<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[211908] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/211908">211908</a></dd>
<dt>Author</dt> <dd>keith_miller@apple.com</dd>
<dt>Date</dt> <dd>2017-02-08 16:02:20 -0800 (Wed, 08 Feb 2017)</dd>
</dl>
<h3>Log Message</h3>
<pre>[JSC] op_in should have ArrayProfile
https://bugs.webkit.org/show_bug.cgi?id=164581
Reviewed by Filip Pizlo.
This patch adds an ArrayProfile to the op_in bytecode. In the
DFG, if we see that we the key is an int32 we will convert the In
DFG node to a HasIndexedProperty node instead.
This patch also flips the two arguments of op_in and the In node
to reflect the other property lookup bytecodes.
* bytecode/BytecodeList.json:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::finishCreation):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitIn):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitIn): Deleted.
* bytecompiler/NodesCodegen.cpp:
(JSC::InNode::emitBytecode):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::convertToHasIndexedProperty):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasArrayMode):
(JSC::DFG::Node::hasInternalMethodType):
(JSC::DFG::Node::internalMethodType):
(JSC::DFG::Node::setInternalMethodType):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileIn):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileIn):
(JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* llint/LowLevelInterpreter.asm:
* parser/Nodes.h:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::opIn):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeBytecodeListjson">trunk/Source/JavaScriptCore/bytecode/BytecodeList.json</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorcpp">trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorh">trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecompilerNodesCodegencpp">trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp">trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGFixupPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeh">trunk/Source/JavaScriptCore/dfg/DFGNode.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITh">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOperationscpp">trunk/Source/JavaScriptCore/jit/JITOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOperationsh">trunk/Source/JavaScriptCore/jit/JITOperations.h</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreterasm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm</a></li>
<li><a href="#trunkSourceJavaScriptCoreparserNodesh">trunk/Source/JavaScriptCore/parser/Nodes.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeCommonSlowPathscpp">trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeCommonSlowPathsh">trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (211907 => 211908)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2017-02-08 23:51:04 UTC (rev 211907)
+++ trunk/Source/JavaScriptCore/ChangeLog 2017-02-09 00:02:20 UTC (rev 211908)
</span><span class="lines">@@ -1,3 +1,57 @@
</span><ins>+2017-02-08 Keith Miller <keith_miller@apple.com>
+
+ [JSC] op_in should have ArrayProfile
+ https://bugs.webkit.org/show_bug.cgi?id=164581
+
+ Reviewed by Filip Pizlo.
+
+ This patch adds an ArrayProfile to the op_in bytecode. In the
+ DFG, if we see that we the key is an int32 we will convert the In
+ DFG node to a HasIndexedProperty node instead.
+
+ This patch also flips the two arguments of op_in and the In node
+ to reflect the other property lookup bytecodes.
+
+ * bytecode/BytecodeList.json:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::finishCreation):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitIn):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::emitIn): Deleted.
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::InNode::emitBytecode):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasArrayMode):
+ (JSC::DFG::Node::hasInternalMethodType):
+ (JSC::DFG::Node::internalMethodType):
+ (JSC::DFG::Node::setInternalMethodType):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileIn):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileIn):
