/AbstractMacroAssembler.h:
      (AbstractMacroAssembler):
      (ConvertibleLoadLabel):
      (JSC::AbstractMacroAssembler::ConvertibleLoadLabel::ConvertibleLoadLabel):
      (JSC::AbstractMacroAssembler::ConvertibleLoadLabel::isSet):
      (JSC::AbstractMacroAssembler::labelIgnoringWatchpoints):
      (JSC::AbstractMacroAssembler::replaceWithLoad):
      (JSC::AbstractMacroAssembler::replaceWithAddressComputation):
      * assembler/CodeLocation.h:
      (JSC):
      (CodeLocationCommon):
      (CodeLocationConvertibleLoad):
      (JSC::CodeLocationConvertibleLoad::CodeLocationConvertibleLoad):
      (JSC::CodeLocationCommon::convertibleLoadAtOffset):
      * assembler/LinkBuffer.cpp:
      (JSC::LinkBuffer::finalizeCodeWithDisassembly):
      * assembler/LinkBuffer.h:
      (LinkBuffer):
      (JSC::LinkBuffer::locationOf):
      * assembler/MacroAssemblerARMv7.h:
      (MacroAssemblerARMv7):
      (JSC::MacroAssemblerARMv7::convertibleLoadPtr):
      * assembler/MacroAssemblerX86.h:
      (JSC::MacroAssemblerX86::convertibleLoadPtr):
      (MacroAssemblerX86):
      * assembler/MacroAssemblerX86_64.h:
      (JSC::MacroAssemblerX86_64::convertibleLoadPtr):
      (MacroAssemblerX86_64):
      * assembler/RepatchBuffer.h:
      (RepatchBuffer):
      (JSC::RepatchBuffer::replaceWithLoad):
      (JSC::RepatchBuffer::replaceWithAddressComputation):
      (JSC::RepatchBuffer::setLoadInstructionIsActive):
      * assembler/X86Assembler.h:
      (JSC::X86Assembler::replaceWithLoad):
      (X86Assembler):
      (JSC::X86Assembler::replaceWithAddressComputation):
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::printGetByIdOp):
      (JSC::CodeBlock::dump):
      (JSC::CodeBlock::finalizeUnconditionally):
      * bytecode/GetByIdStatus.cpp:
      (JSC::GetByIdStatus::computeFromLLInt):
      (JSC::GetByIdStatus::computeForChain):
      (JSC::GetByIdStatus::computeFor):
      * bytecode/GetByIdStatus.h:
      (JSC::GetByIdStatus::GetByIdStatus):
      (JSC::GetByIdStatus::offset):
      (GetByIdStatus):
      * bytecode/Opcode.h:
      (JSC):
      (JSC::padOpcodeName):
      * bytecode/PutByIdStatus.cpp:
      (JSC::PutByIdStatus::computeFromLLInt):
      (JSC::PutByIdStatus::computeFor):
      * bytecode/PutByIdStatus.h:
      (JSC::PutByIdStatus::PutByIdStatus):
      (JSC::PutByIdStatus::offset):
      (PutByIdStatus):
      * bytecode/ResolveGlobalStatus.cpp:
      (JSC):
      (JSC::computeForStructure):
      * bytecode/ResolveGlobalStatus.h:
      (JSC::ResolveGlobalStatus::ResolveGlobalStatus):
      (JSC::ResolveGlobalStatus::offset):
      (ResolveGlobalStatus):
      * bytecode/StructureSet.h:
      (StructureSet):
      * bytecode/StructureStubInfo.h:
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::handleGetByOffset):
      (JSC::DFG::ByteCodeParser::handleGetById):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCapabilities.h:
      (JSC::DFG::canCompileOpcode):
      * dfg/DFGJITCompiler.cpp:
      (JSC::DFG::JITCompiler::link):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
      (PropertyAccessRecord):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::dfgRepatchByIdSelfAccess):
      (JSC::DFG::generateProtoChainAccessStub):
      (JSC::DFG::tryCacheGetByID):
      (JSC::DFG::tryBuildGetByIDList):
      (JSC::DFG::tryBuildGetByIDProtoList):
      (JSC::DFG::emitPutReplaceStub):
      (JSC::DFG::emitPutTransitionStub):
      (JSC::DFG::tryCachePutByID):
      (JSC::DFG::tryBuildPutByIdList):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedGetById):
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::cachedGetById):
      (JSC::DFG::SpeculativeJIT::cachedPutById):
      (JSC::DFG::SpeculativeJIT::compile):
      * heap/MarkStack.cpp:
      (JSC::visitChildren):
      * interpreter/Interpreter.cpp:
      (JSC::Interpreter::tryCacheGetByID):
      (JSC::Interpreter::privateExecute):
      * jit/JIT.cpp:
      (JSC::JIT::privateCompileMainPass):
      (JSC::JIT::privateCompileSlowCases):
      (JSC::PropertyStubCompilationInfo::copyToStubInfo):
      * jit/JIT.h:
      (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
      (JSC::JIT::compileGetByIdProto):
      (JSC::JIT::compileGetByIdSelfList):
      (JSC::JIT::compileGetByIdProtoList):
      (JSC::JIT::compileGetByIdChainList):
      (JSC::JIT::compileGetByIdChain):
      (JSC::JIT::compilePutByIdTransition):
      (JIT):
      * jit/JITInlineMethods.h:
      (JSC::JIT::emitAllocateBasicJSObject):
      * jit/JITOpcodes.cpp:
      (JSC::JIT::emit_op_resolve_global):
      * jit/JITOpcodes32_64.cpp:
      (JSC::JIT::emit_op_resolve_global):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::compileGetDirectOffset):
      (JSC::JIT::emit_op_method_check):
      (JSC::JIT::compileGetByIdHotPath):
      (JSC::JIT::emit_op_put_by_id):
      (JSC::JIT::compilePutDirectOffset):
      (JSC::JIT::privateCompilePutByIdTransition):
      (JSC::JIT::patchGetByIdSelf):
      (JSC::JIT::patchPutByIdReplace):
      (JSC::JIT::privateCompileGetByIdProto):
      (JSC::JIT::privateCompileGetByIdSelfList):
      (JSC::JIT::privateCompileGetByIdProtoList):
      (JSC::JIT::privateCompileGetByIdChainList):
      (JSC::JIT::privateCompileGetByIdChain):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::emit_op_method_check):
      (JSC::JIT::compileGetByIdHotPath):
      (JSC::JIT::emit_op_put_by_id):
      (JSC::JIT::compilePutDirectOffset):
      (JSC::JIT::compileGetDirectOffset):
      (JSC::JIT::privateCompilePutByIdTransition):
      (JSC::JIT::patchGetByIdSelf):
      (JSC::JIT::patchPutByIdReplace):
      (JSC::JIT::privateCompileGetByIdProto):
      (JSC::JIT::privateCompileGetByIdSelfList):
      (JSC::JIT::privateCompileGetByIdProtoList):
      (JSC::JIT::privateCompileGetByIdChainList):