+ (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+ * llint/LowLevelInterpreter.asm:
+ * parser/Nodes.h:
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/CommonSlowPaths.h:
+ (JSC::CommonSlowPaths::opIn):
+
</ins><span class="cx"> 2017-02-08 Saam Barati <sbarati@apple.com>
</span><span class="cx">
</span><span class="cx"> Air IRC might spill a terminal that produces a value after the terminal
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeBytecodeListjson"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/BytecodeList.json (211907 => 211908)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/BytecodeList.json 2017-02-08 23:51:04 UTC (rev 211907)
+++ trunk/Source/JavaScriptCore/bytecode/BytecodeList.json 2017-02-09 00:02:20 UTC (rev 211908)
</span><span class="lines">@@ -62,7 +62,7 @@
</span><span class="cx"> { "name" : "op_is_object_or_null", "length" : 3 },
</span><span class="cx"> { "name" : "op_is_function", "length" : 3 },
</span><span class="cx"> { "name" : "op_is_cell_with_type", "length" : 4 },
</span><del>- { "name" : "op_in", "length" : 4 },
</del><ins>+ { "name" : "op_in", "length" : 5 },
</ins><span class="cx"> { "name" : "op_get_array_length", "length" : 9 },
</span><span class="cx"> { "name" : "op_get_by_id", "length" : 9 },
</span><span class="cx"> { "name" : "op_get_by_id_proto_load", "length" : 9 },
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp (211907 => 211908)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp 2017-02-08 23:51:04 UTC (rev 211907)
+++ trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp 2017-02-09 00:02:20 UTC (rev 211908)
</span><span class="lines">@@ -1105,6 +1105,7 @@
</span><span class="cx"> }
</span><span class="cx"> case op_in: {
</span><span class="cx"> printBinaryOp(out, exec, location, it, "in");
</span><ins>+ dumpArrayProfiling(out, it, hasPrintedProfiling);
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx"> case op_try_get_by_id: {
</span><span class="lines">@@ -2095,12 +2096,9 @@
</span><span class="cx"> linkValueProfile(i, opLength);
</span><span class="cx"> break;
</span><span class="cx"> }
</span><del>- case op_put_by_val: {
- int arrayProfileIndex = pc[opLength - 1].u.operand;
- m_arrayProfiles[arrayProfileIndex] = ArrayProfile(i);
- instructions[i + opLength - 1] = &m_arrayProfiles[arrayProfileIndex];
- break;
- }
</del><ins>+
+ case op_in:
+ case op_put_by_val:
</ins><span class="cx"> case op_put_by_val_direct: {
</span><span class="cx"> int arrayProfileIndex = pc[opLength - 1].u.operand;
</span><span class="cx"> m_arrayProfiles[arrayProfileIndex] = ArrayProfile(i);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (211907 => 211908)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp 2017-02-08 23:51:04 UTC (rev 211907)
+++ trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp 2017-02-09 00:02:20 UTC (rev 211908)
</span><span class="lines">@@ -2571,6 +2571,17 @@
</span><span class="cx"> return dst;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+RegisterID* BytecodeGenerator::emitIn(RegisterID* dst, RegisterID* property, RegisterID* base)
+{
+ UnlinkedArrayProfile arrayProfile = newArrayProfile();
+ emitOpcode(op_in);
+ instructions().append(dst->index());
+ instructions().append(base->index());
+ instructions().append(property->index());
+ instructions().append(arrayProfile);
+ return dst;
+}
+
</ins><span class="cx"> RegisterID* BytecodeGenerator::emitTryGetById(RegisterID* dst, RegisterID* base, const Identifier& property)
</span><span class="cx"> {
</span><span class="cx"> ASSERT_WITH_MESSAGE(!parseIndex(property), "Indexed properties are not supported with tryGetById.");
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (211907 => 211908)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h 2017-02-08 23:51:04 UTC (rev 211907)
+++ trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h 2017-02-09 00:02:20 UTC (rev 211908)
</span><span class="lines">@@ -628,7 +628,7 @@
</span><span class="cx"> RegisterID* emitInstanceOf(RegisterID* dst, RegisterID* value, RegisterID* basePrototype);
</span><span class="cx"> RegisterID* emitInstanceOfCustom(RegisterID* dst, RegisterID* value, RegisterID* constructor, RegisterID* hasInstanceValue);
</span><span class="cx"> RegisterID* emitTypeOf(RegisterID* dst, RegisterID* src) { return emitUnaryOp(op_typeof, dst, src); }
</span><del>- RegisterID* emitIn(RegisterID* dst, RegisterID* property, RegisterID* base) { return emitBinaryOp(op_in, dst, property, base, OperandTypes()); }
</del><ins>+ RegisterID* emitIn(RegisterID* dst, RegisterID* property, RegisterID* base);
</ins><span class="cx">
</span><span class="cx"> RegisterID* emitTryGetById(RegisterID* dst, RegisterID* base, const Identifier& property);
</span><span class="cx"> RegisterID* emitGetById(RegisterID* dst, RegisterID* base, const Identifier& property);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecompilerNodesCodegencpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (211907 => 211908)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp 2017-02-08 23:51:04 UTC (rev 211907)
+++ trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp 2017-02-09 00:02:20 UTC (rev 211908)
</span><span class="lines">@@ -2042,6 +2042,17 @@
</span><span class="cx"> return dstReg.get();
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+// ------------------------------ InNode ----------------------------
+
+RegisterID* InNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
+{
+ RefPtr<RegisterID> key = generator.emitNodeForLeftHandSide(m_expr1, m_rightHasAssignments, m_expr2->isPure(generator));
+ RefPtr<RegisterID> base = generator.emitNode(m_expr2);
+ generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
+ return generator.emitIn(generator.finalDestination(dst, key.get()), key.get(), base.get());
+}
+
+
</ins><span class="cx"> // ------------------------------ LogicalOpNode ----------------------------
</span><span class="cx">
</span><span class="cx"> RegisterID* LogicalOpNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (211907 => 211908)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2017-02-08 23:51:04 UTC (rev 211907)
+++ trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2017-02-09 00:02:20 UTC (rev 211908)
</span><span class="lines">@@ -5481,8 +5481,9 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case op_in: {
</span><ins>+ ArrayMode arrayMode = getArrayMode(currentInstruction[OPCODE_LENGTH(op_in) - 1].u.arrayProfile);
</ins><span class="cx"> set(VirtualRegister(currentInstruction[1].u.operand),
</span><del>- addToGraph(In, get(VirtualRegister(currentInstruction[2].u.operand)), get(VirtualRegister(currentInstruction[3].u.operand))));
</del><ins>+ addToGraph(In, OpInfo(arrayMode.asWord()), get(VirtualRegister(currentInstruction[2].u.operand)), get(VirtualRegister(currentInstruction[3].u.operand))));
</ins><span class="cx"> NEXT_OPCODE(op_in);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -5511,7 +5512,7 @@
</span><span class="cx"> Node* base = get(VirtualRegister(currentInstruction[2].u.operand));
</span><span class="cx"> ArrayMode arrayMode = getArrayMode(currentInstruction[4].u.arrayProfile, Array::Read);
</span><span class="cx"> Node* property = get(VirtualRegister(currentInstruction[3].u.operand));
</span><del>- Node* hasIterableProperty = addToGraph(HasIndexedProperty, OpInfo(arrayMode.asWord()), base, property);
</del><ins>+ Node* hasIterableProperty = addToGraph(HasIndexedProperty, OpInfo(arrayMode.asWord()), OpInfo(static_cast<uint32_t>(PropertySlot::InternalMethodType::GetOwnProperty)), base, property);
</ins><span class="cx"> set(VirtualRegister(currentInstruction[1].u.operand), hasIterableProperty);
</span><span class="cx"> NEXT_OPCODE(op_has_indexed_property);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGFixupPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (211907 => 211908)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2017-02-08 23:51:04 UTC (rev 211907)
+++ trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2017-02-09 00:02:20 UTC (rev 211908)
</span><span class="lines">@@ -1363,10 +1363,12 @@
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case In: {
</span><del>- // FIXME: We should at some point have array profiling on op_in, in which
- // case we would be able to turn this into a kind of GetByVal.