      (JSC::JIT::privateCompileGetByIdChain):
      (JSC::JIT::emit_op_get_by_pname):
      * jit/JITStubs.cpp:
      (JSC::JITThunks::tryCacheGetByID):
      (JSC::DEFINE_STUB_FUNCTION):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * llint/LowLevelInterpreter.asm:
      * llint/LowLevelInterpreter32_64.asm:
      * llint/LowLevelInterpreter64.asm:
      * offlineasm/x86.rb:
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      (JSC::JSGlobalObject::functionNameOffset):
      * runtime/JSObject.cpp:
      (JSC::JSObject::visitChildren):
      (JSC):
      (JSC::JSFinalObject::visitChildren):
      (JSC::JSObject::put):
      (JSC::JSObject::deleteProperty):
      (JSC::JSObject::getPropertySpecificValue):
      (JSC::JSObject::removeDirect):
      (JSC::JSObject::growOutOfLineStorage):
      (JSC::JSObject::getOwnPropertyDescriptor):
      * runtime/JSObject.h:
      (JSObject):
      (JSC::JSObject::getDirect):
      (JSC::JSObject::getDirectLocation):
      (JSC::JSObject::hasInlineStorage):
      (JSC::JSObject::inlineStorageUnsafe):
      (JSC::JSObject::inlineStorage):
      (JSC::JSObject::outOfLineStorage):
      (JSC::JSObject::locationForOffset):
      (JSC::JSObject::offsetForLocation):
      (JSC::JSObject::getDirectOffset):
      (JSC::JSObject::putDirectOffset):
      (JSC::JSObject::putUndefinedAtDirectOffset):
      (JSC::JSObject::addressOfOutOfLineStorage):
      (JSC::JSObject::finishCreation):
      (JSC::JSNonFinalObject::JSNonFinalObject):
      (JSC::JSNonFinalObject::finishCreation):
      (JSFinalObject):
      (JSC::JSFinalObject::finishCreation):
      (JSC::JSFinalObject::JSFinalObject):
      (JSC::JSObject::offsetOfOutOfLineStorage):
      (JSC::JSObject::setOutOfLineStorage):
      (JSC::JSObject::JSObject):
      (JSC):
      (JSC::JSCell::fastGetOwnProperty):
      (JSC::JSObject::putDirectInternal):
      (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
      (JSC::JSObject::putDirectWithoutTransition):
      (JSC::offsetRelativeToPatchedStorage):
      (JSC::indexRelativeToBase):
      (JSC::offsetRelativeToBase):
      * runtime/JSPropertyNameIterator.cpp:
      (JSC::JSPropertyNameIterator::create):
      * runtime/JSPropertyNameIterator.h:
      (JSPropertyNameIterator):
      (JSC::JSPropertyNameIterator::getOffset):
      (JSC::JSPropertyNameIterator::finishCreation):
      * runtime/JSValue.cpp:
      (JSC::JSValue::putToPrimitive):
      * runtime/Operations.h:
      (JSC::normalizePrototypeChain):
      * runtime/Options.cpp:
      (JSC):
      (JSC::Options::initialize):
      * runtime/PropertyMapHashTable.h:
      (PropertyMapEntry):
      (JSC::PropertyMapEntry::PropertyMapEntry):
      (PropertyTable):
      (JSC::PropertyTable::PropertyTable):
      (JSC::PropertyTable::getDeletedOffset):
      (JSC::PropertyTable::addDeletedOffset):
      (JSC::PropertyTable::nextOffset):
      (JSC):
      (JSC::PropertyTable::sizeInMemory):
      * runtime/PropertyOffset.h: Added.
      (JSC):
      (JSC::checkOffset):
      (JSC::validateOffset):
      (JSC::isValidOffset):
      (JSC::isInlineOffset):
      (JSC::isOutOfLineOffset):
      (JSC::offsetInInlineStorage):
      (JSC::offsetInOutOfLineStorage):
      (JSC::offsetInRespectiveStorage):
      (JSC::numberOfOutOfLineSlotsForLastOffset):
      (JSC::numberOfSlotsForLastOffset):
      (JSC::nextPropertyOffsetFor):
      (JSC::firstPropertyOffsetFor):
      * runtime/PropertySlot.h:
      (JSC::PropertySlot::cachedOffset):
      (JSC::PropertySlot::setValue):
      (JSC::PropertySlot::setCacheableGetterSlot):
      (JSC::PropertySlot::clearOffset):
      * runtime/PutPropertySlot.h:
      (JSC::PutPropertySlot::setExistingProperty):
      (JSC::PutPropertySlot::setNewProperty):
      (JSC::PutPropertySlot::cachedOffset):
      (PutPropertySlot):
      * runtime/Structure.cpp:
      (JSC::Structure::Structure):
      (JSC::Structure::materializePropertyMap):
      (JSC::nextOutOfLineStorageCapacity):
      (JSC::Structure::growOutOfLineCapacity):
      (JSC::Structure::suggestedNewOutOfLineStorageCapacity):
      (JSC::Structure::addPropertyTransitionToExistingStructure):
      (JSC::Structure::addPropertyTransition):
      (JSC::Structure::removePropertyTransition):
      (JSC::Structure::flattenDictionaryStructure):
      (JSC::Structure::addPropertyWithoutTransition):
      (JSC::Structure::removePropertyWithoutTransition):
      (JSC::Structure::copyPropertyTableForPinning):
      (JSC::Structure::get):
      (JSC::Structure::putSpecificValue):
      (JSC::Structure::remove):
      * runtime/Structure.h:
      (Structure):
      (JSC::Structure::putWillGrowOutOfLineStorage):
      (JSC::Structure::previousID):
      (JSC::Structure::outOfLineCapacity):
      (JSC::Structure::outOfLineSizeForKnownFinalObject):
      (JSC::Structure::outOfLineSizeForKnownNonFinalObject):
      (JSC::Structure::outOfLineSize):
      (JSC::Structure::hasInlineStorage):
      (JSC::Structure::inlineCapacity):
      (JSC::Structure::inlineSizeForKnownFinalObject):
      (JSC::Structure::inlineSize):
      (JSC::Structure::totalStorageSize):
      (JSC::Structure::totalStorageCapacity):
      (JSC::Structure::firstValidOffset):
      (JSC::Structure::lastValidOffset):
      (JSC::Structure::isValidOffset):
      (JSC::Structure::isEmpty):
      (JSC::Structure::transitionCount):
      (JSC::Structure::get):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@121925 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      d68b1f84
  5. 15 Jun, 2012 1 commit
    • fpizlo@apple.com's avatar
      DFG should be able to set watchpoints on structure transitions in the · 04e41152
      fpizlo@apple.com authored
      method check prototype chain
      https://bugs.webkit.org/show_bug.cgi?id=89058
      
      Source/JavaScriptCore: 
      
      Reviewed by Gavin Barraclough.
              
      This adds the ability to set watchpoints on Structures, and then does
      the most modest thing we can do with this ability: the DFG now sets
      watchpoints on structure transitions in the prototype chain of method
      checks.
              
      This appears to be a >1% speed-up on V8.
      
      * bytecode/PutByIdStatus.cpp:
      (JSC::PutByIdStatus::computeFromLLInt):
      (JSC::PutByIdStatus::computeFor):
      * bytecode/StructureSet.h:
      (JSC::StructureSet::containsOnly):
      (StructureSet):
      * bytecode/Watchpoint.cpp:
      (JSC::WatchpointSet::WatchpointSet):
      (JSC::InlineWatchpointSet::add):
      (JSC):
      (JSC::InlineWatchpointSet::inflateSlow):
      (JSC::InlineWatchpointSet::freeFat):
      * bytecode/Watchpoint.h:
      (WatchpointSet):
      (JSC):
      (InlineWatchpointSet):
      (JSC::InlineWatchpointSet::InlineWatchpointSet):
      (JSC::InlineWatchpointSet::~InlineWatchpointSet):
      (JSC::InlineWatchpointSet::hasBeenInvalidated):
      (JSC::InlineWatchpointSet::isStillValid):
      (JSC::InlineWatchpointSet::startWatching):
      (JSC::InlineWatchpointSet::notifyWrite):
      (JSC::InlineWatchpointSet::isFat):
      (JSC::InlineWatchpointSet::fat):
      (JSC::InlineWatchpointSet::inflate):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::execute):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
      (CSEPhase):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGCommon.h:
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::isCellConstant):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::JITCompiler::addWeakReferences):
      (JITCompiler):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::hasStructure):
      (Node):
      (JSC::DFG::Node::structure):
      * dfg/DFGNodeType.h:
      (DFG):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::propagate):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::emitPutTransitionStub):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * jit/JITStubs.cpp:
      (JSC::JITThunks::tryCachePutByID):
      * llint/LLIntSlowPaths.cpp:
      (JSC::LLInt::LLINT_SLOW_PATH_DECL):
      * runtime/Structure.cpp:
      (JSC::Structure::Structure):
      * runtime/Structure.h:
      (JSC::Structure::transitionWatchpointSetHasBeenInvalidated):
      (Structure):
      (JSC::Structure::transitionWatchpointSetIsStillValid):
      (JSC::Structure::addTransitionWatchpoint):
      (JSC::Structure::notifyTransitionFromThisStructure):
      (JSC::JSCell::setStructure):
      * runtime/SymbolTable.cpp:
      (JSC::SymbolTableEntry::attemptToWatch):
      
      LayoutTests: 
      
      Rubber stamped by Gavin Barraclough.
      
      * fast/js/dfg-call-method-hit-watchpoint-expected.txt: Added.
      * fast/js/dfg-call-method-hit-watchpoint.html: Added.
      * fast/js/script-tests/dfg-call-method-hit-watchpoint.js: Added.
      (Thingy):
      (Thingy.prototype.foo):
      (callFoo):
      (.Thingy.prototype.foo):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@120499 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      04e41152
  6. 08 Jun, 2012 1 commit
    • fpizlo@apple.com's avatar
      DFG should inline prototype chain accesses, and do the right things if the · fd598b9b
      fpizlo@apple.com authored
      specific function optimization is available
      https://bugs.webkit.org/show_bug.cgi?id=88594
      
      Reviewed by Gavin Barraclough.
              
      Looks like a 3% win on V8.
      