-
- fixEdge<CellUse>(node->child2());
</del><ins>+ if (node->child2()->shouldSpeculateInt32()) {
+ convertToHasIndexedProperty(node);
+ break;
+ }
+
+ fixEdge<CellUse>(node->child1());
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -2652,7 +2654,7 @@
</span><span class="cx"> else
</span><span class="cx"> truncateConstantToInt32(node->child2());
</span><span class="cx"> }
</span><del>-
</del><ins>+
</ins><span class="cx"> bool attemptToMakeIntegerAdd(Node* node)
</span><span class="cx"> {
</span><span class="cx"> AddSpeculationMode mode = m_graph.addSpeculationMode(node, FixupPass);
</span><span class="lines">@@ -2743,7 +2745,25 @@
</span><span class="cx"> m_indexInBlock, SpecInt32Only, GetArrayLength, origin,
</span><span class="cx"> OpInfo(arrayMode.asWord()), Edge(child, KnownCellUse), Edge(storage));
</span><span class="cx"> }
</span><del>-
</del><ins>+
+ void convertToHasIndexedProperty(Node* node)
+ {
+ node->setOp(HasIndexedProperty);
+ node->clearFlags(NodeMustGenerate);
+ node->setArrayMode(
+ node->arrayMode().refine(
+ m_graph, node,
+ node->child1()->prediction(),
+ node->child2()->prediction(),
+ SpecNone));
+ node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
+
+ blessArrayOperation(node->child1(), node->child2(), node->child3());
+
+ fixEdge<CellUse>(node->child1());
+ fixEdge<Int32Use>(node->child2());
+ }
+
</ins><span class="cx"> bool attemptToMakeCallDOM(Node* node)
</span><span class="cx"> {
</span><span class="cx"> if (m_graph.hasExitSite(node->origin.semantic, BadType))
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGNodeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNode.h (211907 => 211908)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNode.h 2017-02-08 23:51:04 UTC (rev 211907)
+++ trunk/Source/JavaScriptCore/dfg/DFGNode.h 2017-02-09 00:02:20 UTC (rev 211908)
</span><span class="lines">@@ -1788,6 +1788,7 @@
</span><span class="cx"> switch (op()) {
</span><span class="cx"> case GetIndexedPropertyStorage:
</span><span class="cx"> case GetArrayLength:
</span><ins>+ case In:
</ins><span class="cx"> case PutByValDirect:
</span><span class="cx"> case PutByVal:
</span><span class="cx"> case PutByValAlias:
</span><span class="lines">@@ -2421,6 +2422,23 @@
</span><span class="cx"> return m_opInfo.as<const DOMJIT::Signature*>();
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ bool hasInternalMethodType() const
+ {
+ return op() == HasIndexedProperty;
+ }
+
+ PropertySlot::InternalMethodType internalMethodType() const
+ {
+ ASSERT(hasInternalMethodType());
+ return static_cast<PropertySlot::InternalMethodType>(m_opInfo2.as<uint32_t>());
+ }
+
+ void setInternalMethodType(PropertySlot::InternalMethodType type)
+ {
+ ASSERT(hasInternalMethodType());
+ m_opInfo2 = static_cast<uint32_t>(type);
+ }
+
</ins><span class="cx"> Node* replacement() const
</span><span class="cx"> {
</span><span class="cx"> return m_misc.replacement;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (211907 => 211908)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2017-02-08 23:51:04 UTC (rev 211907)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2017-02-09 00:02:20 UTC (rev 211908)
</span><span class="lines">@@ -1037,10 +1037,10 @@
</span><span class="cx">
</span><span class="cx"> void SpeculativeJIT::compileIn(Node* node)
</span><span class="cx"> {
</span><del>- SpeculateCellOperand base(this, node->child2());
</del><ins>+ SpeculateCellOperand base(this, node->child1());
</ins><span class="cx"> GPRReg baseGPR = base.gpr();
</span><span class="cx">
</span><del>- if (JSString* string = node->child1()->dynamicCastConstant<JSString*>(*m_jit.vm())) {
</del><ins>+ if (JSString* string = node->child2()->dynamicCastConstant<JSString*>(*m_jit.vm())) {
</ins><span class="cx"> if (string->tryGetValueImpl() && string->tryGetValueImpl()->isAtomic()) {
</span><span class="cx"> StructureStubInfo* stubInfo = m_jit.codeBlock()->addStubInfo(AccessType::In);
</span><span class="cx">
</span><span class="lines">@@ -1047,7 +1047,7 @@
</span><span class="cx"> GPRTemporary result(this);
</span><span class="cx"> GPRReg resultGPR = result.gpr();