      * bytecode/CodeBlock.h:
      (JSC::Structure::prototypeForLookup):
      (JSC):
      * bytecode/GetByIdStatus.cpp:
      (JSC::GetByIdStatus::computeFromLLInt):
      (JSC):
      (JSC::GetByIdStatus::computeForChain):
      (JSC::GetByIdStatus::computeFor):
      * bytecode/GetByIdStatus.h:
      (JSC::GetByIdStatus::GetByIdStatus):
      (JSC::GetByIdStatus::isSimple):
      (JSC::GetByIdStatus::chain):
      (JSC::GetByIdStatus::specificValue):
      (GetByIdStatus):
      * bytecode/StructureSet.h:
      (StructureSet):
      (JSC::StructureSet::singletonStructure):
      * bytecode/StructureStubInfo.h:
      (JSC::StructureStubInfo::initGetByIdProto):
      (JSC::StructureStubInfo::initGetByIdChain):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleGetById):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryCacheGetByID):
      * jit/JITStubs.cpp:
      (JSC::JITThunks::tryCacheGetByID):
      * runtime/JSGlobalObject.h:
      (JSC::Structure::prototypeForLookup):
      (JSC):
      * runtime/Structure.h:
      (Structure):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@119779 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      fd598b9b
  7. 07 Jun, 2012 1 commit
    • fpizlo@apple.com's avatar
      PredictedType should be called SpeculatedType · 62336163
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=88477
      
      Rubber stamped by Gavin Barraclough.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/CodeBlock.cpp:
      (JSC::CodeBlock::shouldOptimizeNow):
      (JSC::CodeBlock::dumpValueProfiles):
      * bytecode/CodeBlock.h:
      (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
      * bytecode/LazyOperandValueProfile.cpp:
      (JSC::LazyOperandValueProfileParser::prediction):
      * bytecode/LazyOperandValueProfile.h:
      (LazyOperandValueProfileParser):
      * bytecode/PredictedType.cpp: Removed.
      * bytecode/PredictedType.h: Removed.
      * bytecode/SpeculatedType.cpp: Copied from Source/JavaScriptCore/bytecode/PredictedType.cpp.
      (JSC::speculationToString):
      (JSC::speculationToAbbreviatedString):
      (JSC::speculationFromClassInfo):
      (JSC::speculationFromStructure):
      (JSC::speculationFromCell):
      (JSC::speculationFromValue):
      * bytecode/SpeculatedType.h: Copied from Source/JavaScriptCore/bytecode/PredictedType.h.
      (JSC):
      (JSC::isAnySpeculation):
      (JSC::isCellSpeculation):
      (JSC::isObjectSpeculation):
      (JSC::isFinalObjectSpeculation):
      (JSC::isFinalObjectOrOtherSpeculation):
      (JSC::isFixedIndexedStorageObjectSpeculation):
      (JSC::isStringSpeculation):
      (JSC::isArraySpeculation):
      (JSC::isFunctionSpeculation):
      (JSC::isInt8ArraySpeculation):
      (JSC::isInt16ArraySpeculation):
      (JSC::isInt32ArraySpeculation):
      (JSC::isUint8ArraySpeculation):
      (JSC::isUint8ClampedArraySpeculation):
      (JSC::isUint16ArraySpeculation):
      (JSC::isUint32ArraySpeculation):
      (JSC::isFloat32ArraySpeculation):
      (JSC::isFloat64ArraySpeculation):
      (JSC::isArgumentsSpeculation):
      (JSC::isActionableIntMutableArraySpeculation):
      (JSC::isActionableFloatMutableArraySpeculation):
      (JSC::isActionableTypedMutableArraySpeculation):
      (JSC::isActionableMutableArraySpeculation):
      (JSC::isActionableArraySpeculation):
      (JSC::isArrayOrOtherSpeculation):
      (JSC::isMyArgumentsSpeculation):
      (JSC::isInt32Speculation):
      (JSC::isDoubleRealSpeculation):
      (JSC::isDoubleSpeculation):
      (JSC::isNumberSpeculation):
      (JSC::isBooleanSpeculation):
      (JSC::isOtherSpeculation):
      (JSC::isEmptySpeculation):
      (JSC::mergeSpeculations):
      (JSC::mergeSpeculation):
      * bytecode/StructureSet.h:
      (JSC::StructureSet::speculationFromStructures):
      * bytecode/ValueProfile.h:
      (JSC::ValueProfileBase::ValueProfileBase):
      (JSC::ValueProfileBase::dump):
      (JSC::ValueProfileBase::computeUpdatedPrediction):
      (ValueProfileBase):
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::initialize):
      (JSC::DFG::AbstractState::execute):
      (JSC::DFG::AbstractState::mergeStateAtTail):
      * dfg/DFGAbstractState.h:
      (JSC::DFG::AbstractState::speculateInt32Unary):
      (JSC::DFG::AbstractState::speculateNumberUnary):
      (JSC::DFG::AbstractState::speculateBooleanUnary):
      (JSC::DFG::AbstractState::speculateInt32Binary):
      (JSC::DFG::AbstractState::speculateNumberBinary):
      * dfg/DFGAbstractValue.h:
      (JSC::DFG::StructureAbstractValue::filter):
      (JSC::DFG::StructureAbstractValue::speculationFromStructures):
      (JSC::DFG::AbstractValue::AbstractValue):
      (JSC::DFG::AbstractValue::clear):
      (JSC::DFG::AbstractValue::isClear):
      (JSC::DFG::AbstractValue::makeTop):
      (JSC::DFG::AbstractValue::clobberStructures):
      (JSC::DFG::AbstractValue::isTop):
      (JSC::DFG::AbstractValue::set):
      (JSC::DFG::AbstractValue::merge):
      (JSC::DFG::AbstractValue::filter):
      (JSC::DFG::AbstractValue::validateIgnoringValue):
      (JSC::DFG::AbstractValue::validate):
      (JSC::DFG::AbstractValue::checkConsistency):
      (JSC::DFG::AbstractValue::dump):
      (AbstractValue):
      * dfg/DFGArgumentPosition.h:
      (JSC::DFG::ArgumentPosition::ArgumentPosition):
      (JSC::DFG::ArgumentPosition::mergeArgumentAwareness):
      (JSC::DFG::ArgumentPosition::prediction):
      (ArgumentPosition):
      * dfg/DFGArgumentsSimplificationPhase.cpp:
      (JSC::DFG::ArgumentsSimplificationPhase::run):
      * dfg/DFGByteCodeParser.cpp:
      (ByteCodeParser):
      (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
      (JSC::DFG::ByteCodeParser::getLocal):
      (JSC::DFG::ByteCodeParser::getArgument):
      (JSC::DFG::ByteCodeParser::addCall):
      (JSC::DFG::ByteCodeParser::getSpeculationWithoutOSRExit):
      (JSC::DFG::ByteCodeParser::getSpeculation):
      (InlineStackEntry):
      (JSC::DFG::ByteCodeParser::handleCall):
      (JSC::DFG::ByteCodeParser::handleIntrinsic):
      (JSC::DFG::ByteCodeParser::handleGetById):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::fixVariableAccessSpeculations):
      (JSC::DFG::ByteCodeParser::parse):
      * dfg/DFGCSEPhase.cpp:
      (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
      (JSC::DFG::CSEPhase::performNodeCSE):
      * dfg/DFGConstantFoldingPhase.cpp:
      (JSC::DFG::ConstantFoldingPhase::run):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      (JSC::DFG::FixupPhase::fixDoubleEdge):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::nameOfVariableAccessData):
      (JSC::DFG::Graph::dump):
      (JSC::DFG::Graph::predictArgumentTypes):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::getJSConstantSpeculation):
      (JSC::DFG::Graph::isPredictedNumerical):
      (JSC::DFG::Graph::byValIsPure):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::JITCompiler::getSpeculation):
      * dfg/DFGNode.h:
      (JSC::DFG::Node::Node):
      (JSC::DFG::Node::getHeapPrediction):
      (JSC::DFG::Node::predictHeap):
      (JSC::DFG::Node::prediction):
      (JSC::DFG::Node::predict):
      (JSC::DFG::Node::shouldSpeculateInteger):
      (JSC::DFG::Node::shouldSpeculateDouble):
      (JSC::DFG::Node::shouldSpeculateNumber):
      (JSC::DFG::Node::shouldSpeculateBoolean):
      (JSC::DFG::Node::shouldSpeculateFinalObject):
      (JSC::DFG::Node::shouldSpeculateFinalObjectOrOther):
      (JSC::DFG::Node::shouldSpeculateArray):
      (JSC::DFG::Node::shouldSpeculateArguments):
      (JSC::DFG::Node::shouldSpeculateInt8Array):
      (JSC::DFG::Node::shouldSpeculateInt16Array):
      (JSC::DFG::Node::shouldSpeculateInt32Array):
      (JSC::DFG::Node::shouldSpeculateUint8Array):
      (JSC::DFG::Node::shouldSpeculateUint8ClampedArray):
      (JSC::DFG::Node::shouldSpeculateUint16Array):
      (JSC::DFG::Node::shouldSpeculateUint32Array):
      (JSC::DFG::Node::shouldSpeculateFloat32Array):
      (JSC::DFG::Node::shouldSpeculateFloat64Array):
      (JSC::DFG::Node::shouldSpeculateArrayOrOther):
      (JSC::DFG::Node::shouldSpeculateObject):
      (JSC::DFG::Node::shouldSpeculateCell):
      (Node):
      * dfg/DFGPredictionPropagationPhase.cpp:
      (JSC::DFG::PredictionPropagationPhase::setPrediction):
      (JSC::DFG::PredictionPropagationPhase::mergePrediction):
      (JSC::DFG::PredictionPropagationPhase::propagate):
      (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::fillStorage):
      (JSC::DFG::SpeculativeJIT::writeBarrier):
      (JSC::DFG::GPRTemporary::GPRTemporary):
      (JSC::DFG::FPRTemporary::FPRTemporary):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
      (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
      (JSC::DFG::SpeculativeJIT::compileValueToInt32):
      (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
      (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
      (JSC::DFG::SpeculativeJIT::compileGetTypedArrayLength):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
      (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
      (JSC::DFG::SpeculativeJIT::compileInstanceOf):
      (JSC::DFG::SpeculativeJIT::compileAdd):
      (JSC::DFG::SpeculativeJIT::compileArithSub):
      (JSC::DFG::SpeculativeJIT::compileArithNegate):
      (JSC::DFG::SpeculativeJIT::compileArithMul):
      (JSC::DFG::SpeculativeJIT::compileArithMod):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileStrictEq):
      (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
      (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
      (JSC::DFG::SpeculativeJIT::compileRegExpExec):
      * dfg/DFGSpeculativeJIT.h:
      (DFG):
      (JSC::DFG::ValueSource::forSpeculation):
      (SpeculativeJIT):
      (GPRTemporary):
      (FPRTemporary):
      (JSC::DFG::SpecDoubleOperand::SpecDoubleOperand):
      (JSC::DFG::SpecDoubleOperand::~SpecDoubleOperand):
      (JSC::DFG::SpecDoubleOperand::fpr):
      (JSC::DFG::SpecCellOperand::SpecCellOperand):
      (JSC::DFG::SpecCellOperand::~SpecCellOperand):
      (JSC::DFG::SpecCellOperand::gpr):
      (JSC::DFG::SpecBooleanOperand::SpecBooleanOperand):
      (JSC::DFG::SpecBooleanOperand::~SpecBooleanOperand):
      (JSC::DFG::SpecBooleanOperand::gpr):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
      (JSC::DFG::SpeculativeJIT::fillSpecDouble):
      (JSC::DFG::SpeculativeJIT::fillSpecCell):
      (JSC::DFG::SpeculativeJIT::fillSpecBoolean):
      (JSC::DFG::SpeculativeJIT::compileObjectEquality):
      (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
      (JSC::DFG::SpeculativeJIT::compileLogicalNot):
      (JSC::DFG::SpeculativeJIT::emitBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
      (JSC::DFG::SpeculativeJIT::fillSpecDouble):
      (JSC::DFG::SpeculativeJIT::fillSpecCell):
      (JSC::DFG::SpeculativeJIT::fillSpecBoolean):
      (JSC::DFG::SpeculativeJIT::compileObjectEquality):
      (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
      (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
      (JSC::DFG::SpeculativeJIT::compileLogicalNot):
      (JSC::DFG::SpeculativeJIT::emitBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGVariableAccessData.h:
      (JSC::DFG::VariableAccessData::VariableAccessData):
      (JSC::DFG::VariableAccessData::predict):
      (JSC::DFG::VariableAccessData::nonUnifiedPrediction):
      (JSC::DFG::VariableAccessData::prediction):
      (JSC::DFG::VariableAccessData::argumentAwarePrediction):
      (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
      (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
      (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
      (VariableAccessData):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@119660 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      62336163
  8. 09 Apr, 2012 1 commit
    • fpizlo@apple.com's avatar
      DFG should not load the property storage if it is inline. · 16bba26e
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=83455
      
      Reviewed by Gavin Barraclough.
              