</span><span class="cx">
</span><del>- use(node->child1());
</del><ins>+ use(node->child2());
</ins><span class="cx">
</span><span class="cx"> MacroAssembler::PatchableJump jump = m_jit.patchableJump();
</span><span class="cx"> MacroAssembler::Label done = m_jit.label();
</span><span class="lines">@@ -1079,7 +1079,7 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>- JSValueOperand key(this, node->child1());
</del><ins>+ JSValueOperand key(this, node->child2());
</ins><span class="cx"> JSValueRegs regs = key.jsValueRegs();
</span><span class="cx">
</span><span class="cx"> GPRFlushedCallResult result(this);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (211907 => 211908)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h 2017-02-08 23:51:04 UTC (rev 211907)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h 2017-02-09 00:02:20 UTC (rev 211908)
</span><span class="lines">@@ -1539,6 +1539,11 @@
</span><span class="cx"> m_jit.setupArgumentsWithExecState(arg1, arg2);
</span><span class="cx"> return appendCallSetResult(operation, result);
</span><span class="cx"> }
</span><ins>+ JITCompiler::Call callOperation(J_JITOperation_ECZZ operation, GPRReg result, GPRReg arg1, GPRReg arg2, int32_t constant)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2, TrustedImm32(constant));
+ return appendCallSetResult(operation, result);
+ }
</ins><span class="cx"> JITCompiler::Call callOperation(J_JITOperation_ESsiCI operation, GPRReg result, StructureStubInfo* stubInfo, GPRReg arg1, const UniquedStringImpl* uid)
</span><span class="cx"> {
</span><span class="cx"> m_jit.setupArgumentsWithExecState(TrustedImmPtr(stubInfo), arg1, TrustedImmPtr(uid));
</span><span class="lines">@@ -2074,6 +2079,11 @@
</span><span class="cx"> m_jit.setupArgumentsWithExecState(arg1, arg2);
</span><span class="cx"> return appendCallSetResult(operation, result.payloadGPR(), result.tagGPR());
</span><span class="cx"> }
</span><ins>+ JITCompiler::Call callOperation(J_JITOperation_ECZZ operation, JSValueRegs result, GPRReg arg1, GPRReg arg2, int32_t constant)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2, TrustedImm32(constant));
+ return appendCallSetResult(operation, result.payloadGPR(), result.tagGPR());
+ }
</ins><span class="cx"> JITCompiler::Call callOperation(J_JITOperation_EJscC operation, JSValueRegs result, GPRReg arg1, JSCell* cell)
</span><span class="cx"> {
</span><span class="cx"> m_jit.setupArgumentsWithExecState(arg1, TrustedImmPtr::weakPointer(m_jit.graph(), cell));
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (211907 => 211908)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2017-02-08 23:51:04 UTC (rev 211907)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2017-02-09 00:02:20 UTC (rev 211908)
</span><span class="lines">@@ -5280,7 +5280,7 @@
</span><span class="cx"> moveTrueTo(resultPayloadGPR);
</span><span class="cx"> MacroAssembler::Jump done = m_jit.jump();
</span><span class="cx">
</span><del>- addSlowPathGenerator(slowPathCall(slowCases, this, operationHasIndexedProperty, JSValueRegs(resultTagGPR, resultPayloadGPR), baseGPR, indexGPR));
</del><ins>+ addSlowPathGenerator(slowPathCall(slowCases, this, operationHasIndexedProperty, JSValueRegs(resultTagGPR, resultPayloadGPR), baseGPR, indexGPR, static_cast<int32_t>(node->internalMethodType())));
</ins><span class="cx">
</span><span class="cx"> done.link(&m_jit);
</span><span class="cx"> booleanResult(resultPayloadGPR, node);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (211907 => 211908)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2017-02-08 23:51:04 UTC (rev 211907)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2017-02-09 00:02:20 UTC (rev 211908)
</span><span class="lines">@@ -5476,7 +5476,7 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>- addSlowPathGenerator(slowPathCall(slowCases, this, operationHasIndexedProperty, resultGPR, baseGPR, indexGPR));
</del><ins>+ addSlowPathGenerator(slowPathCall(slowCases, this, operationHasIndexedProperty, resultGPR, baseGPR, indexGPR, static_cast<int32_t>(node->internalMethodType())));