      We had previously decided to have all property storage accesses go through
      the property storage pointer even if they don't "really" have to, because
      we were thinking this would help GC barriers somehow. Well, we never ended
      up doing anything with that. Hence, doing these wasted loads of the
      property storage pointer when the storage is inline is just a waste of CPU
      cycles.
              
      This change makes the DFG's inline property accesses (GetByOffset and
      PutByOffset) go directly to the inline property storage if the structure(s)
      tell us that it's OK.
              
      This looks like an across-the-board 1% win.
      
      * bytecode/StructureSet.h:
      (JSC):
      (JSC::StructureSet::allAreUsingInlinePropertyStorage):
      (StructureSet):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::fillStorage):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@113557 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      16bba26e
  9. 22 Jan, 2012 1 commit
    • fpizlo@apple.com's avatar
      DFG should not have code that directly decodes the states of old JIT inline · 1f8917fd
      fpizlo@apple.com authored
      cache data structures
      https://bugs.webkit.org/show_bug.cgi?id=76768
      
      Reviewed by Sam Weinig.
              
      Introduced new classes (like GetByIdStatus) that encapsulate the set of things
      that the DFG would like to know about property accesses and calls. Whereas it
      previously got this information by directly decoding the data structures used
      by the old JIT for inline caching, it now uses these classes, which do the work
      for it. This should make it somewhat more straight forward to introduce new
      ways of profiling the same information.
              
      Also hoisted StructureSet into bytecode/ from dfg/, because it's now used by
      code in bytecode/.
              
      Making this work right involved carefully ensuring that the heuristics for
      choosing how to handle property accesses was at least as good as what we had
      before, since I completely restructured that code. Currently the performance
      looks neutral. Since I rewrote the code I did change some things that I never
      liked before, like previously if a put_bu_id had executed exactly once then
      we'd compile it as if it had taken slow-path. Executing once is special because
      then the inline cache is not baked in, so there is no information about how the
      DFG should optimize the code. Now this is rationalized: if the put_by_id does
      not offer enough information to be optimized (i.e. had executed 0 or 1 times)
      then we turn it into a forced OSR exit (i.e. a patch point). However, get_by_id
      still has the old behavior; I left it that way because I didn't want to make
      too many changes at once.
      
      * CMakeLists.txt:
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * Target.pri:
      * bytecode/CallLinkStatus.cpp: Added.
      (JSC::CallLinkStatus::computeFor):
      * bytecode/CallLinkStatus.h: Added.
      (JSC::CallLinkStatus::CallLinkStatus):
      (JSC::CallLinkStatus::isSet):
      (JSC::CallLinkStatus::operator!):
      (JSC::CallLinkStatus::couldTakeSlowPath):
      (JSC::CallLinkStatus::callTarget):
      * bytecode/GetByIdStatus.cpp: Added.
      (JSC::GetByIdStatus::computeFor):
      * bytecode/GetByIdStatus.h: Added.
      (JSC::GetByIdStatus::GetByIdStatus):
      (JSC::GetByIdStatus::state):
      (JSC::GetByIdStatus::isSet):
      (JSC::GetByIdStatus::operator!):
      (JSC::GetByIdStatus::isSimpleDirect):
      (JSC::GetByIdStatus::takesSlowPath):
      (JSC::GetByIdStatus::makesCalls):
      (JSC::GetByIdStatus::structureSet):
      (JSC::GetByIdStatus::offset):
      * bytecode/MethodCallLinkStatus.cpp: Added.
      (JSC::MethodCallLinkStatus::computeFor):
      * bytecode/MethodCallLinkStatus.h: Added.
      (JSC::MethodCallLinkStatus::MethodCallLinkStatus):
      (JSC::MethodCallLinkStatus::isSet):
      (JSC::MethodCallLinkStatus::operator!):
      (JSC::MethodCallLinkStatus::needsPrototypeCheck):
      (JSC::MethodCallLinkStatus::structure):
      (JSC::MethodCallLinkStatus::prototypeStructure):
      (JSC::MethodCallLinkStatus::function):
      (JSC::MethodCallLinkStatus::prototype):
      * bytecode/PutByIdStatus.cpp: Added.
      (JSC::PutByIdStatus::computeFor):
      * bytecode/PutByIdStatus.h: Added.
      (JSC::PutByIdStatus::PutByIdStatus):
      (JSC::PutByIdStatus::state):
      (JSC::PutByIdStatus::isSet):
      (JSC::PutByIdStatus::operator!):
      (JSC::PutByIdStatus::isSimpleReplace):
      (JSC::PutByIdStatus::isSimpleTransition):
      (JSC::PutByIdStatus::takesSlowPath):
      (JSC::PutByIdStatus::oldStructure):
      (JSC::PutByIdStatus::newStructure):
      (JSC::PutByIdStatus::structureChain):
      (JSC::PutByIdStatus::offset):
      * bytecode/StructureSet.h: Added.
      (JSC::StructureSet::StructureSet):
      (JSC::StructureSet::clear):
      (JSC::StructureSet::add):
      (JSC::StructureSet::addAll):
      (JSC::StructureSet::remove):
      (JSC::StructureSet::contains):
      (JSC::StructureSet::isSubsetOf):
      (JSC::StructureSet::isSupersetOf):
      (JSC::StructureSet::size):
      (JSC::StructureSet::at):
      (JSC::StructureSet::operator[]):
      (JSC::StructureSet::last):
      (JSC::StructureSet::predictionFromStructures):
      (JSC::StructureSet::operator==):
      (JSC::StructureSet::dump):
      * dfg/DFGAbstractValue.h:
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::handleCall):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGStructureSet.h: Removed.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@105581 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      1f8917fd
  10. 12 Oct, 2011 1 commit
    • fpizlo@apple.com's avatar
      DFG does not have flow-sensitive intraprocedural control flow analysis · 4ffd3956
      fpizlo@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=69690
      
      Reviewed by Gavin Barraclough.
      
      Implemented a control flow analysis (CFA). It currently propagates type
      proofs only. For example, if all predecessors to a basic block have
      checks that variable X is a JSFinalObject with structure 0xabcdef, then
      this basic block will now know this fact and will know that it does not
      have to emit either JSFinalObject checks or any structure checks since
      the structure is precisely known. The CFA takes heap side-effects into
      account (though somewhat conservatively), so that if the object pointed
      to by variable X could have possibly undergone a structure transition
      then this is reflected: the analysis may simply say that X's structure
      is unknown.
              
      This also propagates a wealth of other type information which is
      currently not being used. For example, we now know when a variable can
      only hold doubles. Even if a variable may hold other types at different
      points in its live range, we can still prove exactly when it will only
      be double.
              
      There's a bunch of stuff that the CFA could do that it still does not
      do, like precise handling of PutStructure (i.e. structure transitions),
      precise handling of CheckFunction and CheckMethod, etc. So this is
      very much intended to be a starting point rather than an end unto
      itself.
              
      This is a 1% win on V8 (mostly due to a 3% win on richards and deltablue)
      and a 1% win on Kraken (mostly due to a 6% win on imaging-desaturate).
      Neutral on SunSpider.
      
      * GNUmakefile.list.am:
      * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/ActionablePrediction.h: Removed.
      * bytecode/PredictedType.cpp:
      (JSC::predictionToString):
      * bytecode/PredictedType.h:
      * dfg/DFGAbstractState.cpp: Added.
      (JSC::DFG::AbstractState::AbstractState):
      (JSC::DFG::AbstractState::~AbstractState):
      (JSC::DFG::AbstractState::beginBasicBlock):
      (JSC::DFG::AbstractState::initialize):
      (JSC::DFG::AbstractState::endBasicBlock):
      (JSC::DFG::AbstractState::reset):
      (JSC::DFG::AbstractState::execute):
      (JSC::DFG::AbstractState::clobberStructures):
      (JSC::DFG::AbstractState::mergeStateAtTail):
      (JSC::DFG::AbstractState::merge):
      (JSC::DFG::AbstractState::mergeToSuccessors):
      (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
      (JSC::DFG::AbstractState::dump):
      * dfg/DFGAbstractState.h: Added.
      (JSC::DFG::AbstractState::forNode):
      (JSC::DFG::AbstractState::isValid):
      * dfg/DFGAbstractValue.h: Added.
      (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
      (JSC::DFG::StructureAbstractValue::clear):
      (JSC::DFG::StructureAbstractValue::makeTop):
      (JSC::DFG::StructureAbstractValue::top):
      (JSC::DFG::StructureAbstractValue::add):
      (JSC::DFG::StructureAbstractValue::addAll):
      (JSC::DFG::StructureAbstractValue::contains):
      (JSC::DFG::StructureAbstractValue::isSubsetOf):
      (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan):
      (JSC::DFG::StructureAbstractValue::isSupersetOf):
      (JSC::DFG::StructureAbstractValue::filter):
      (JSC::DFG::StructureAbstractValue::isClear):
      (JSC::DFG::StructureAbstractValue::isTop):
      (JSC::DFG::StructureAbstractValue::size):
      (JSC::DFG::StructureAbstractValue::at):
      (JSC::DFG::StructureAbstractValue::operator[]):
      (JSC::DFG::StructureAbstractValue::last):
      (JSC::DFG::StructureAbstractValue::predictionFromStructures):
      (JSC::DFG::StructureAbstractValue::operator==):
      (JSC::DFG::StructureAbstractValue::dump):
      (JSC::DFG::AbstractValue::AbstractValue):
      (JSC::DFG::AbstractValue::clear):
      (JSC::DFG::AbstractValue::isClear):
      (JSC::DFG::AbstractValue::makeTop):
      (JSC::DFG::AbstractValue::clobberStructures):
      (JSC::DFG::AbstractValue::isTop):
      (JSC::DFG::AbstractValue::top):
      (JSC::DFG::AbstractValue::set):
      (JSC::DFG::AbstractValue::operator==):
      (JSC::DFG::AbstractValue::merge):
      (JSC::DFG::AbstractValue::filter):
      (JSC::DFG::AbstractValue::validate):
      (JSC::DFG::AbstractValue::dump):
      * dfg/DFGBasicBlock.h: Added.
      (JSC::DFG::BasicBlock::BasicBlock):
      (JSC::DFG::BasicBlock::getBytecodeBegin):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::getLocal):
      (JSC::DFG::ByteCodeParser::setLocal):
      (JSC::DFG::ByteCodeParser::getArgument):
      (JSC::DFG::ByteCodeParser::setArgument):
      (JSC::DFG::ByteCodeParser::parseBlock):
      (JSC::DFG::ByteCodeParser::processPhiStack):
      (JSC::DFG::ByteCodeParser::setupPredecessors):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      * dfg/DFGJITCodeGenerator.h:
      (JSC::DFG::block):
      * dfg/DFGJITCodeGenerator32_64.cpp:
      (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
      (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
      (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
      * dfg/DFGJITCodeGenerator64.cpp:
      (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
      (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
      (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
      * dfg/DFGJITCompiler.h:
      (JSC::DFG::JITCompiler::noticeOSREntry):
      * dfg/DFGNode.h:
      (JSC::DFG::NodeIndexTraits::defaultValue):
      (JSC::DFG::Node::variableAccessData):
      (JSC::DFG::Node::takenBytecodeOffsetDuringParsing):
      (JSC::DFG::Node::notTakenBytecodeOffsetDuringParsing):
      (JSC::DFG::Node::setTakenBlockIndex):
      (JSC::DFG::Node::setNotTakenBlockIndex):
      (JSC::DFG::Node::takenBlockIndex):
      (JSC::DFG::Node::notTakenBlockIndex):
      * dfg/DFGOSREntry.cpp:
      (JSC::DFG::prepareOSREntry):
      * dfg/DFGOSREntry.h:
      * dfg/DFGOperands.h: Added.
      (JSC::DFG::operandIsArgument):
      (JSC::DFG::OperandValueTraits::defaultValue):
      (JSC::DFG::Operands::Operands):
      (JSC::DFG::Operands::numberOfArguments):
      (JSC::DFG::Operands::numberOfLocals):
      (JSC::DFG::Operands::argument):
      (JSC::DFG::Operands::local):
      (JSC::DFG::Operands::setLocal):
      (JSC::DFG::Operands::setArgumentFirstTime):
      (JSC::DFG::Operands::setLocalFirstTime):
      (JSC::DFG::Operands::operand):
      (JSC::DFG::Operands::setOperand):
      (JSC::DFG::Operands::clear):
      (JSC::DFG::dumpOperands):
      * dfg/DFGPropagator.cpp:
      (JSC::DFG::Propagator::fixpoint):
      (JSC::DFG::Propagator::propagateArithNodeFlags):
      (JSC::DFG::Propagator::propagateNodePredictions):
      (JSC::DFG::Propagator::propagatePredictions):
      (JSC::DFG::Propagator::performBlockCFA):
      (JSC::DFG::Propagator::performForwardCFA):
      (JSC::DFG::Propagator::globalCFA):
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
      (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
      (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compileObjectEquality):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
      (JSC::DFG::SpeculativeJIT::compileLogicalNot):
      (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
      (JSC::DFG::SpeculativeJIT::emitBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compileObjectEquality):
      (JSC::DFG::SpeculativeJIT::compare):
      (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
      (JSC::DFG::SpeculativeJIT::compileLogicalNot):
      (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
      (JSC::DFG::SpeculativeJIT::emitBranch):
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureSet.h:
      (JSC::DFG::StructureSet::clear):
      (JSC::DFG::StructureSet::predictionFromStructures):
      (JSC::DFG::StructureSet::operator==):
      (JSC::DFG::StructureSet::dump):
      * dfg/DFGVariableAccessData.h: Added.
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@97218 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      4ffd3956
  11. 03 Oct, 2011 1 commit
    • fpizlo@apple.com's avatar
      DFG should speculate more aggressively on obvious cases on · 752f7d98
      fpizlo@apple.com authored
      polymorphic get_by_id
      https://bugs.webkit.org/show_bug.cgi?id=69235
      