</ins><span class="cx">
</span><span class="cx"> jsValueResult(resultGPR, node, DataFormatJSBoolean);
</span><span class="cx"> break;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (211907 => 211908)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2017-02-08 23:51:04 UTC (rev 211907)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2017-02-09 00:02:20 UTC (rev 211908)
</span><span class="lines">@@ -8039,12 +8039,12 @@
</span><span class="cx">
</span><span class="cx"> void compileIn()
</span><span class="cx"> {
</span><del>- DFG_ASSERT(m_graph, m_node, m_node->child2().useKind() == CellUse);
</del><ins>+ DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == CellUse);
</ins><span class="cx">
</span><span class="cx"> Node* node = m_node;
</span><del>- Edge base = node->child2();
</del><ins>+ Edge base = node->child1();
</ins><span class="cx"> LValue cell = lowCell(base);
</span><del>- if (JSString* string = node->child1()->dynamicCastConstant<JSString*>(vm())) {
</del><ins>+ if (JSString* string = node->child2()->dynamicCastConstant<JSString*>(vm())) {
</ins><span class="cx"> if (string->tryGetValueImpl() && string->tryGetValueImpl()->isAtomic()) {
</span><span class="cx"> UniquedStringImpl* str = bitwise_cast<UniquedStringImpl*>(string->tryGetValueImpl());
</span><span class="cx"> B3::PatchpointValue* patchpoint = m_out.patchpoint(Int64);
</span><span class="lines">@@ -8116,7 +8116,7 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>- setJSValue(vmCall(Int64, m_out.operation(operationGenericIn), m_callFrame, cell, lowJSValue(m_node->child1())));
</del><ins>+ setJSValue(vmCall(Int64, m_out.operation(operationGenericIn), m_callFrame, cell, lowJSValue(m_node->child2())));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void compileHasOwnProperty()
</span><span class="lines">@@ -8351,6 +8351,7 @@
</span><span class="cx"> LValue base = lowCell(m_node->child1());
</span><span class="cx"> LValue index = lowInt32(m_node->child2());
</span><span class="cx"> LValue storage = lowStorage(m_node->child3());
</span><ins>+ LValue internalMethodType = m_out.constInt32(static_cast<int32_t>(m_node->internalMethodType()));
</ins><span class="cx">
</span><span class="cx"> IndexedAbstractHeap& heap = m_node->arrayMode().type() == Array::Int32 ?
</span><span class="cx"> m_heaps.indexedInt32Properties : m_heaps.indexedContiguousProperties;
</span><span class="lines">@@ -8376,7 +8377,7 @@
</span><span class="cx"> m_out.appendTo(slowCase, continuation);
</span><span class="cx"> ValueFromBlock slowResult = m_out.anchor(m_out.equal(
</span><span class="cx"> m_out.constInt64(JSValue::encode(jsBoolean(true))),
</span><del>- vmCall(Int64, m_out.operation(operationHasIndexedProperty), m_callFrame, base, index)));
</del><ins>+ vmCall(Int64, m_out.operation(operationHasIndexedProperty), m_callFrame, base, index, internalMethodType)));
</ins><span class="cx"> m_out.jump(continuation);
</span><span class="cx">
</span><span class="cx"> m_out.appendTo(continuation, lastNext);
</span><span class="lines">@@ -8387,6 +8388,7 @@
</span><span class="cx"> LValue base = lowCell(m_node->child1());
</span><span class="cx"> LValue index = lowInt32(m_node->child2());
</span><span class="cx"> LValue storage = lowStorage(m_node->child3());
</span><ins>+ LValue internalMethodType = m_out.constInt32(static_cast<int32_t>(m_node->internalMethodType()));
</ins><span class="cx">
</span><span class="cx"> IndexedAbstractHeap& heap = m_heaps.indexedDoubleProperties;
</span><span class="cx">
</span><span class="lines">@@ -8411,7 +8413,7 @@
</span><span class="cx"> m_out.appendTo(slowCase, continuation);
</span><span class="cx"> ValueFromBlock slowResult = m_out.anchor(m_out.equal(
</span><span class="cx"> m_out.constInt64(JSValue::encode(jsBoolean(true))),
</span><del>- vmCall(Int64, m_out.operation(operationHasIndexedProperty), m_callFrame, base, index)));
</del><ins>+ vmCall(Int64, m_out.operation(operationHasIndexedProperty), m_callFrame, base, index, internalMethodType)));
</ins><span class="cx"> m_out.jump(continuation);
</span><span class="cx">