      Reviewed by Oliver Hunt.
              
      This implements trivial polymorphic get_by_id. It also fixes
      problems in the CSE for CheckStructure in the put_by_id
      transition case.
              
      Doing this required knowing whether a polymorphic get_by_id stub
      was doing a direct access rather than a call of some kind.
              
      Slight speed-up on Kraken and SunSpider. 0.5% speed-up in the
      scaled mean of all benchmarks.
      
      * GNUmakefile.list.am:
      * JavaScriptCore.xcodeproj/project.pbxproj:
      * bytecode/Instruction.h:
      (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
      (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
      * dfg/DFGByteCodeParser.cpp:
      (JSC::DFG::ByteCodeParser::cellConstant):
      (JSC::DFG::ByteCodeParser::parseBlock):
      * dfg/DFGGraph.cpp:
      (JSC::DFG::Graph::dump):
      * dfg/DFGGraph.h:
      (JSC::DFG::Graph::addStructureSet):
      (JSC::DFG::Graph::addStructureTransitionData):
      * dfg/DFGNode.h:
      (JSC::DFG::StructureTransitionData::StructureTransitionData):
      (JSC::DFG::Node::hasStructureTransitionData):
      (JSC::DFG::Node::structureTransitionData):
      (JSC::DFG::Node::hasStructureSet):
      (JSC::DFG::Node::structureSet):
      * dfg/DFGPropagator.cpp:
      (JSC::DFG::Propagator::checkStructureLoadElimination):
      (JSC::DFG::Propagator::performNodeCSE):
      * dfg/DFGRepatch.cpp:
      (JSC::DFG::tryBuildGetByIDList):
      (JSC::DFG::tryBuildGetByIDProtoList):
      * dfg/DFGSpeculativeJIT32_64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGSpeculativeJIT64.cpp:
      (JSC::DFG::SpeculativeJIT::compile):
      * dfg/DFGStructureSet.h: Added.
      (JSC::DFG::StructureSet::StructureSet):
      (JSC::DFG::StructureSet::add):
      (JSC::DFG::StructureSet::addAll):
      (JSC::DFG::StructureSet::remove):
      (JSC::DFG::StructureSet::contains):
      (JSC::DFG::StructureSet::isSubsetOf):
      (JSC::DFG::StructureSet::isSupersetOf):
      (JSC::DFG::StructureSet::size):
      (JSC::DFG::StructureSet::at):
      (JSC::DFG::StructureSet::operator[]):
      (JSC::DFG::StructureSet::last):
      * jit/JITPropertyAccess.cpp:
      (JSC::JIT::privateCompileGetByIdSelfList):
      (JSC::JIT::privateCompileGetByIdProtoList):
      (JSC::JIT::privateCompileGetByIdChainList):
      * jit/JITPropertyAccess32_64.cpp:
      (JSC::JIT::privateCompileGetByIdSelfList):
      (JSC::JIT::privateCompileGetByIdProtoList):
      (JSC::JIT::privateCompileGetByIdChainList):
      * jit/JITStubs.cpp:
      (JSC::DEFINE_STUB_FUNCTION):
      (JSC::getPolymorphicAccessStructureListSlot):
      
      
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@96527 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      752f7d98