</span><span class="cx"> m_out.appendTo(continuation, lastNext);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOperations.cpp (211907 => 211908)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOperations.cpp 2017-02-08 23:51:04 UTC (rev 211907)
+++ trunk/Source/JavaScriptCore/jit/JITOperations.cpp 2017-02-09 00:02:20 UTC (rev 211908)
</span><span class="lines">@@ -321,7 +321,7 @@
</span><span class="cx"> VM* vm = &exec->vm();
</span><span class="cx"> NativeCallFrameTracer tracer(vm, exec);
</span><span class="cx">
</span><del>- return JSValue::encode(jsBoolean(CommonSlowPaths::opIn(exec, JSValue::decode(key), base)));
</del><ins>+ return JSValue::encode(jsBoolean(CommonSlowPaths::opIn(exec, base, JSValue::decode(key))));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void JIT_OPERATION operationPutByIdStrict(ExecState* exec, StructureStubInfo* stubInfo, EncodedJSValue encodedValue, EncodedJSValue encodedBase, UniquedStringImpl* uid)
</span><span class="lines">@@ -2254,12 +2254,12 @@
</span><span class="cx"> return JSValue::encode(jsBoolean(base->hasPropertyGeneric(exec, asString(propertyName)->toIdentifier(exec), PropertySlot::InternalMethodType::GetOwnProperty)));
</span><span class="cx"> }
</span><span class="cx">
</span><del>-EncodedJSValue JIT_OPERATION operationHasIndexedProperty(ExecState* exec, JSCell* baseCell, int32_t subscript)
</del><ins>+EncodedJSValue JIT_OPERATION operationHasIndexedProperty(ExecState* exec, JSCell* baseCell, int32_t subscript, int32_t internalMethodType)
</ins><span class="cx"> {
</span><span class="cx"> VM& vm = exec->vm();
</span><span class="cx"> NativeCallFrameTracer tracer(&vm, exec);
</span><span class="cx"> JSObject* object = baseCell->toObject(exec, exec->lexicalGlobalObject());
</span><del>- return JSValue::encode(jsBoolean(object->hasPropertyGeneric(exec, subscript, PropertySlot::InternalMethodType::GetOwnProperty)));
</del><ins>+ return JSValue::encode(jsBoolean(object->hasPropertyGeneric(exec, subscript, static_cast<PropertySlot::InternalMethodType>(internalMethodType))));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> JSCell* JIT_OPERATION operationGetPropertyEnumerator(ExecState* exec, JSCell* cell)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOperationsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOperations.h (211907 => 211908)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOperations.h 2017-02-08 23:51:04 UTC (rev 211907)
+++ trunk/Source/JavaScriptCore/jit/JITOperations.h 2017-02-09 00:02:20 UTC (rev 211908)
</span><span class="lines">@@ -131,6 +131,7 @@
</span><span class="cx"> typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_ECI)(ExecState*, JSCell*, UniquedStringImpl*);
</span><span class="cx"> typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_ECJ)(ExecState*, JSCell*, EncodedJSValue);
</span><span class="cx"> typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_ECZ)(ExecState*, JSCell*, int32_t);
</span><ins>+typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_ECZZ)(ExecState*, JSCell*, int32_t, int32_t);
</ins><span class="cx"> typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EDA)(ExecState*, double, JSArray*);
</span><span class="cx"> typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EE)(ExecState*, ExecState*);
</span><span class="cx"> typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EGReoJ)(ExecState*, JSGlobalObject*, RegExpObject*, EncodedJSValue);
</span><span class="lines">@@ -435,7 +436,7 @@
</span><span class="cx"> int32_t JIT_OPERATION operationInstanceOfCustom(ExecState*, EncodedJSValue encodedValue, JSObject* constructor, EncodedJSValue encodedHasInstance) WTF_INTERNAL;
</span><span class="cx">
</span><span class="cx"> EncodedJSValue JIT_OPERATION operationHasGenericProperty(ExecState*, EncodedJSValue, JSCell*);
</span><del>-EncodedJSValue JIT_OPERATION operationHasIndexedProperty(ExecState*, JSCell*, int32_t);
</del><ins>+EncodedJSValue JIT_OPERATION operationHasIndexedProperty(ExecState*, JSCell*, int32_t, int32_t);
</ins><span class="cx"> JSCell* JIT_OPERATION operationGetPropertyEnumerator(ExecState*, JSCell*);
</span><span class="cx"> EncodedJSValue JIT_OPERATION operationNextEnumeratorPname(ExecState*, JSCell*, int32_t);
</span><span class="cx"> JSCell* JIT_OPERATION operationToIndexString(ExecState*, int32_t);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreterasm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm (211907 => 211908)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm 2017-02-08 23:51:04 UTC (rev 211907)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm 2017-02-09 00:02:20 UTC (rev 211908)
</span><span class="lines">@@ -1391,7 +1391,7 @@
</span><span class="cx"> _llint_op_in:
</span><span class="cx"> traceExecution()
</span><span class="cx"> callOpcodeSlowPath(_slow_path_in)
</span><del>- dispatch(4)
</del><ins>+ dispatch(5)
</ins><span class="cx">
</span><span class="cx">
</span><span class="cx"> _llint_op_try_get_by_id:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreparserNodesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/parser/Nodes.h (211907 => 211908)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/parser/Nodes.h 2017-02-08 23:51:04 UTC (rev 211907)
+++ trunk/Source/JavaScriptCore/parser/Nodes.h 2017-02-09 00:02:20 UTC (rev 211908)
</span><span class="lines">@@ -1152,6 +1152,9 @@
</span><span class="cx"> class InNode : public ThrowableBinaryOpNode {
</span><span class="cx"> public:
</span><span class="cx"> InNode(const JSTokenLocation&, ExpressionNode* expr1, ExpressionNode* expr2, bool rightHasAssignments);
</span><ins>+
+ private:
+ RegisterID* emitBytecode(BytecodeGenerator&, RegisterID* = 0) override;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> class EqualNode : public BinaryOpNode {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeCommonSlowPathscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (211907 => 211908)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp 2017-02-08 23:51:04 UTC (rev 211907)
+++ trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp 2017-02-09 00:02:20 UTC (rev 211908)
</span><span class="lines">@@ -40,6 +40,7 @@
</span><span class="cx"> #include "ExceptionFuzz.h"
</span><span class="cx"> #include "GetterSetter.h"
</span><span class="cx"> #include "HostCallReturnValue.h"
</span><ins>+#include "ICStats.h"
</ins><span class="cx"> #include "Interpreter.h"
</span><span class="cx"> #include "IteratorOperations.h"
</span><span class="cx"> #include "JIT.h"
</span><span class="lines">@@ -620,7 +621,7 @@
</span><span class="cx"> SLOW_PATH_DECL(slow_path_in)
</span><span class="cx"> {
</span><span class="cx"> BEGIN();
</span><del>- RETURN(jsBoolean(CommonSlowPaths::opIn(exec, OP_C(2).jsValue(), OP_C(3).jsValue())));
</del><ins>+ RETURN(jsBoolean(CommonSlowPaths::opIn(exec, OP_C(2).jsValue(), OP_C(3).jsValue(), pc[4].u.arrayProfile)));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> SLOW_PATH_DECL(slow_path_del_by_val)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeCommonSlowPathsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h (211907 => 211908)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h 2017-02-08 23:51:04 UTC (rev 211907)
+++ trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h 2017-02-09 00:02:20 UTC (rev 211908)
</span><span class="lines">@@ -71,7 +71,7 @@
</span><span class="cx"> return paddedStackSpace;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-inline bool opIn(ExecState* exec, JSValue propName, JSValue baseVal)
</del><ins>+inline bool opIn(ExecState* exec, JSValue baseVal, JSValue propName, ArrayProfile* arrayProfile = nullptr)
</ins><span class="cx"> {
</span><span class="cx"> VM& vm = exec->vm();
</span><span class="cx"> auto scope = DECLARE_THROW_SCOPE(vm);
</span><span class="lines">@@ -81,6 +81,8 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> JSObject* baseObj = asObject(baseVal);
</span><ins>+ if (arrayProfile)
+ arrayProfile->observeStructure(baseObj->structure(vm));
</ins><span class="cx">
</span><span class="cx"> uint32_t i;
</span><span class="cx"> if (propName.getUInt32(i)) {
</span></span></pre>
</div>
</div>
</body>
</html>