<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[278445] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/278445">278445</a></dd>
<dt>Author</dt> <dd>ross.kirsling@sony.com</dd>
<dt>Date</dt> <dd>2021-06-03 20:10:54 -0700 (Thu, 03 Jun 2021)</dd>
</dl>

<h3>Log Message</h3>
<pre>[JSC] Implement JIT ICs for InByVal
https://bugs.webkit.org/show_bug.cgi?id=226563

Reviewed by Saam Barati.

JSTests:

* microbenchmarks/in-by-val-int32.js: Added.
* microbenchmarks/in-by-val-string-index.js: Added.
* microbenchmarks/in-by-val-symbol.js: Added.

Source/JavaScriptCore:

Until now, InByVal has had few optimizations implemented:
DFG would attempt to convert string index lookups to InById and int32 lookups to HasIndexedProperty,
but there has been no inline caching nor any special handling for symbol lookups.

This has become a more urgent problem now, as `#x in obj` (i.e. HasPrivateName / HasPrivateBrand)
will need to mimic InByVal's inline caching strategy in order to be deemed performant enough to ship.

This patch thus implements inline caching for InByVal at all JIT tiers.
The result is a night-and-day difference for symbols, a nice boost for string indices, and no change for int32s:

in-by-val-symbol                  203.5572+-2.7647     ^     19.1035+-0.7498        ^ definitely 10.6555x faster
in-by-val-string-index             87.0368+-44.7766          45.9971+-32.0007         might be 1.8922x faster
in-by-val-int32                   110.9904+-1.7109     ?    111.3431+-1.7558        ?

* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/CheckPrivateBrandStatus.cpp:
(JSC::CheckPrivateBrandStatus::singleIdentifier const):
* bytecode/DeleteByStatus.cpp:
(JSC::DeleteByStatus::singleIdentifier const):
* bytecode/GetByStatus.cpp:
(JSC::GetByStatus::singleIdentifier const):
* bytecode/ICStatusMap.h:
* bytecode/ICStatusUtils.h:
(JSC::singleIdentifierForICStatus):
* bytecode/InByIdVariant.cpp:
(JSC::InByIdVariant::InByIdVariant):
(JSC::InByIdVariant::attemptToMerge):
(JSC::InByIdVariant::dumpInContext const):
* bytecode/InByIdVariant.h:
(JSC::InByIdVariant::identifier const):
(JSC::InByIdVariant::overlaps):
* bytecode/InByStatus.cpp: Renamed from Source/JavaScriptCore/bytecode/InByIdStatus.cpp.
(JSC::InByStatus::appendVariant):
(JSC::InByStatus::shrinkToFit):
(JSC::InByStatus::computeFor):
(JSC::InByStatus::computeForStubInfo):
(JSC::InByStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::InByStatus::merge):
(JSC::InByStatus::filter):
(JSC::InByStatus::markIfCheap):
(JSC::InByStatus::finalize):
(JSC::InByStatus::singleIdentifier const):
(JSC::InByStatus::dump const):
* bytecode/InByStatus.h: Renamed from Source/JavaScriptCore/bytecode/InByIdStatus.h.
* bytecode/RecordedStatuses.cpp:
(JSC::RecordedStatuses::addInByStatus): Renamed from addInByIdStatus.
* bytecode/RecordedStatuses.h:
* bytecode/SetPrivateBrandStatus.cpp:
(JSC::SetPrivateBrandStatus::singleIdentifier const):
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::reset):
* bytecode/StructureStubInfo.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter&lt;AbstractStateType&gt;::executeEffects):
(JSC::DFG::AbstractInterpreter&lt;AbstractStateType&gt;::filterICStatus):
* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleInById):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGClobbersExitState.cpp:
(JSC::DFG::clobbersExitState):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::addInByVal):
* dfg/DFGMayExit.cpp:
* dfg/DFGNode.h:
(JSC::DFG::Node::hasInByStatus): Renamed from hasInByIdStatus.
(JSC::DFG::Node::inByStatus): Renamed from inByIdStatus.
* dfg/DFGNodeType.h:
* dfg/DFGObjectAllocationSinkingPhase.cpp:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileInByVal):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGVarargsForwardingPhase.cpp:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileInBy):
(JSC::FTL::DFG::LowerDFGToB3::compileInById):
(JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
* jit/ICStats.h:
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
(JSC::JIT::link):
* jit/JIT.h:
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITInByValGenerator::JITInByValGenerator):
(JSC::JITInByValGenerator::generateFastPath):
(JSC::JITInByValGenerator::finalize):
(JSC::JITInByIdGenerator::JITInByIdGenerator):
* jit/JITInlineCacheGenerator.h:
(JSC::JITDelByIdGenerator::slowPathJump const):
(JSC::JITInByValGenerator::JITInByValGenerator):
(JSC::JITInByValGenerator::slowPathJump const):
* jit/JITOperations.cpp:
(JSC::JSC_DEFINE_JIT_OPERATION):
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_in_by_val):
(JSC::JIT::emitSlow_op_in_by_val):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_in_by_val):
(JSC::JIT::emitSlow_op_in_by_val):
* jit/Repatch.cpp:
(JSC::tryCacheInBy): Renamed from tryCacheInByID.
(JSC::repatchInBy): Renamed from repatchInByID.
(JSC::resetInBy): Renamed from resetInByID.
* jit/Repatch.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* runtime/CommonSlowPaths.cpp:
* runtime/CommonSlowPaths.h:</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkJSTestsChangeLog">trunk/JSTests/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceJavaScriptCoreSourcestxt">trunk/Source/JavaScriptCore/Sources.txt</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCheckPrivateBrandStatuscpp">trunk/Source/JavaScriptCore/bytecode/CheckPrivateBrandStatus.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeDeleteByStatuscpp">trunk/Source/JavaScriptCore/bytecode/DeleteByStatus.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeGetByStatuscpp">trunk/Source/JavaScriptCore/bytecode/GetByStatus.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeICStatusMaph">trunk/Source/JavaScriptCore/bytecode/ICStatusMap.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeICStatusUtilsh">trunk/Source/JavaScriptCore/bytecode/ICStatusUtils.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeInByIdVariantcpp">trunk/Source/JavaScriptCore/bytecode/InByIdVariant.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeInByIdVarianth">trunk/Source/JavaScriptCore/bytecode/InByIdVariant.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeRecordedStatusescpp">trunk/Source/JavaScriptCore/bytecode/RecordedStatuses.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeRecordedStatusesh">trunk/Source/JavaScriptCore/bytecode/RecordedStatuses.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeSetPrivateBrandStatuscpp">trunk/Source/JavaScriptCore/bytecode/SetPrivateBrandStatus.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeStructureStubInfocpp">trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeStructureStubInfoh">trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh">trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGArgumentsEliminationPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp">trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGClobberizeh">trunk/Source/JavaScriptCore/dfg/DFGClobberize.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGClobbersExitStatecpp">trunk/Source/JavaScriptCore/dfg/DFGClobbersExitState.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGDoesGCcpp">trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGFixupPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGGraphcpp">trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGJITCompilercpp">trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGJITCompilerh">trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGMayExitcpp">trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeh">trunk/Source/JavaScriptCore/dfg/DFGNode.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeTypeh">trunk/Source/JavaScriptCore/dfg/DFGNodeType.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGObjectAllocationSinkingPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSafeToExecuteh">trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGVarargsForwardingPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGVarargsForwardingPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLCapabilitiescpp">trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitICStatsh">trunk/Source/JavaScriptCore/jit/ICStats.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITcpp">trunk/Source/JavaScriptCore/jit/JIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITh">trunk/Source/JavaScriptCore/jit/JIT.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITInlineCacheGeneratorcpp">trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITInlineCacheGeneratorh">trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOperationscpp">trunk/Source/JavaScriptCore/jit/JITOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOperationsh">trunk/Source/JavaScriptCore/jit/JITOperations.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITPropertyAccesscpp">trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITPropertyAccess32_64cpp">trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitRepatchcpp">trunk/Source/JavaScriptCore/jit/Repatch.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitRepatchh">trunk/Source/JavaScriptCore/jit/Repatch.h</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLLIntSlowPathscpp">trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLLIntSlowPathsh">trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.h</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreterasm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeCommonSlowPathscpp">trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeCommonSlowPathsh">trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkJSTestsmicrobenchmarksinbyvalint32js">trunk/JSTests/microbenchmarks/in-by-val-int32.js</a></li>
<li><a href="#trunkJSTestsmicrobenchmarksinbyvalstringindexjs">trunk/JSTests/microbenchmarks/in-by-val-string-index.js</a></li>
<li><a href="#trunkJSTestsmicrobenchmarksinbyvalsymboljs">trunk/JSTests/microbenchmarks/in-by-val-symbol.js</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeInByStatuscpp">trunk/Source/JavaScriptCore/bytecode/InByStatus.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeInByStatush">trunk/Source/JavaScriptCore/bytecode/InByStatus.h</a></li>
</ul>

<h3>Removed Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCorebytecodeInByIdStatuscpp">trunk/Source/JavaScriptCore/bytecode/InByIdStatus.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeInByIdStatush">trunk/Source/JavaScriptCore/bytecode/InByIdStatus.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkJSTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/JSTests/ChangeLog (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/ChangeLog  2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/JSTests/ChangeLog     2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -1,3 +1,14 @@
</span><ins>+2021-06-03  Ross Kirsling  <ross.kirsling@sony.com>
+
+        [JSC] Implement JIT ICs for InByVal
+        https://bugs.webkit.org/show_bug.cgi?id=226563
+
+        Reviewed by Saam Barati.
+
+        * microbenchmarks/in-by-val-int32.js: Added.
+        * microbenchmarks/in-by-val-string-index.js: Added.
+        * microbenchmarks/in-by-val-symbol.js: Added.
+
</ins><span class="cx"> 2021-06-03  Mark Lam  <mark.lam@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Fix an ASSERT in objectPrototypeHasOwnProperty() to account for TerminationException.
</span></span></pre></div>
<a id="trunkJSTestsmicrobenchmarksinbyvalint32js"></a>
<div class="addfile"><h4>Added: trunk/JSTests/microbenchmarks/in-by-val-int32.js (0 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/microbenchmarks/in-by-val-int32.js                         (rev 0)
+++ trunk/JSTests/microbenchmarks/in-by-val-int32.js    2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -0,0 +1,16 @@
</span><ins>+//@ skip if $model == "Apple Watch Series 3" # added by mark-jsc-stress-test.py
+function test(object)
+{
+    if (1 in object)
+        return object[1];
+    return 0;
+}
+noInline(test);
+
+var o1 = [42];
+var o2 = [42, 41];
+
+for (var i = 0; i < 1e6; ++i) {
+    test(o1);
+    test(o2);
+}
</ins></span></pre></div>
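Review bot: The closing loop in in-by-val-int32.js throws away what test(o1) and test(o2) return, so the file measures speed only. If a cached path ever answered "1 in object" wrongly for either array, nothing here would fail. Consider summing the results and checking the total after the loop (each iteration should contribute 0 for o1 and 41 for o2), or adding a companion stress test that asserts both the miss and the hit.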
<a id="trunkJSTestsmicrobenchmarksinbyvalstringindexjs"></a>
<div class="addfile"><h4>Added: trunk/JSTests/microbenchmarks/in-by-val-string-index.js (0 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/microbenchmarks/in-by-val-string-index.js                          (rev 0)
+++ trunk/JSTests/microbenchmarks/in-by-val-string-index.js     2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -0,0 +1,16 @@
</span><ins>+//@ skip if $model == "Apple Watch Series 3" # added by mark-jsc-stress-test.py
+function test(object)
+{
+    if ('1' in object)
+        return object[1];
+    return 0;
+}
+noInline(test);
+
+var o1 = [42];
+var o2 = [42, 41];
+
+for (var i = 0; i < 1e6; ++i) {
+    test(o1);
+    test(o2);
+}
</ins></span></pre></div>
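Review bot: In test(), the check uses the string key ('1' in object) but the guarded read uses the int32 key (return object[1]), so the two accesses in this benchmark do not use the same key type. If that is deliberate, to keep the read identical to in-by-val-int32.js so that only the "in" differs between the two files, a one-line comment saying so would save the next reader from wondering; otherwise read object['1'] to match the check.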
<a id="trunkJSTestsmicrobenchmarksinbyvalsymboljs"></a>
<div class="addfile"><h4>Added: trunk/JSTests/microbenchmarks/in-by-val-symbol.js (0 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/microbenchmarks/in-by-val-symbol.js                                (rev 0)
+++ trunk/JSTests/microbenchmarks/in-by-val-symbol.js   2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+//@ skip if $model == "Apple Watch Series 3" # added by mark-jsc-stress-test.py
+const cocoaSymbol = Symbol('cocoa');
+const cappuccinoSymbol = Symbol('cappuccino');
+
+function test(object)
+{
+    if (cocoaSymbol in object)
+        return object[cocoaSymbol];
+    return 0;
+}
+noInline(test);
+
+var o1 = {
+    [cocoaSymbol]: 42
+};
+var o2 = {
+    [cappuccinoSymbol]: 41
+};
+
+for (var i = 0; i < 1e6; ++i) {
+    test(o1);
+    test(o2);
+}
</ins></span></pre></div>
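Review bot: The only key ever tested at the "in" site is cocoaSymbol; cappuccinoSymbol appears only as a property of o2. The site therefore sees one key and two object shapes, which covers a hit and a miss but never the case where the same site is handed a different symbol after it has been cached. Because the key of a by-val lookup is a runtime operand, a cached answer is only valid for the key it was recorded with, so that case deserves coverage: a small stress test that passes the symbol as a second argument, alternates cocoaSymbol and cappuccinoSymbol against both objects, and asserts each result would exercise it.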
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog    2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/ChangeLog       2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -1,3 +1,143 @@
</span><ins>+2021-06-03  Ross Kirsling  <ross.kirsling@sony.com>
+
+        [JSC] Implement JIT ICs for InByVal
+        https://bugs.webkit.org/show_bug.cgi?id=226563
+
+        Reviewed by Saam Barati.
+
+        Until now, InByVal has had few optimizations implemented:
+        DFG would attempt to convert string index lookups to InById and int32 lookups to HasIndexedProperty,
+        but there has been no inline caching nor any special handling for symbol lookups.
+
+        This has become a more urgent problem now, as `#x in obj` (i.e. HasPrivateName / HasPrivateBrand)
+        will need to mimic InByVal's inline caching strategy in order to be deemed performant enough to ship.
+
+        This patch thus implements inline caching for InByVal at all JIT tiers.
+        The result is a night-and-day difference for symbols, a nice boost for string indices, and no change for int32s: 
+
+        in-by-val-symbol                  203.5572+-2.7647     ^     19.1035+-0.7498        ^ definitely 10.6555x faster
+        in-by-val-string-index             87.0368+-44.7766          45.9971+-32.0007         might be 1.8922x faster
+        in-by-val-int32                   110.9904+-1.7109     ?    111.3431+-1.7558        ?
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * bytecode/CheckPrivateBrandStatus.cpp:
+        (JSC::CheckPrivateBrandStatus::singleIdentifier const):
+        * bytecode/DeleteByStatus.cpp:
+        (JSC::DeleteByStatus::singleIdentifier const):
+        * bytecode/GetByStatus.cpp:
+        (JSC::GetByStatus::singleIdentifier const):
+        * bytecode/ICStatusMap.h:
+        * bytecode/ICStatusUtils.h:
+        (JSC::singleIdentifierForICStatus):
+        * bytecode/InByIdVariant.cpp:
+        (JSC::InByIdVariant::InByIdVariant):
+        (JSC::InByIdVariant::attemptToMerge):
+        (JSC::InByIdVariant::dumpInContext const):
+        * bytecode/InByIdVariant.h:
+        (JSC::InByIdVariant::identifier const):
+        (JSC::InByIdVariant::overlaps):
+        * bytecode/InByStatus.cpp: Renamed from Source/JavaScriptCore/bytecode/InByIdStatus.cpp.
+        (JSC::InByStatus::appendVariant):
+        (JSC::InByStatus::shrinkToFit):
+        (JSC::InByStatus::computeFor):
+        (JSC::InByStatus::computeForStubInfo):
+        (JSC::InByStatus::computeForStubInfoWithoutExitSiteFeedback):
+        (JSC::InByStatus::merge):
+        (JSC::InByStatus::filter):
+        (JSC::InByStatus::markIfCheap):
+        (JSC::InByStatus::finalize):
+        (JSC::InByStatus::singleIdentifier const):
+        (JSC::InByStatus::dump const):
+        * bytecode/InByStatus.h: Renamed from Source/JavaScriptCore/bytecode/InByIdStatus.h.
+        * bytecode/RecordedStatuses.cpp:
+        (JSC::RecordedStatuses::addInByStatus): Renamed from addInByIdStatus.
+        * bytecode/RecordedStatuses.h:
+        * bytecode/SetPrivateBrandStatus.cpp:
+        (JSC::SetPrivateBrandStatus::singleIdentifier const):
+        * bytecode/StructureStubInfo.cpp:
+        (JSC::StructureStubInfo::reset):
+        * bytecode/StructureStubInfo.h:
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterICStatus):
+        * dfg/DFGArgumentsEliminationPhase.cpp:
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleInById):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGClobbersExitState.cpp:
+        (JSC::DFG::clobbersExitState):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGGraph.cpp:
+        (JSC::DFG::Graph::dump):
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::link):
+        * dfg/DFGJITCompiler.h:
+        (JSC::DFG::JITCompiler::addInByVal):
+        * dfg/DFGMayExit.cpp:
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::hasInByStatus): Renamed from hasInByIdStatus.
+        (JSC::DFG::Node::inByStatus): Renamed from inByIdStatus.
+        * dfg/DFGNodeType.h:
+        * dfg/DFGObjectAllocationSinkingPhase.cpp:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileInByVal):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGVarargsForwardingPhase.cpp:
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+        (JSC::FTL::DFG::LowerDFGToB3::compileInBy):
+        (JSC::FTL::DFG::LowerDFGToB3::compileInById):
+        (JSC::FTL::DFG::LowerDFGToB3::compileInByVal):
+        * jit/ICStats.h:
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileMainPass):
+        (JSC::JIT::privateCompileSlowCases):
+        (JSC::JIT::link):
+        * jit/JIT.h:
+        * jit/JITInlineCacheGenerator.cpp:
+        (JSC::JITInByValGenerator::JITInByValGenerator):
+        (JSC::JITInByValGenerator::generateFastPath):
+        (JSC::JITInByValGenerator::finalize):
+        (JSC::JITInByIdGenerator::JITInByIdGenerator):
+        * jit/JITInlineCacheGenerator.h:
+        (JSC::JITDelByIdGenerator::slowPathJump const):
+        (JSC::JITInByValGenerator::JITInByValGenerator):
+        (JSC::JITInByValGenerator::slowPathJump const):
+        * jit/JITOperations.cpp:
+        (JSC::JSC_DEFINE_JIT_OPERATION):
+        * jit/JITOperations.h:
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emit_op_in_by_val):
+        (JSC::JIT::emitSlow_op_in_by_val):
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::emit_op_in_by_val):
+        (JSC::JIT::emitSlow_op_in_by_val):
+        * jit/Repatch.cpp:
+        (JSC::tryCacheInBy): Renamed from tryCacheInByID.
+        (JSC::repatchInBy): Renamed from repatchInByID.
+        (JSC::resetInBy): Renamed from resetInByID.
+        * jit/Repatch.h:
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * llint/LLIntSlowPaths.h:
+        * llint/LowLevelInterpreter.asm:
+        * runtime/CommonSlowPaths.cpp:
+        * runtime/CommonSlowPaths.h:
+
</ins><span class="cx"> 2021-06-03  Mark Lam  <mark.lam@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Fix an ASSERT in objectPrototypeHasOwnProperty() to account for TerminationException.
</span></span></pre></div>
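Review bot: In the benchmark table, the in-by-val-string-index row reports 87.0368+-44.7766 against 45.9971+-32.0007, and the tool's own verdict is only "might be 1.8922x faster", so the sentence just above the table calling this "a nice boost for string indices" claims more than these numbers show. Either rerun that benchmark until the intervals separate, or soften the wording to match the verdict. The symbol row ("definitely 10.6555x faster") supports its claim as written.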
<a id="trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj     2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj        2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -1401,7 +1401,9 @@
</span><span class="cx">          A1D792FF1B43864B004516F5 /* IntlNumberFormatConstructor.h in Headers */ = {isa = PBXBuildFile; fileRef = A1D792F91B43864B004516F5 /* IntlNumberFormatConstructor.h */; };
</span><span class="cx">          A1D793011B43864B004516F5 /* IntlNumberFormatPrototype.h in Headers */ = {isa = PBXBuildFile; fileRef = A1D792FB1B43864B004516F5 /* IntlNumberFormatPrototype.h */; };
</span><span class="cx">          A321AA6D2626359B0023ADA2 /* IntlWorkaround.h in Headers */ = {isa = PBXBuildFile; fileRef = A321AA6C2626359B0023ADA2 /* IntlWorkaround.h */; };
</span><ins>+               A382C5312667111D0042CD99 /* InByIdVariant.h in Headers */ = {isa = PBXBuildFile; fileRef = E3305FB120B0F78800CEB82B /* InByIdVariant.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx">           A38D250E25800D440042BFDD /* JSArrayBufferPrototypeInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = A38D250D25800D430042BFDD /* JSArrayBufferPrototypeInlines.h */; };
</span><ins>+               A38D5BFC2666D3DA00A109A6 /* InByStatus.h in Headers */ = {isa = PBXBuildFile; fileRef = A38D5BFA2666D3DA00A109A6 /* InByStatus.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx">           A3EE8543262514B000FC9B8D /* IntlWorkaround.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A37619402625127C00CBCBA9 /* IntlWorkaround.cpp */; };
</span><span class="cx">          A3FF9BC72234749100B1A9AB /* YarrFlags.h in Headers */ = {isa = PBXBuildFile; fileRef = A3FF9BC52234746600B1A9AB /* YarrFlags.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          A503FA1A188E0FB000110F14 /* JavaScriptCallFrame.h in Headers */ = {isa = PBXBuildFile; fileRef = A503FA14188E0FAF00110F14 /* JavaScriptCallFrame.h */; };
</span><span class="lines">@@ -4430,6 +4432,8 @@
</span><span class="cx">          A321AA6C2626359B0023ADA2 /* IntlWorkaround.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IntlWorkaround.h; sourceTree = "<group>"; };
</span><span class="cx">          A37619402625127C00CBCBA9 /* IntlWorkaround.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = IntlWorkaround.cpp; sourceTree = "<group>"; };
</span><span class="cx">          A38D250D25800D430042BFDD /* JSArrayBufferPrototypeInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSArrayBufferPrototypeInlines.h; sourceTree = "<group>"; };
</span><ins>+               A38D5BF92666D3DA00A109A6 /* InByStatus.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = InByStatus.cpp; sourceTree = "<group>"; };
+               A38D5BFA2666D3DA00A109A6 /* InByStatus.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = InByStatus.h; sourceTree = "<group>"; };
</ins><span class="cx">           A3AFF92B245A3CF900C9BA3B /* IntlLocale.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IntlLocale.h; sourceTree = "<group>"; };
</span><span class="cx">          A3AFF92C245A3CFA00C9BA3B /* IntlLocaleConstructor.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IntlLocaleConstructor.h; sourceTree = "<group>"; };
</span><span class="cx">          A3AFF92D245A3CFA00C9BA3B /* IntlLocale.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = IntlLocale.cpp; sourceTree = "<group>"; };
</span><span class="lines">@@ -5058,10 +5062,8 @@
</span><span class="cx">          E3282BB91FE930A300EDAF71 /* YarrErrorCode.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = YarrErrorCode.cpp; path = yarr/YarrErrorCode.cpp; sourceTree = "<group>"; };
</span><span class="cx">          E3282BBA1FE930A400EDAF71 /* YarrErrorCode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = YarrErrorCode.h; path = yarr/YarrErrorCode.h; sourceTree = "<group>"; };
</span><span class="cx">          E32C3C6823E94C1E00BC97C0 /* UnlinkedCodeBlockGenerator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = UnlinkedCodeBlockGenerator.h; sourceTree = "<group>"; };
</span><del>-               E3305FAF20B0F78700CEB82B /* InByIdStatus.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = InByIdStatus.h; sourceTree = "<group>"; };
</del><span class="cx">           E3305FB020B0F78700CEB82B /* InByIdVariant.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = InByIdVariant.cpp; sourceTree = "<group>"; };
</span><span class="cx">          E3305FB120B0F78800CEB82B /* InByIdVariant.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = InByIdVariant.h; sourceTree = "<group>"; };
</span><del>-               E3305FB220B0F78800CEB82B /* InByIdStatus.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = InByIdStatus.cpp; sourceTree = "<group>"; };
</del><span class="cx">           E33095DC23210A1400EB7856 /* JSInternalFieldObjectImpl.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = JSInternalFieldObjectImpl.h; sourceTree = "<group>"; };
</span><span class="cx">          E334CBB221FD96A8000EB178 /* RegExpGlobalData.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = RegExpGlobalData.cpp; sourceTree = "<group>"; };
</span><span class="cx">          E334CBB321FD96A9000EB178 /* RegExpGlobalData.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = RegExpGlobalData.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -6282,9 +6284,9 @@
</span><span class="cx">                          FE3A06B91C1103D900390FDD /* JITRightShiftGenerator.h */,
</span><span class="cx">                          72131BF326587EF2007114CF /* JITSafepoint.cpp */,
</span><span class="cx">                          72131BF526587EF2007114CF /* JITSafepoint.h */,
</span><ins>+                               72131BF426587EF2007114CF /* JITScannable.h */,
</ins><span class="cx">                           52B5100C265EFCD4008970E7 /* JITSizeStatistics.cpp */,
</span><span class="cx">                          52B5100B265EFCD4008970E7 /* JITSizeStatistics.h */,
</span><del>-                               72131BF426587EF2007114CF /* JITScannable.h */,
</del><span class="cx">                           0F766D2615A8CC1B008F363E /* JITStubRoutine.cpp */,
</span><span class="cx">                          0F766D1C15A5028D008F363E /* JITStubRoutine.h */,
</span><span class="cx">                          FE42388F1BE18C1200514737 /* JITSubGenerator.cpp */,
</span><span class="lines">@@ -8577,10 +8579,10 @@
</span><span class="cx">                          0F44A7AF20BF685F0022B171 /* ICStatusMap.h */,
</span><span class="cx">                          0F44A7B520C0BE3F0022B171 /* ICStatusUtils.cpp */,
</span><span class="cx">                          0FB399BD20AF6B380017E213 /* ICStatusUtils.h */,
</span><del>-                               E3305FB220B0F78800CEB82B /* InByIdStatus.cpp */,
-                               E3305FAF20B0F78700CEB82B /* InByIdStatus.h */,
</del><span class="cx">                           E3305FB020B0F78700CEB82B /* InByIdVariant.cpp */,
</span><span class="cx">                          E3305FB120B0F78800CEB82B /* InByIdVariant.h */,
</span><ins>+                               A38D5BF92666D3DA00A109A6 /* InByStatus.cpp */,
+                               A38D5BFA2666D3DA00A109A6 /* InByStatus.h */,
</ins><span class="cx">                           7905BB661D12050E0019FE57 /* InlineAccess.cpp */,
</span><span class="cx">                          7905BB671D12050E0019FE57 /* InlineAccess.h */,
</span><span class="cx">                          148A7BED1B82975A002D9157 /* InlineCallFrame.cpp */,
</span><span class="lines">@@ -9617,7 +9619,6 @@
</span><span class="cx">                          0F2BDC21151E803B00CD8910 /* DFGInsertionSet.h in Headers */,
</span><span class="cx">                          0F300B7C18AB1B1400A6D72E /* DFGIntegerCheckCombiningPhase.h in Headers */,
</span><span class="cx">                          0F898F321B27689F0083A33C /* DFGIntegerRangeOptimizationPhase.h in Headers */,
</span><del>-                               52B5100D265EFCDB008970E7 /* JITSizeStatistics.h in Headers */,
</del><span class="cx">                           0FC97F3E18202119002C9B26 /* DFGInvalidationPointInjectionPhase.h in Headers */,
</span><span class="cx">                          0FEA0A34170D40BF00BB722C /* DFGJITCode.h in Headers */,
</span><span class="cx">                          86EC9DCC1328DF82002B2AD7 /* DFGJITCompiler.h in Headers */,
</span><span class="lines">@@ -9920,6 +9921,8 @@
</span><span class="cx">                          BC18C40F0E16F5CD00B34460 /* Identifier.h in Headers */,
</span><span class="cx">                          8606DDEA18DA44AB00A383D0 /* IdentifierInlines.h in Headers */,
</span><span class="cx">                          A5FD0076189B038C00633231 /* IdentifiersFactory.h in Headers */,
</span><ins>+                               A382C5312667111D0042CD99 /* InByIdVariant.h in Headers */,
+                               A38D5BFC2666D3DA00A109A6 /* InByStatus.h in Headers */,
</ins><span class="cx">                           C25F8BCE157544A900245B71 /* IncrementalSweeper.h in Headers */,
</span><span class="cx">                          0FB7F39915ED8E4600F167B2 /* IndexingHeader.h in Headers */,
</span><span class="cx">                          0FB7F39A15ED8E4600F167B2 /* IndexingHeaderInlines.h in Headers */,
</span><span class="lines">@@ -10071,6 +10074,7 @@
</span><span class="cx">                          FE3A06C01C11041A00390FDD /* JITRightShiftGenerator.h in Headers */,
</span><span class="cx">                          72131BF926587EF2007114CF /* JITSafepoint.h in Headers */,
</span><span class="cx">                          72131BF826587EF2007114CF /* JITScannable.h in Headers */,
</span><ins>+                               52B5100D265EFCDB008970E7 /* JITSizeStatistics.h in Headers */,
</ins><span class="cx">                           0F766D3115AA8112008F363E /* JITStubRoutine.h in Headers */,
</span><span class="cx">                          0F766D2C15A8CC3A008F363E /* JITStubRoutineSet.h in Headers */,
</span><span class="cx">                          0F5EF91F16878F7D003E5C25 /* JITThunks.h in Headers */,
</span></span></pre></div>
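Review bot: the JITSizeStatistics.h in Headers entry added in this last hunk is the same entry (52B5100D265EFCDB008970E7) removed in the @@ -9617 hunk, and the JITScannable.h move in the @@ -6282 hunk is likewise a pure re-sort, so neither has anything to do with InByStatus. Say in the commit message that the project file was re-sorted, or land the re-sort separately, so the rename itself stays easy to audit.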
<a id="trunkSourceJavaScriptCoreSourcestxt"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/Sources.txt (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/Sources.txt  2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/Sources.txt     2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -239,7 +239,7 @@
</span><span class="cx"> bytecode/GetterSetterAccessCase.cpp
</span><span class="cx"> bytecode/ICStatusMap.cpp
</span><span class="cx"> bytecode/ICStatusUtils.cpp
</span><del>-bytecode/InByIdStatus.cpp
</del><ins>+bytecode/InByStatus.cpp
</ins><span class="cx"> bytecode/InByIdVariant.cpp
</span><span class="cx"> bytecode/InlineAccess.cpp
</span><span class="cx"> bytecode/InlineCallFrame.cpp
</span></span></pre></div>
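Review bot: bytecode/InByStatus.cpp is left in the slot of the old InByIdStatus.cpp, ahead of bytecode/InByIdVariant.cpp, which breaks the alphabetical order the surrounding entries follow ("InByI" sorts before "InByS"). The project.pbxproj group in this same change already lists InByIdVariant before InByStatus, so move the new line below bytecode/InByIdVariant.cpp to match.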
<a id="trunkSourceJavaScriptCorebytecodeCheckPrivateBrandStatuscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CheckPrivateBrandStatus.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CheckPrivateBrandStatus.cpp 2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/bytecode/CheckPrivateBrandStatus.cpp    2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -219,20 +219,7 @@
</span><span class="cx"> 
</span><span class="cx"> CacheableIdentifier CheckPrivateBrandStatus::singleIdentifier() const
</span><span class="cx"> {
</span><del>-    if (m_variants.isEmpty())
-        return nullptr;
-
-    CacheableIdentifier result = m_variants.first().identifier();
-    if (!result)
-        return nullptr;
-    for (size_t i = 1; i < m_variants.size(); ++i) {
-        CacheableIdentifier identifier = m_variants[i].identifier();
-        if (!identifier)
-            return nullptr;
-        if (identifier != result)
-            return nullptr;
-    }
-    return result;
</del><ins>+    return singleIdentifierForICStatus(m_variants);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template<typename Visitor>
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeDeleteByStatuscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/DeleteByStatus.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/DeleteByStatus.cpp  2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/bytecode/DeleteByStatus.cpp     2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -245,20 +245,7 @@
</span><span class="cx"> 
</span><span class="cx"> CacheableIdentifier DeleteByStatus::singleIdentifier() const
</span><span class="cx"> {
</span><del>-    if (m_variants.isEmpty())
-        return nullptr;
-
-    CacheableIdentifier result = m_variants.first().identifier();
-    if (!result)
-        return nullptr;
-    for (size_t i = 1; i < m_variants.size(); ++i) {
-        CacheableIdentifier identifier = m_variants[i].identifier();
-        if (!identifier)
-            return nullptr;
-        if (identifier != result)
-            return nullptr;
-    }
-    return result;
</del><ins>+    return singleIdentifierForICStatus(m_variants);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template<typename Visitor>
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeGetByStatuscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/GetByStatus.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/GetByStatus.cpp     2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/bytecode/GetByStatus.cpp        2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -579,20 +579,7 @@
</span><span class="cx">     if (isModuleNamespace())
</span><span class="cx">         return m_moduleNamespaceData->m_identifier;
</span><span class="cx"> 
</span><del>-    if (m_variants.isEmpty())
-        return nullptr;
-
-    CacheableIdentifier result = m_variants.first().identifier();
-    if (!result)
-        return nullptr;
-    for (size_t i = 1; i < m_variants.size(); ++i) {
-        CacheableIdentifier identifier = m_variants[i].identifier();
-        if (!identifier)
-            return nullptr;
-        if (identifier != result)
-            return nullptr;
-    }
-    return result;
</del><ins>+    return singleIdentifierForICStatus(m_variants);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void GetByStatus::dump(PrintStream& out) const
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeICStatusMaph"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/ICStatusMap.h (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/ICStatusMap.h       2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/bytecode/ICStatusMap.h  2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -35,7 +35,7 @@
</span><span class="cx"> class CallLinkStatus;
</span><span class="cx"> class CodeBlock;
</span><span class="cx"> class GetByStatus;
</span><del>-class InByIdStatus;
</del><ins>+class InByStatus;
</ins><span class="cx"> class PutByIdStatus;
</span><span class="cx"> class DeleteByStatus;
</span><span class="cx"> class StructureStubInfo;
</span><span class="lines">@@ -47,7 +47,7 @@
</span><span class="cx">     ByValInfo* byValInfo { nullptr };
</span><span class="cx">     CallLinkStatus* callStatus { nullptr };
</span><span class="cx">     GetByStatus* getStatus { nullptr };
</span><del>-    InByIdStatus* inStatus { nullptr };
</del><ins>+    InByStatus* inStatus { nullptr };
</ins><span class="cx">     PutByIdStatus* putStatus { nullptr };
</span><span class="cx">     DeleteByStatus* deleteStatus { nullptr };
</span><span class="cx"> };
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeICStatusUtilsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/ICStatusUtils.h (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/ICStatusUtils.h     2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/bytecode/ICStatusUtils.h        2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -26,6 +26,7 @@
</span><span class="cx"> #pragma once
</span><span class="cx"> 
</span><span class="cx"> #include "BytecodeIndex.h"
</span><ins>+#include "CacheableIdentifier.h"
</ins><span class="cx"> #include "ExitFlag.h"
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="lines">@@ -72,6 +73,25 @@
</span><span class="cx">         });
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+template<typename VariantVectorType>
+CacheableIdentifier singleIdentifierForICStatus(VariantVectorType& variants)
+{
+    if (variants.isEmpty())
+        return nullptr;
+
+    CacheableIdentifier result = variants.first().identifier();
+    if (!result)
+        return nullptr;
+
+    for (size_t i = 1; i < variants.size(); ++i) {
+        CacheableIdentifier identifier = variants[i].identifier();
+        if (!identifier || identifier != result)
+            return nullptr;
+    }
+
+    return result;
+}
+
</ins><span class="cx"> ExitFlag hasBadCacheExitSite(CodeBlock* profiledBlock, BytecodeIndex);
</span><span class="cx"> 
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
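Review bot: singleIdentifierForICStatus() takes its argument as a non-const reference (VariantVectorType& variants) but only reads it through isEmpty(), first(), size() and operator[], and every caller shown in this change invokes it from a const singleIdentifier() member. Declare the parameter as a const reference so the read-only contract is visible at the declaration. A one-line comment above the template would also help, since an empty vector, a null identifier on any variant and a mismatch between variants all collapse into the same nullptr result.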
<a id="trunkSourceJavaScriptCorebytecodeInByIdStatuscpp"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/bytecode/InByIdStatus.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/InByIdStatus.cpp    2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/bytecode/InByIdStatus.cpp       2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -1,298 +0,0 @@
</span><del>-/*
- * Copyright (C) 2018 Yusuke Suzuki <utatane.tea@gmail.com>.
- * Copyright (C) 2018-2021 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "config.h"
-#include "InByIdStatus.h"
-
-#include "CodeBlock.h"
-#include "ComplexGetStatus.h"
-#include "ICStatusUtils.h"
-#include "PolymorphicAccess.h"
-#include "StructureStubInfo.h"
-#include <wtf/ListDump.h>
-
-namespace JSC {
-
-bool InByIdStatus::appendVariant(const InByIdVariant& variant)
-{
-    return appendICStatusVariant(m_variants, variant);
-}
-
-void InByIdStatus::shrinkToFit()
-{
-    m_variants.shrinkToFit();
-}
-
-#if ENABLE(JIT)
-InByIdStatus InByIdStatus::computeFor(CodeBlock* profiledBlock, ICStatusMap& map, BytecodeIndex bytecodeIndex, UniquedStringImpl* uid, ExitFlag didExit)
-{
-    ConcurrentJSLocker locker(profiledBlock->m_lock);
-
-    InByIdStatus result;
-
-#if ENABLE(DFG_JIT)
-    result = computeForStubInfoWithoutExitSiteFeedback(locker, profiledBlock->vm(), map.get(CodeOrigin(bytecodeIndex)).stubInfo, uid);
-
-    if (!result.takesSlowPath() && didExit)
-        return InByIdStatus(TakesSlowPath);
-#else
-    UNUSED_PARAM(map);
-    UNUSED_PARAM(bytecodeIndex);
-    UNUSED_PARAM(uid);
-    UNUSED_PARAM(didExit);
-#endif
-
-    return result;
-}
-
-InByIdStatus InByIdStatus::computeFor(CodeBlock* profiledBlock, ICStatusMap& map, BytecodeIndex bytecodeIndex, UniquedStringImpl* uid)
-{
-    return computeFor(profiledBlock, map, bytecodeIndex, uid, hasBadCacheExitSite(profiledBlock, bytecodeIndex));
-}
-
-InByIdStatus InByIdStatus::computeFor(
-    CodeBlock* profiledBlock, ICStatusMap& baselineMap,
-    ICStatusContextStack& contextStack, CodeOrigin codeOrigin, UniquedStringImpl* uid)
-{
-    BytecodeIndex bytecodeIndex = codeOrigin.bytecodeIndex();
-    ExitFlag didExit = hasBadCacheExitSite(profiledBlock, bytecodeIndex);
-    
-    for (ICStatusContext* context : contextStack) {
-        ICStatus status = context->get(codeOrigin);
-        
-        auto bless = [&] (const InByIdStatus& result) -> InByIdStatus {
-            if (!context->isInlined(codeOrigin)) {
-                InByIdStatus baselineResult = computeFor(
-                    profiledBlock, baselineMap, bytecodeIndex, uid, didExit);
-                baselineResult.merge(result);
-                return baselineResult;
-            }
-            if (didExit.isSet(ExitFromInlined))
-                return InByIdStatus(TakesSlowPath);
-            return result;
-        };
-        
-#if ENABLE(DFG_JIT)
-        if (status.stubInfo) {
-            InByIdStatus result;
-            {
-                ConcurrentJSLocker locker(context->optimizedCodeBlock->m_lock);
-                result = computeForStubInfoWithoutExitSiteFeedback(locker, profiledBlock->vm(), status.stubInfo, uid);
-            }
-            if (result.isSet())
-                return bless(result);
-        }
-#endif
-        
-        if (status.inStatus)
-            return bless(*status.inStatus);
-    }
-    
-    return computeFor(profiledBlock, baselineMap, bytecodeIndex, uid, didExit);
-}
-#endif // ENABLE(JIT)
-
-#if ENABLE(DFG_JIT)
-InByIdStatus InByIdStatus::computeForStubInfo(const ConcurrentJSLocker& locker, CodeBlock* profiledBlock, StructureStubInfo* stubInfo, CodeOrigin codeOrigin, UniquedStringImpl* uid)
-{
-    InByIdStatus result = InByIdStatus::computeForStubInfoWithoutExitSiteFeedback(locker, profiledBlock->vm(), stubInfo, uid);
-
-    if (!result.takesSlowPath() && hasBadCacheExitSite(profiledBlock, codeOrigin.bytecodeIndex()))
-        return InByIdStatus(TakesSlowPath);
-    return result;
-}
-
-InByIdStatus InByIdStatus::computeForStubInfoWithoutExitSiteFeedback(const ConcurrentJSLocker&, VM& vm, StructureStubInfo* stubInfo, UniquedStringImpl* uid)
-{
-    StubInfoSummary summary = StructureStubInfo::summary(vm, stubInfo);
-    if (!isInlineable(summary))
-        return InByIdStatus(summary);
-    
-    // Finally figure out if we can derive an access strategy.
-    InByIdStatus result;
-    result.m_state = Simple;
-    switch (stubInfo->cacheType()) {
-    case CacheType::Unset:
-        return InByIdStatus(NoInformation);
-
-    case CacheType::InByIdSelf: {
-        Structure* structure = stubInfo->u.byIdSelf.baseObjectStructure.get();
-        if (structure->takesSlowPathInDFGForImpureProperty())
-            return InByIdStatus(TakesSlowPath);
-        unsigned attributes;
-        InByIdVariant variant;
-        variant.m_offset = structure->getConcurrently(uid, attributes);
-        if (!isValidOffset(variant.m_offset))
-            return InByIdStatus(TakesSlowPath);
-        if (attributes & PropertyAttribute::CustomAccessorOrValue)
-            return InByIdStatus(TakesSlowPath);
-
-        variant.m_structureSet.add(structure);
-        bool didAppend = result.appendVariant(variant);
-        ASSERT_UNUSED(didAppend, didAppend);
-        return result;
-    }
-
-    case CacheType::Stub: {
-        PolymorphicAccess* list = stubInfo->u.stub;
-        for (unsigned listIndex = 0; listIndex < list->size(); ++listIndex) {
-            const AccessCase& access = list->at(listIndex);
-            if (access.viaProxy())
-                return InByIdStatus(TakesSlowPath);
-
-            if (access.usesPolyProto())
-                return InByIdStatus(TakesSlowPath);
-
-            Structure* structure = access.structure();
-            if (!structure) {
-                // The null structure cases arise due to array.length. We have no way of creating a
-                // InByIdVariant for those, and we don't really have to since the DFG handles those
-                // cases in FixupPhase using value profiling. That's a bit awkward - we shouldn't
-                // have to use value profiling to discover something that the AccessCase could have
-                // told us. But, it works well enough. So, our only concern here is to not
-                // crash on null structure.
-                return InByIdStatus(TakesSlowPath);
-            }
-
-            ComplexGetStatus complexGetStatus = ComplexGetStatus::computeFor(structure, access.conditionSet(), uid);
-            switch (complexGetStatus.kind()) {
-            case ComplexGetStatus::ShouldSkip:
-                continue;
-
-            case ComplexGetStatus::TakesSlowPath:
-                return InByIdStatus(TakesSlowPath);
-
-            case ComplexGetStatus::Inlineable: {
-                switch (access.type()) {
-                case AccessCase::InHit:
-                case AccessCase::InMiss:
-                    break;
-                default:
-                    return InByIdStatus(TakesSlowPath);
-                }
-
-                InByIdVariant variant(
-                    StructureSet(structure), complexGetStatus.offset(),
-                    complexGetStatus.conditionSet());
-
-                if (!result.appendVariant(variant))
-                    return InByIdStatus(TakesSlowPath);
-                break;
-            }
-            }
-        }
-
-        result.shrinkToFit();
-        return result;
-    }
-
-    default:
-        return InByIdStatus(TakesSlowPath);
-    }
-
-    RELEASE_ASSERT_NOT_REACHED();
-    return InByIdStatus();
-}
-#endif
-
-void InByIdStatus::merge(const InByIdStatus& other)
-{
-    if (other.m_state == NoInformation)
-        return;
-    
-    switch (m_state) {
-    case NoInformation:
-        *this = other;
-        return;
-        
-    case Simple:
-        if (other.m_state != Simple) {
-            *this = InByIdStatus(TakesSlowPath);
-            return;
-        }
-        for (const InByIdVariant& otherVariant : other.m_variants) {
-            if (!appendVariant(otherVariant)) {
-                *this = InByIdStatus(TakesSlowPath);
-                return;
-            }
-        }
-        shrinkToFit();
-        return;
-        
-    case TakesSlowPath:
-        return;
-    }
-    
-    RELEASE_ASSERT_NOT_REACHED();
-}
-
-void InByIdStatus::filter(const StructureSet& structureSet)
-{
-    if (m_state != Simple)
-        return;
-    filterICStatusVariants(m_variants, structureSet);
-    if (m_variants.isEmpty())
-        m_state = NoInformation;
-}
-
-template<typename Visitor>
-void InByIdStatus::markIfCheap(Visitor& visitor)
-{
-    for (InByIdVariant& variant : m_variants)
-        variant.markIfCheap(visitor);
-}
-
-template void InByIdStatus::markIfCheap(AbstractSlotVisitor&);
-template void InByIdStatus::markIfCheap(SlotVisitor&);
-
-bool InByIdStatus::finalize(VM& vm)
-{
-    for (InByIdVariant& variant : m_variants) {
-        if (!variant.finalize(vm))
-            return false;
-    }
-    return true;
-}
-
-void InByIdStatus::dump(PrintStream& out) const
-{
-    out.print("(");
-    switch (m_state) {
-    case NoInformation:
-        out.print("NoInformation");
-        break;
-    case Simple:
-        out.print("Simple");
-        break;
-    case TakesSlowPath:
-        out.print("TakesSlowPath");
-        break;
-    }
-    out.print(", ", listDump(m_variants), ")");
-}
-
-} // namespace JSC
-
</del></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeInByIdStatush"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/bytecode/InByIdStatus.h (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/InByIdStatus.h      2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/bytecode/InByIdStatus.h 2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -1,125 +0,0 @@
</span><del>-/*
- * Copyright (C) 2018 Yusuke Suzuki <utatane.tea@gmail.com>.
- * Copyright (C) 2018-2021 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#pragma once
-
-#include "CallLinkStatus.h"
-#include "CodeOrigin.h"
-#include "ConcurrentJSLock.h"
-#include "ICStatusMap.h"
-#include "InByIdVariant.h"
-#include "StubInfoSummary.h"
-
-namespace JSC {
-
-class AccessCase;
-class CodeBlock;
-class StructureStubInfo;
-
-class InByIdStatus final {
-    WTF_MAKE_FAST_ALLOCATED;
-public:
-    enum State {
-        // It's uncached so we have no information.
-        NoInformation,
-        // It's cached for a simple access to a known object property with
-        // a possible structure chain and a possible specific value.
-        Simple,
-        // It's known to often take slow path.
-        TakesSlowPath,
-    };
-
-    InByIdStatus() = default;
-
-    InByIdStatus(State state, const InByIdVariant& variant = InByIdVariant())
-        : m_state(state)
-    {
-        ASSERT((state == Simple) == variant.isSet());
-        if (variant.isSet())
-            m_variants.append(variant);
-    }
-
-    explicit InByIdStatus(StubInfoSummary summary)
-    {
-        switch (summary) {
-        case StubInfoSummary::NoInformation:
-            m_state = NoInformation;
-            return;
-        case StubInfoSummary::Simple:
-        case StubInfoSummary::MakesCalls:
-            RELEASE_ASSERT_NOT_REACHED();
-            return;
-        case StubInfoSummary::TakesSlowPath:
-        case StubInfoSummary::TakesSlowPathAndMakesCalls:
-            m_state = TakesSlowPath;
-            return;
-        }
-        RELEASE_ASSERT_NOT_REACHED();
-    }
-    
-    static InByIdStatus computeFor(CodeBlock*, ICStatusMap&, BytecodeIndex, UniquedStringImpl* uid);
-    static InByIdStatus computeFor(CodeBlock*, ICStatusMap&, BytecodeIndex, UniquedStringImpl* uid, ExitFlag);
-    static InByIdStatus computeFor(CodeBlock* baselineBlock, ICStatusMap& baselineMap, ICStatusContextStack& contextStack, CodeOrigin, UniquedStringImpl* uid);
-
-#if ENABLE(DFG_JIT)
-    static InByIdStatus computeForStubInfo(const ConcurrentJSLocker&, CodeBlock* baselineBlock, StructureStubInfo*, CodeOrigin, UniquedStringImpl* uid);
-#endif
-
-    State state() const { return m_state; }
-
-    bool isSet() const { return m_state != NoInformation; }
-    explicit operator bool() const { return isSet(); }
-    bool isSimple() const { return m_state == Simple; }
-
-    size_t numVariants() const { return m_variants.size(); }
-    const Vector<InByIdVariant, 1>& variants() const { return m_variants; }
-    const InByIdVariant& at(size_t index) const { return m_variants[index]; }
-    const InByIdVariant& operator[](size_t index) const { return at(index); }
-
-    bool takesSlowPath() const { return m_state == TakesSlowPath; }
-    
-    void merge(const InByIdStatus&);
-
-    // Attempts to reduce the set of variants to fit the given structure set. This may be approximate.
-    void filter(const StructureSet&);
-    
-    template<typename Visitor> void markIfCheap(Visitor&);
-    bool finalize(VM&);
-
-    void dump(PrintStream&) const;
-
-private:
-#if ENABLE(DFG_JIT)
-    static InByIdStatus computeForStubInfoWithoutExitSiteFeedback(const ConcurrentJSLocker&, VM&, StructureStubInfo*, UniquedStringImpl* uid);
-#endif
-    bool appendVariant(const InByIdVariant&);
-    void shrinkToFit();
-
-    State m_state { NoInformation };
-    Vector<InByIdVariant, 1> m_variants;
-};
-
-} // namespace JSC
</del></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeInByIdVariantcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/InByIdVariant.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/InByIdVariant.cpp   2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/bytecode/InByIdVariant.cpp      2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -27,12 +27,15 @@
</span><span class="cx"> #include "config.h"
</span><span class="cx"> #include "InByIdVariant.h"
</span><span class="cx"> 
</span><ins>+#include "CacheableIdentifierInlines.h"
+
</ins><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-InByIdVariant::InByIdVariant(const StructureSet& structureSet, PropertyOffset offset, const ObjectPropertyConditionSet& conditionSet)
</del><ins>+InByIdVariant::InByIdVariant(CacheableIdentifier identifier, const StructureSet& structureSet, PropertyOffset offset, const ObjectPropertyConditionSet& conditionSet)
</ins><span class="cx">     : m_structureSet(structureSet)
</span><span class="cx">     , m_conditionSet(conditionSet)
</span><span class="cx">     , m_offset(offset)
</span><ins>+    , m_identifier(WTFMove(identifier))
</ins><span class="cx"> {
</span><span class="cx">     if (!structureSet.size()) {
</span><span class="cx">         ASSERT(offset == invalidOffset);
</span><span class="lines">@@ -42,6 +45,12 @@
</span><span class="cx"> 
</span><span class="cx"> bool InByIdVariant::attemptToMerge(const InByIdVariant& other)
</span><span class="cx"> {
</span><ins>+    if (!!m_identifier != !!other.m_identifier)
+        return false;
+
+    if (m_identifier && (m_identifier != other.m_identifier))
+        return false;
+
</ins><span class="cx">     if (m_offset != other.m_offset)
</span><span class="cx">         return false;
</span><span class="cx"> 
</span><span class="lines">@@ -89,13 +98,13 @@
</span><span class="cx"> 
</span><span class="cx"> void InByIdVariant::dumpInContext(PrintStream& out, DumpContext* context) const
</span><span class="cx"> {
</span><ins>+    out.print("<id='", m_identifier, "', ");
</ins><span class="cx">     if (!isSet()) {
</span><del>-        out.print("<empty>");
</del><ins>+        out.print("empty>");
</ins><span class="cx">         return;
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    out.print(
-        "<", inContext(structureSet(), context), ", ", inContext(m_conditionSet, context));
</del><ins>+    out.print(inContext(structureSet(), context), ", ", inContext(m_conditionSet, context));
</ins><span class="cx">     out.print(", offset = ", offset());
</span><span class="cx">     out.print(">");
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeInByIdVarianth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/InByIdVariant.h (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/InByIdVariant.h     2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/bytecode/InByIdVariant.h        2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -26,6 +26,7 @@
</span><span class="cx"> 
</span><span class="cx"> #pragma once
</span><span class="cx"> 
</span><ins>+#include "CacheableIdentifier.h"
</ins><span class="cx"> #include "ObjectPropertyConditionSet.h"
</span><span class="cx"> #include "PropertyOffset.h"
</span><span class="cx"> #include "StructureSet.h"
</span><span class="lines">@@ -35,13 +36,13 @@
</span><span class="cx"> class GetterSetter;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-class InByIdStatus;
</del><ins>+class InByStatus;
</ins><span class="cx"> struct DumpContext;
</span><span class="cx"> 
</span><span class="cx"> class InByIdVariant {
</span><span class="cx">     WTF_MAKE_FAST_ALLOCATED;
</span><span class="cx"> public:
</span><del>-    InByIdVariant(const StructureSet& = StructureSet(), PropertyOffset = invalidOffset, const ObjectPropertyConditionSet& = ObjectPropertyConditionSet());
</del><ins>+    InByIdVariant(CacheableIdentifier, const StructureSet& = StructureSet(), PropertyOffset = invalidOffset, const ObjectPropertyConditionSet& = ObjectPropertyConditionSet());
</ins><span class="cx"> 
</span><span class="cx">     bool isSet() const { return !!m_structureSet.size(); }
</span><span class="cx">     explicit operator bool() const { return isSet(); }
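Review bot: the new InByIdVariant constructor has one required parameter (CacheableIdentifier) followed by three defaulted ones, so it doubles as an implicit conversion from CacheableIdentifier to InByIdVariant. Marking it explicit would keep an identifier from silently becoming an empty variant at a call site; the one-argument use visible in InByStatus.cpp, InByIdVariant variant(WTFMove(identifier)), is direct initialization and would still compile.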
</span><span class="lines">@@ -63,17 +64,26 @@
</span><span class="cx">     void dump(PrintStream&) const;
</span><span class="cx">     void dumpInContext(PrintStream&, DumpContext*) const;
</span><span class="cx"> 
</span><ins>+    CacheableIdentifier identifier() const { return m_identifier; }
+
</ins><span class="cx">     bool overlaps(const InByIdVariant& other)
</span><span class="cx">     {
</span><ins>+        if (!!m_identifier != !!other.m_identifier)
+            return true;
+        if (m_identifier) {
+            if (m_identifier != other.m_identifier)
+                return false;
+        }
</ins><span class="cx">         return structureSet().overlaps(other.structureSet());
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx"> private:
</span><del>-    friend class InByIdStatus;
</del><ins>+    friend class InByStatus;
</ins><span class="cx"> 
</span><span class="cx">     StructureSet m_structureSet;
</span><span class="cx">     ObjectPropertyConditionSet m_conditionSet;
</span><span class="cx">     PropertyOffset m_offset;
</span><ins>+    CacheableIdentifier m_identifier;
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
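Review bot: in overlaps(), the case where exactly one side has an identifier returns true, while two different non-null identifiers return false, and attemptToMerge() in InByIdVariant.cpp refuses to merge in both situations. The conservative answer for the mixed case looks intentional, but it is not obvious from the code; a one-line comment saying so would stop a later cleanup from "fixing" it to return false. The null and mismatch tests are also duplicated between the two functions and could share a small helper, and overlaps() could be declared const since it only reads members.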
<a id="trunkSourceJavaScriptCorebytecodeInByStatuscppfromrev278444trunkSourceJavaScriptCorebytecodeInByIdStatuscpp"></a>
<div class="copfile"><h4>Copied: trunk/Source/JavaScriptCore/bytecode/InByStatus.cpp (from rev 278444, trunk/Source/JavaScriptCore/bytecode/InByIdStatus.cpp) (0 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/InByStatus.cpp                              (rev 0)
+++ trunk/Source/JavaScriptCore/bytecode/InByStatus.cpp 2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -0,0 +1,306 @@
</span><ins>+/*
+ * Copyright (C) 2018 Yusuke Suzuki <utatane.tea@gmail.com>.
+ * Copyright (C) 2018-2021 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "InByStatus.h"
+
+#include "CacheableIdentifierInlines.h"
+#include "CodeBlock.h"
+#include "ComplexGetStatus.h"
+#include "ICStatusUtils.h"
+#include "PolymorphicAccess.h"
+#include "StructureStubInfo.h"
+#include <wtf/ListDump.h>
+
+namespace JSC {
+
+bool InByStatus::appendVariant(const InByIdVariant& variant)
+{
+    return appendICStatusVariant(m_variants, variant);
+}
+
+void InByStatus::shrinkToFit()
+{
+    m_variants.shrinkToFit();
+}
+
+#if ENABLE(JIT)
+InByStatus InByStatus::computeFor(CodeBlock* profiledBlock, ICStatusMap& map, BytecodeIndex bytecodeIndex, ExitFlag didExit)
+{
+    ConcurrentJSLocker locker(profiledBlock->m_lock);
+
+    InByStatus result;
+
+#if ENABLE(DFG_JIT)
+    result = computeForStubInfoWithoutExitSiteFeedback(locker, profiledBlock->vm(), map.get(CodeOrigin(bytecodeIndex)).stubInfo);
+
+    if (!result.takesSlowPath() && didExit)
+        return InByStatus(TakesSlowPath);
+#else
+    UNUSED_PARAM(map);
+    UNUSED_PARAM(bytecodeIndex);
+    UNUSED_PARAM(didExit);
+#endif
+
+    return result;
+}
+
+InByStatus InByStatus::computeFor(CodeBlock* profiledBlock, ICStatusMap& map, BytecodeIndex bytecodeIndex)
+{
+    return computeFor(profiledBlock, map, bytecodeIndex, hasBadCacheExitSite(profiledBlock, bytecodeIndex));
+}
+
+InByStatus InByStatus::computeFor(
+    CodeBlock* profiledBlock, ICStatusMap& baselineMap,
+    ICStatusContextStack& contextStack, CodeOrigin codeOrigin)
+{
+    BytecodeIndex bytecodeIndex = codeOrigin.bytecodeIndex();
+    ExitFlag didExit = hasBadCacheExitSite(profiledBlock, bytecodeIndex);
+    
+    for (ICStatusContext* context : contextStack) {
+        ICStatus status = context->get(codeOrigin);
+        
+        auto bless = [&] (const InByStatus& result) -> InByStatus {
+            if (!context->isInlined(codeOrigin)) {
+                InByStatus baselineResult = computeFor(
+                    profiledBlock, baselineMap, bytecodeIndex, didExit);
+                baselineResult.merge(result);
+                return baselineResult;
+            }
+            if (didExit.isSet(ExitFromInlined))
+                return InByStatus(TakesSlowPath);
+            return result;
+        };
+        
+#if ENABLE(DFG_JIT)
+        if (status.stubInfo) {
+            InByStatus result;
+            {
+                ConcurrentJSLocker locker(context->optimizedCodeBlock->m_lock);
+                result = computeForStubInfoWithoutExitSiteFeedback(locker, profiledBlock->vm(), status.stubInfo);
+            }
+            if (result.isSet())
+                return bless(result);
+        }
+#endif
+        
+        if (status.inStatus)
+            return bless(*status.inStatus);
+    }
+    
+    return computeFor(profiledBlock, baselineMap, bytecodeIndex, didExit);
+}
+#endif // ENABLE(JIT)
+
+#if ENABLE(DFG_JIT)
+InByStatus InByStatus::computeForStubInfo(const ConcurrentJSLocker& locker, CodeBlock* profiledBlock, StructureStubInfo* stubInfo, CodeOrigin codeOrigin)
+{
+    InByStatus result = InByStatus::computeForStubInfoWithoutExitSiteFeedback(locker, profiledBlock->vm(), stubInfo);
+
+    if (!result.takesSlowPath() && hasBadCacheExitSite(profiledBlock, codeOrigin.bytecodeIndex()))
+        return InByStatus(TakesSlowPath);
+    return result;
+}
+
+InByStatus InByStatus::computeForStubInfoWithoutExitSiteFeedback(const ConcurrentJSLocker&, VM& vm, StructureStubInfo* stubInfo)
+{
+    StubInfoSummary summary = StructureStubInfo::summary(vm, stubInfo);
+    if (!isInlineable(summary))
+        return InByStatus(summary);
+    
+    // Finally figure out if we can derive an access strategy.
+    InByStatus result;
+    result.m_state = Simple;
+    switch (stubInfo->cacheType()) {
+    case CacheType::Unset:
+        return InByStatus(NoInformation);
+
+    case CacheType::InByIdSelf: {
+        Structure* structure = stubInfo->u.byIdSelf.baseObjectStructure.get();
+        if (structure->takesSlowPathInDFGForImpureProperty())
+            return InByStatus(TakesSlowPath);
+        CacheableIdentifier identifier = stubInfo->identifier();
+        UniquedStringImpl* uid = identifier.uid();
+        RELEASE_ASSERT(uid);
+        InByIdVariant variant(WTFMove(identifier));
+        unsigned attributes;
+        variant.m_offset = structure->getConcurrently(uid, attributes);
+        if (!isValidOffset(variant.m_offset))
+            return InByStatus(TakesSlowPath);
+        if (attributes & PropertyAttribute::CustomAccessorOrValue)
+            return InByStatus(TakesSlowPath);
+
+        variant.m_structureSet.add(structure);
+        bool didAppend = result.appendVariant(variant);
+        ASSERT_UNUSED(didAppend, didAppend);
+        return result;
+    }
+
+    case CacheType::Stub: {
+        PolymorphicAccess* list = stubInfo->u.stub;
+        for (unsigned listIndex = 0; listIndex < list->size(); ++listIndex) {
+            const AccessCase& access = list->at(listIndex);
+            if (access.viaProxy())
+                return InByStatus(TakesSlowPath);
+
+            if (access.usesPolyProto())
+                return InByStatus(TakesSlowPath);
+
+            Structure* structure = access.structure();
+            if (!structure) {
+                // The null structure cases arise due to array.length. We have no way of creating a
+                // InByIdVariant for those, and we don't really have to since the DFG handles those
+                // cases in FixupPhase using value profiling. That's a bit awkward - we shouldn't
+                // have to use value profiling to discover something that the AccessCase could have
+                // told us. But, it works well enough. So, our only concern here is to not
+                // crash on null structure.
+                return InByStatus(TakesSlowPath);
+            }
+
+            ComplexGetStatus complexGetStatus = ComplexGetStatus::computeFor(structure, access.conditionSet(), access.uid());
+            switch (complexGetStatus.kind()) {
+            case ComplexGetStatus::ShouldSkip:
+                continue;
+
+            case ComplexGetStatus::TakesSlowPath:
+                return InByStatus(TakesSlowPath);
+
+            case ComplexGetStatus::Inlineable: {
+                switch (access.type()) {
+                case AccessCase::InHit:
+                case AccessCase::InMiss:
+                    break;
+                default:
+                    return InByStatus(TakesSlowPath);
+                }
+
+                InByIdVariant variant(
+                    access.identifier(), StructureSet(structure), complexGetStatus.offset(),
+                    complexGetStatus.conditionSet());
+
+                if (!result.appendVariant(variant))
+                    return InByStatus(TakesSlowPath);
+                break;
+            }
+            }
+        }
+
+        result.shrinkToFit();
+        return result;
+    }
+
+    default:
+        return InByStatus(TakesSlowPath);
+    }
+
+    RELEASE_ASSERT_NOT_REACHED();
+    return InByStatus();
+}
+#endif
+
+void InByStatus::merge(const InByStatus& other)
+{
+    if (other.m_state == NoInformation)
+        return;
+    
+    switch (m_state) {
+    case NoInformation:
+        *this = other;
+        return;
+        
+    case Simple:
+        if (other.m_state != Simple) {
+            *this = InByStatus(TakesSlowPath);
+            return;
+        }
+        for (const InByIdVariant& otherVariant : other.m_variants) {
+            if (!appendVariant(otherVariant)) {
+                *this = InByStatus(TakesSlowPath);
+                return;
+            }
+        }
+        shrinkToFit();
+        return;
+        
+    case TakesSlowPath:
+        return;
+    }
+    
+    RELEASE_ASSERT_NOT_REACHED();
+}
+
+void InByStatus::filter(const StructureSet& structureSet)
+{
+    if (m_state != Simple)
+        return;
+    filterICStatusVariants(m_variants, structureSet);
+    if (m_variants.isEmpty())
+        m_state = NoInformation;
+}
+
+template<typename Visitor>
+void InByStatus::markIfCheap(Visitor& visitor)
+{
+    for (InByIdVariant& variant : m_variants)
+        variant.markIfCheap(visitor);
+}
+
+template void InByStatus::markIfCheap(AbstractSlotVisitor&);
+template void InByStatus::markIfCheap(SlotVisitor&);
+
+bool InByStatus::finalize(VM& vm)
+{
+    for (InByIdVariant& variant : m_variants) {
+        if (!variant.finalize(vm))
+            return false;
+    }
+    return true;
+}
+
+CacheableIdentifier InByStatus::singleIdentifier() const
+{
+    return singleIdentifierForICStatus(m_variants);
+}
+
+void InByStatus::dump(PrintStream& out) const
+{
+    out.print("(");
+    switch (m_state) {
+    case NoInformation:
+        out.print("NoInformation");
+        break;
+    case Simple:
+        out.print("Simple");
+        break;
+    case TakesSlowPath:
+        out.print("TakesSlowPath");
+        break;
+    }
+    out.print(", ", listDump(m_variants), ")");
+}
+
+} // namespace JSC
+
</ins></span></pre></div>
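Review bot: computeForStubInfoWithoutExitSiteFeedback() checks the identifier in only one of its two paths. The CacheType::InByIdSelf case has RELEASE_ASSERT(uid) before calling getConcurrently(), but the CacheType::Stub loop passes access.uid() to ComplexGetStatus::computeFor() and access.identifier() to the InByIdVariant constructor with no equivalent check. Now that the uid parameter is gone and the identifier comes from each AccessCase, please either return InByStatus(TakesSlowPath) when access.identifier() is null or add a comment stating why an InHit or InMiss case can never carry a null identifier. The null-structure comment in the same loop still explains itself in terms of array.length and FixupPhase value profiling; since this file is a copy, it is worth confirming that explanation applies to in caches and rewording it if not.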
<a id="trunkSourceJavaScriptCorebytecodeInByStatushfromrev278444trunkSourceJavaScriptCorebytecodeInByIdStatush"></a>
<div class="copfile"><h4>Copied: trunk/Source/JavaScriptCore/bytecode/InByStatus.h (from rev 278444, trunk/Source/JavaScriptCore/bytecode/InByIdStatus.h) (0 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/InByStatus.h                                (rev 0)
+++ trunk/Source/JavaScriptCore/bytecode/InByStatus.h   2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -0,0 +1,125 @@
</span><ins>+/*
+ * Copyright (C) 2018 Yusuke Suzuki <utatane.tea@gmail.com>.
+ * Copyright (C) 2018-2021 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include "CallLinkStatus.h"
+#include "CodeOrigin.h"
+#include "ConcurrentJSLock.h"
+#include "ICStatusMap.h"
+#include "InByIdVariant.h"
+#include "StubInfoSummary.h"
+
+namespace JSC {
+
+class AccessCase;
+class CodeBlock;
+class StructureStubInfo;
+
+class InByStatus final {
+    WTF_MAKE_FAST_ALLOCATED;
+public:
+    enum State {
+        // It's uncached so we have no information.
+        NoInformation,
+        // It's cached for a simple access to a known object property with
+        // a possible structure chain and a possible specific value.
+        Simple,
+        // It's known to often take slow path.
+        TakesSlowPath,
+    };
+
+    InByStatus() = default;
+
+    InByStatus(State state)
+        : m_state(state)
+    {
+        ASSERT(state != Simple);
+    }
+
+    explicit InByStatus(StubInfoSummary summary)
+    {
+        switch (summary) {
+        case StubInfoSummary::NoInformation:
+            m_state = NoInformation;
+            return;
+        case StubInfoSummary::Simple:
+        case StubInfoSummary::MakesCalls:
+            RELEASE_ASSERT_NOT_REACHED();
+            return;
+        case StubInfoSummary::TakesSlowPath:
+        case StubInfoSummary::TakesSlowPathAndMakesCalls:
+            m_state = TakesSlowPath;
+            return;
+        }
+        RELEASE_ASSERT_NOT_REACHED();
+    }
+    
+    static InByStatus computeFor(CodeBlock*, ICStatusMap&, BytecodeIndex);
+    static InByStatus computeFor(CodeBlock*, ICStatusMap&, BytecodeIndex, ExitFlag);
+    static InByStatus computeFor(CodeBlock* baselineBlock, ICStatusMap& baselineMap, ICStatusContextStack&, CodeOrigin);
+
+#if ENABLE(DFG_JIT)
+    static InByStatus computeForStubInfo(const ConcurrentJSLocker&, CodeBlock* baselineBlock, StructureStubInfo*, CodeOrigin);
+#endif
+
+    State state() const { return m_state; }
+
+    bool isSet() const { return m_state != NoInformation; }
+    explicit operator bool() const { return isSet(); }
+    bool isSimple() const { return m_state == Simple; }
+
+    size_t numVariants() const { return m_variants.size(); }
+    const Vector<InByIdVariant, 1>& variants() const { return m_variants; }
+    const InByIdVariant& at(size_t index) const { return m_variants[index]; }
+    const InByIdVariant& operator[](size_t index) const { return at(index); }
+
+    bool takesSlowPath() const { return m_state == TakesSlowPath; }
+    
+    void merge(const InByStatus&);
+
+    // Attempts to reduce the set of variants to fit the given structure set. This may be approximate.
+    void filter(const StructureSet&);
+    
+    template<typename Visitor> void markIfCheap(Visitor&);
+    bool finalize(VM&);
+
+    void dump(PrintStream&) const;
+
+    CacheableIdentifier singleIdentifier() const;
+
+private:
+#if ENABLE(DFG_JIT)
+    static InByStatus computeForStubInfoWithoutExitSiteFeedback(const ConcurrentJSLocker&, VM&, StructureStubInfo*);
+#endif
+    bool appendVariant(const InByIdVariant&);
+    void shrinkToFit();
+
+    State m_state { NoInformation };
+    Vector<InByIdVariant, 1> m_variants;
+};
+
+} // namespace JSC
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeRecordedStatusescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/RecordedStatuses.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/RecordedStatuses.cpp        2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/bytecode/RecordedStatuses.cpp   2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -70,10 +70,10 @@
</span><span class="cx">     return result;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-InByIdStatus* RecordedStatuses::addInByIdStatus(const CodeOrigin& codeOrigin, const InByIdStatus& status)
</del><ins>+InByStatus* RecordedStatuses::addInByStatus(const CodeOrigin& codeOrigin, const InByStatus& status)
</ins><span class="cx"> {
</span><del>-    auto statusPtr = makeUnique<InByIdStatus>(status);
-    InByIdStatus* result = statusPtr.get();
</del><ins>+    auto statusPtr = makeUnique<InByStatus>(status);
+    InByStatus* result = statusPtr.get();
</ins><span class="cx">     ins.append(std::make_pair(codeOrigin, WTFMove(statusPtr)));
</span><span class="cx">     return result;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeRecordedStatusesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/RecordedStatuses.h (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/RecordedStatuses.h  2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/bytecode/RecordedStatuses.h     2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -29,7 +29,7 @@
</span><span class="cx"> #include "CheckPrivateBrandStatus.h"
</span><span class="cx"> #include "DeleteByStatus.h"
</span><span class="cx"> #include "GetByStatus.h"
</span><del>-#include "InByIdStatus.h"
</del><ins>+#include "InByStatus.h"
</ins><span class="cx"> #include "PutByIdStatus.h"
</span><span class="cx"> #include "SetPrivateBrandStatus.h"
</span><span class="cx"> 
</span><span class="lines">@@ -49,7 +49,7 @@
</span><span class="cx">     CallLinkStatus* addCallLinkStatus(const CodeOrigin&, const CallLinkStatus&);
</span><span class="cx">     GetByStatus* addGetByStatus(const CodeOrigin&, const GetByStatus&);
</span><span class="cx">     PutByIdStatus* addPutByIdStatus(const CodeOrigin&, const PutByIdStatus&);
</span><del>-    InByIdStatus* addInByIdStatus(const CodeOrigin&, const InByIdStatus&);
</del><ins>+    InByStatus* addInByStatus(const CodeOrigin&, const InByStatus&);
</ins><span class="cx">     DeleteByStatus* addDeleteByStatus(const CodeOrigin&, const DeleteByStatus&);
</span><span class="cx">     CheckPrivateBrandStatus* addCheckPrivateBrandStatus(const CodeOrigin&, const CheckPrivateBrandStatus&);
</span><span class="cx">     SetPrivateBrandStatus* addSetPrivateBrandStatus(const CodeOrigin&, const SetPrivateBrandStatus&);
</span><span class="lines">@@ -77,7 +77,7 @@
</span><span class="cx">     Vector<std::pair<CodeOrigin, std::unique_ptr<CallLinkStatus>>> calls;
</span><span class="cx">     Vector<std::pair<CodeOrigin, std::unique_ptr<GetByStatus>>> gets;
</span><span class="cx">     Vector<std::pair<CodeOrigin, std::unique_ptr<PutByIdStatus>>> puts;
</span><del>-    Vector<std::pair<CodeOrigin, std::unique_ptr<InByIdStatus>>> ins;
</del><ins>+    Vector<std::pair<CodeOrigin, std::unique_ptr<InByStatus>>> ins;
</ins><span class="cx">     Vector<std::pair<CodeOrigin, std::unique_ptr<DeleteByStatus>>> deletes;
</span><span class="cx">     Vector<std::pair<CodeOrigin, std::unique_ptr<CheckPrivateBrandStatus>>> checkPrivateBrands;
</span><span class="cx">     Vector<std::pair<CodeOrigin, std::unique_ptr<SetPrivateBrandStatus>>> setPrivateBrands;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeSetPrivateBrandStatuscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/SetPrivateBrandStatus.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/SetPrivateBrandStatus.cpp   2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/bytecode/SetPrivateBrandStatus.cpp      2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -226,20 +226,7 @@
</span><span class="cx"> 
</span><span class="cx"> CacheableIdentifier SetPrivateBrandStatus::singleIdentifier() const
</span><span class="cx"> {
</span><del>-    if (m_variants.isEmpty())
-        return nullptr;
-
-    CacheableIdentifier result = m_variants.first().identifier();
-    if (!result)
-        return nullptr;
-    for (size_t i = 1; i < m_variants.size(); ++i) {
-        CacheableIdentifier identifier = m_variants[i].identifier();
-        if (!identifier)
-            return nullptr;
-        if (identifier != result)
-            return nullptr;
-    }
-    return result;
</del><ins>+    return singleIdentifierForICStatus(m_variants);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> template<typename Visitor>
</span></span></pre></div>
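Review bot: the removed loop in SetPrivateBrandStatus::singleIdentifier() returned nullptr for an empty variant list, for any variant with a null identifier, and for any mismatch between variants, and the replacement singleIdentifierForICStatus(m_variants) is not defined in this file's diff. Please make sure the shared helper keeps all three of those null results, since InByStatus::singleIdentifier() now depends on it as well, and consider a short comment on the helper listing them.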
<a id="trunkSourceJavaScriptCorebytecodeStructureStubInfocpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.cpp       2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.cpp  2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -272,9 +272,12 @@
</span><span class="cx">     case AccessType::Put:
</span><span class="cx">         resetPutByID(codeBlock, *this);
</span><span class="cx">         break;
</span><del>-    case AccessType::In:
-        resetInByID(codeBlock, *this);
</del><ins>+    case AccessType::InById:
+        resetInBy(codeBlock, *this, InByKind::Normal);
</ins><span class="cx">         break;
</span><ins>+    case AccessType::InByVal:
+        resetInBy(codeBlock, *this, InByKind::NormalByVal);
+        break;
</ins><span class="cx">     case AccessType::InstanceOf:
</span><span class="cx">         resetInstanceOf(*this);
</span><span class="cx">         break;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeStructureStubInfoh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.h (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.h 2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.h    2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -55,7 +55,8 @@
</span><span class="cx">     TryGetById,
</span><span class="cx">     GetByVal,
</span><span class="cx">     Put,
</span><del>-    In,
</del><ins>+    InById,
+    InByVal,
</ins><span class="cx">     InstanceOf,
</span><span class="cx">     DeleteByID,
</span><span class="cx">     DeleteByVal,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h  2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h     2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -4439,7 +4439,7 @@
</span><span class="cx">     case FilterCallLinkStatus:
</span><span class="cx">     case FilterGetByStatus:
</span><span class="cx">     case FilterPutByIdStatus:
</span><del>-    case FilterInByIdStatus:
</del><ins>+    case FilterInByStatus:
</ins><span class="cx">     case FilterDeleteByStatus:
</span><span class="cx">     case FilterCheckPrivateBrandStatus:
</span><span class="cx">     case FilterSetPrivateBrandStatus:
</span><span class="lines">@@ -4610,10 +4610,10 @@
</span><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx">         
</span><del>-    case FilterInByIdStatus: {
</del><ins>+    case FilterInByStatus: {
</ins><span class="cx">         AbstractValue& value = forNode(node->child1());
</span><span class="cx">         if (value.m_structure.isFinite())
</span><del>-            node->inByIdStatus()->filter(value.m_structure.toStructureSet());
</del><ins>+            node->inByStatus()->filter(value.m_structure.toStructureSet());
</ins><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx">         
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGArgumentsEliminationPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp 2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp    2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -404,7 +404,7 @@
</span><span class="cx">                 case FilterGetByStatus:
</span><span class="cx">                 case FilterPutByIdStatus:
</span><span class="cx">                 case FilterCallLinkStatus:
</span><del>-                case FilterInByIdStatus:
</del><ins>+                case FilterInByStatus:
</ins><span class="cx">                 case FilterDeleteByStatus:
</span><span class="cx">                 case FilterCheckPrivateBrandStatus:
</span><span class="cx">                 case FilterSetPrivateBrandStatus:
</span><span class="lines">@@ -1267,7 +1267,7 @@
</span><span class="cx">                 case FilterGetByStatus:
</span><span class="cx">                 case FilterPutByIdStatus:
</span><span class="cx">                 case FilterCallLinkStatus:
</span><del>-                case FilterInByIdStatus:
</del><ins>+                case FilterInByStatus:
</ins><span class="cx">                 case FilterDeleteByStatus:
</span><span class="cx">                 case FilterCheckPrivateBrandStatus:
</span><span class="cx">                 case FilterSetPrivateBrandStatus: {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp    2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp       2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -55,7 +55,7 @@
</span><span class="cx"> #include "GetByStatus.h"
</span><span class="cx"> #include "GetterSetter.h"
</span><span class="cx"> #include "Heap.h"
</span><del>-#include "InByIdStatus.h"
</del><ins>+#include "InByStatus.h"
</ins><span class="cx"> #include "InstanceOfStatus.h"
</span><span class="cx"> #include "JSArrayIterator.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="lines">@@ -263,7 +263,9 @@
</span><span class="cx"> 
</span><span class="cx">     void handleDeleteById(
</span><span class="cx">         VirtualRegister destination, Node* base, CacheableIdentifier, unsigned identifierNumber, DeleteByStatus, ECMAMode);
</span><del>-    
</del><ins>+
+    void handleInById(VirtualRegister destination, Node* base, CacheableIdentifier, InByStatus);
+
</ins><span class="cx">     // Either register a watchpoint or emit a check for this condition. Returns false if the
</span><span class="cx">     // condition no longer holds, and therefore no reasonable check can be emitted.
</span><span class="cx">     bool check(const ObjectPropertyCondition&);
</span><span class="lines">@@ -4928,6 +4930,35 @@
</span><span class="cx">     return;
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void ByteCodeParser::handleInById(VirtualRegister destination, Node* base, CacheableIdentifier identifier, InByStatus status)
+{
+    if (status.isSimple() && Options::useAccessInlining()) {
+        bool allOK = true;
+        MatchStructureData* data = m_graph.m_matchStructureData.add();
+        for (const InByIdVariant& variant : status.variants()) {
+            if (!check(variant.conditionSet())) {
+                allOK = false;
+                break;
+            }
+            for (Structure* structure : variant.structureSet()) {
+                MatchStructureVariant matchVariant;
+                matchVariant.structure = m_graph.registerStructure(structure);
+                matchVariant.result = variant.isHit();
+
+                data->variants.append(WTFMove(matchVariant));
+            }
+        }
+
+        if (allOK) {
+            addToGraph(FilterInByStatus, OpInfo(m_graph.m_plan.recordedStatuses().addInByStatus(currentCodeOrigin(), status)), base);
+            set(destination, addToGraph(MatchStructure, OpInfo(data), base));
+            return;
+        }
+    }
+
+    set(destination, addToGraph(InById, OpInfo(identifier), base));
+}
+
</ins><span class="cx"> void ByteCodeParser::emitPutById(
</span><span class="cx">     Node* base, CacheableIdentifier identifier, Node* value, const PutByIdStatus& putByIdStatus, bool isDirect, ECMAMode ecmaMode)
</span><span class="cx"> {
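Review bot: handleInById takes InByStatus by value in its signature, so every call from op_in_by_id and op_in_by_val copies the status together with its variants before it is handed on to addInByStatus; emitPutById directly below takes const PutByIdStatus&amp;, and a const reference would work here too. Separately, m_graph.m_matchStructureData.add() runs before the variant loop, so when check(variant.conditionSet()) fails the partly filled MatchStructureData stays in the graph unused. Allocating it only once allOK is known, or a comment saying the leftover entry is harmless, would make the bail-out path easier to audit.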
</span><span class="lines">@@ -8212,8 +8243,39 @@
</span><span class="cx"> 
</span><span class="cx">         case op_in_by_val: {
</span><span class="cx">             auto bytecode = currentInstruction->as<OpInByVal>();
</span><del>-            ArrayMode arrayMode = getArrayMode(bytecode.metadata(codeBlock).m_arrayProfile, Array::Read);
-            set(bytecode.m_dst, addToGraph(InByVal, OpInfo(arrayMode.asWord()), get(bytecode.m_base), get(bytecode.m_property)));
</del><ins>+            Node* base = get(bytecode.m_base);
+            Node* property = get(bytecode.m_property);
+            bool compiledAsInById = false;
+
+            if (!m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadIdent)
+                && !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadType)
+                && !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadConstantValue)) {
+
+                InByStatus status = InByStatus::computeFor(
+                    m_inlineStackTop->m_profiledBlock, m_inlineStackTop->m_baselineMap,
+                    m_icContextStack, currentCodeOrigin());
+
+                if (CacheableIdentifier identifier = status.singleIdentifier()) {
+                    UniquedStringImpl* uid = identifier.uid();
+                    m_graph.identifiers().ensure(uid);
+                    if (identifier.isCell()) {
+                        FrozenValue* frozen = m_graph.freezeStrong(identifier.cell());
+                        if (identifier.isSymbolCell())
+                            addToGraph(CheckIsConstant, OpInfo(frozen), property);
+                        else
+                            addToGraph(CheckIdent, OpInfo(uid), property);
+                    } else
+                        addToGraph(CheckIdent, OpInfo(uid), property);
+
+                    handleInById(bytecode.m_dst, base, identifier, status);
+                    compiledAsInById = true;
+                }
+            }
+
+            if (!compiledAsInById) {
+                ArrayMode arrayMode = getArrayMode(bytecode.metadata(codeBlock).m_arrayProfile, Array::Read);
+                set(bytecode.m_dst, addToGraph(InByVal, OpInfo(arrayMode.asWord()), base, property));
+            }
</ins><span class="cx">             NEXT_OPCODE(op_in_by_val);
</span><span class="cx">         }
</span><span class="cx"> 
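Review bot: in the op_in_by_val fast path, the nested branch under identifier.isCell() emits CheckIdent in two of its three arms and uses frozen only in the isSymbolCell() arm, which hides which guard protects which case. Consider making the CheckIsConstant case the only special one and falling through to a single CheckIdent otherwise, with a comment stating whether freezeStrong(identifier.cell()) is still needed for non-symbol cells for its side effect. A one-line comment on why exactly BadIdent, BadType and BadConstantValue gate this path would also help, since the result that handleInById produces is only valid while the property guard emitted here holds.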
</span><span class="lines">@@ -8222,39 +8284,10 @@
</span><span class="cx">             Node* base = get(bytecode.m_base);
</span><span class="cx">             unsigned identifierNumber = m_inlineStackTop->m_identifierRemap[bytecode.m_property];
</span><span class="cx">             UniquedStringImpl* uid = m_graph.identifiers()[identifierNumber];
</span><del>-
-            InByIdStatus status = InByIdStatus::computeFor(
-                m_inlineStackTop->m_profiledBlock,
-                m_inlineStackTop->m_baselineMap, m_icContextStack,
-                currentCodeOrigin(), uid);
-
-            if (status.isSimple() && Options::useAccessInlining()) {
-                bool allOK = true;
-                MatchStructureData* data = m_graph.m_matchStructureData.add();
-                for (const InByIdVariant& variant : status.variants()) {
-                    if (!check(variant.conditionSet())) {
-                        allOK = false;
-                        break;
-                    }
-                    for (Structure* structure : variant.structureSet()) {
-                        MatchStructureVariant matchVariant;
-                        matchVariant.structure = m_graph.registerStructure(structure);
-                        matchVariant.result = variant.isHit();
-
-                        data->variants.append(WTFMove(matchVariant));
-                    }
-                }
-
-                if (allOK) {
-                    addToGraph(FilterInByIdStatus, OpInfo(m_graph.m_plan.recordedStatuses().addInByIdStatus(currentCodeOrigin(), status)), base);
-
-                    Node* match = addToGraph(MatchStructure, OpInfo(data), base);
-                    set(bytecode.m_dst, match);
-                    NEXT_OPCODE(op_in_by_id);
-                }
-            }
-
-            set(bytecode.m_dst, addToGraph(InById, OpInfo(CacheableIdentifier::createFromIdentifierOwnedByCodeBlock(m_inlineStackTop->m_profiledBlock, uid)), base));
</del><ins>+            InByStatus status = InByStatus::computeFor(
+                m_inlineStackTop->m_profiledBlock, m_inlineStackTop->m_baselineMap,
+                m_icContextStack, currentCodeOrigin());
+            handleInById(bytecode.m_dst, base, CacheableIdentifier::createFromIdentifierOwnedByCodeBlock(m_inlineStackTop->m_profiledBlock, uid), status);
</ins><span class="cx">             NEXT_OPCODE(op_in_by_id);
</span><span class="cx">         }
</span><span class="cx">         
</span></span></pre></div>
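Review bot: the new InByStatus::computeFor call in op_in_by_id no longer receives uid, while the CacheableIdentifier passed to handleInById is still built from uid, so nothing in this hunk ties the recorded status to the identifier the bytecode names. Since the status can carry its own identifier (op_in_by_val reads status.singleIdentifier()), an ASSERT here that it is either empty or matches uid would document the invariant and catch a mismatched profile in debug builds.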
<a id="trunkSourceJavaScriptCoredfgDFGClobberizeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGClobberize.h (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGClobberize.h  2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/dfg/DFGClobberize.h     2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -504,7 +504,7 @@
</span><span class="cx">     case FilterCallLinkStatus:
</span><span class="cx">     case FilterGetByStatus:
</span><span class="cx">     case FilterPutByIdStatus:
</span><del>-    case FilterInByIdStatus:
</del><ins>+    case FilterInByStatus:
</ins><span class="cx">     case FilterDeleteByStatus:
</span><span class="cx">     case FilterCheckPrivateBrandStatus:
</span><span class="cx">     case FilterSetPrivateBrandStatus:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGClobbersExitStatecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGClobbersExitState.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGClobbersExitState.cpp 2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/dfg/DFGClobbersExitState.cpp    2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -82,7 +82,7 @@
</span><span class="cx">     case FilterCallLinkStatus:
</span><span class="cx">     case FilterGetByStatus:
</span><span class="cx">     case FilterPutByIdStatus:
</span><del>-    case FilterInByIdStatus:
</del><ins>+    case FilterInByStatus:
</ins><span class="cx">     case FilterDeleteByStatus:
</span><span class="cx">     case FilterCheckPrivateBrandStatus:
</span><span class="cx">     case FilterSetPrivateBrandStatus:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGDoesGCcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp    2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp       2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -249,7 +249,7 @@
</span><span class="cx">     case FilterCallLinkStatus:
</span><span class="cx">     case FilterGetByStatus:
</span><span class="cx">     case FilterPutByIdStatus:
</span><del>-    case FilterInByIdStatus:
</del><ins>+    case FilterInByStatus:
</ins><span class="cx">     case FilterDeleteByStatus:
</span><span class="cx">     case FilterCheckPrivateBrandStatus:
</span><span class="cx">     case FilterSetPrivateBrandStatus:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGFixupPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp        2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp   2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -2882,7 +2882,7 @@
</span><span class="cx">         case FilterCallLinkStatus:
</span><span class="cx">         case FilterGetByStatus:
</span><span class="cx">         case FilterPutByIdStatus:
</span><del>-        case FilterInByIdStatus:
</del><ins>+        case FilterInByStatus:
</ins><span class="cx">         case FilterDeleteByStatus:
</span><span class="cx">         case FilterCheckPrivateBrandStatus:
</span><span class="cx">         case FilterSetPrivateBrandStatus:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGGraphcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp     2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp        2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -383,8 +383,8 @@
</span><span class="cx">         out.print(comma, *node->callLinkStatus());
</span><span class="cx">     if (node->hasGetByStatus())
</span><span class="cx">         out.print(comma, *node->getByStatus());
</span><del>-    if (node->hasInByIdStatus())
-        out.print(comma, *node->inByIdStatus());
</del><ins>+    if (node->hasInByStatus())
+        out.print(comma, *node->inByStatus());
</ins><span class="cx">     if (node->hasPutByIdStatus())
</span><span class="cx">         out.print(comma, *node->putByIdStatus());
</span><span class="cx">     if (node->isJump())
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGJITCompilercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp       2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp  2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -255,6 +255,7 @@
</span><span class="cx">     finalizeInlineCaches(m_delByIds, linkBuffer);
</span><span class="cx">     finalizeInlineCaches(m_delByVals, linkBuffer);
</span><span class="cx">     finalizeInlineCaches(m_inByIds, linkBuffer);
</span><ins>+    finalizeInlineCaches(m_inByVals, linkBuffer);
</ins><span class="cx">     finalizeInlineCaches(m_instanceOfs, linkBuffer);
</span><span class="cx">     finalizeInlineCaches(m_privateBrandAccesses, linkBuffer);
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGJITCompilerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h 2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h    2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -214,6 +214,11 @@
</span><span class="cx">         m_inByIds.append(InlineCacheWrapper<JITInByIdGenerator>(gen, slowPath));
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    void addInByVal(const JITInByValGenerator& gen, SlowPathGenerator* slowPath)
+    {
+        m_inByVals.append(InlineCacheWrapper<JITInByValGenerator>(gen, slowPath));
+    }
+
</ins><span class="cx">     void addPrivateBrandAccess(const JITPrivateBrandAccessGenerator& gen, SlowPathGenerator* slowPath)
</span><span class="cx">     {
</span><span class="cx">         m_privateBrandAccesses.append(InlineCacheWrapper<JITPrivateBrandAccessGenerator>(gen, slowPath));
</span><span class="lines">@@ -353,6 +358,7 @@
</span><span class="cx">     Vector<InlineCacheWrapper<JITDelByIdGenerator>, 4> m_delByIds;
</span><span class="cx">     Vector<InlineCacheWrapper<JITDelByValGenerator>, 4> m_delByVals;
</span><span class="cx">     Vector<InlineCacheWrapper<JITInByIdGenerator>, 4> m_inByIds;
</span><ins>+    Vector<InlineCacheWrapper<JITInByValGenerator>, 4> m_inByVals;
</ins><span class="cx">     Vector<InlineCacheWrapper<JITInstanceOfGenerator>, 4> m_instanceOfs;
</span><span class="cx">     Vector<InlineCacheWrapper<JITPrivateBrandAccessGenerator>, 4> m_privateBrandAccesses;
</span><span class="cx">     Vector<JSCallRecord, 4> m_jsCalls;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGMayExitcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp   2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp      2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -107,7 +107,7 @@
</span><span class="cx">     case FilterCallLinkStatus:
</span><span class="cx">     case FilterGetByStatus:
</span><span class="cx">     case FilterPutByIdStatus:
</span><del>-    case FilterInByIdStatus:
</del><ins>+    case FilterInByStatus:
</ins><span class="cx">     case FilterDeleteByStatus:
</span><span class="cx">     case FilterCheckPrivateBrandStatus:
</span><span class="cx">     case FilterSetPrivateBrandStatus:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGNodeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNode.h (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNode.h        2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/dfg/DFGNode.h   2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -3109,15 +3109,15 @@
</span><span class="cx">         return m_opInfo.as<GetByStatus*>();
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    bool hasInByIdStatus()
</del><ins>+    bool hasInByStatus()
</ins><span class="cx">     {
</span><del>-        return op() == FilterInByIdStatus;
</del><ins>+        return op() == FilterInByStatus;
</ins><span class="cx">     }
</span><span class="cx">     
</span><del>-    InByIdStatus* inByIdStatus()
</del><ins>+    InByStatus* inByStatus()
</ins><span class="cx">     {
</span><del>-        ASSERT(hasInByIdStatus());
-        return m_opInfo.as<InByIdStatus*>();
</del><ins>+        ASSERT(hasInByStatus());
+        return m_opInfo.as<InByStatus*>();
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     bool hasPutByIdStatus()
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGNodeTypeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNodeType.h (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNodeType.h    2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/dfg/DFGNodeType.h       2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -546,7 +546,7 @@
</span><span class="cx">     /* Used to provide feedback to the IC profiler. */ \
</span><span class="cx">     macro(FilterCallLinkStatus, NodeMustGenerate) \
</span><span class="cx">     macro(FilterGetByStatus, NodeMustGenerate) \
</span><del>-    macro(FilterInByIdStatus, NodeMustGenerate) \
</del><ins>+    macro(FilterInByStatus, NodeMustGenerate) \
</ins><span class="cx">     macro(FilterPutByIdStatus, NodeMustGenerate) \
</span><span class="cx">     macro(FilterDeleteByStatus, NodeMustGenerate) \
</span><span class="cx">     macro(FilterCheckPrivateBrandStatus, NodeMustGenerate) \
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGObjectAllocationSinkingPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp      2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp 2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -1259,7 +1259,7 @@
</span><span class="cx">         case FilterCallLinkStatus:
</span><span class="cx">         case FilterGetByStatus:
</span><span class="cx">         case FilterPutByIdStatus:
</span><del>-        case FilterInByIdStatus:
</del><ins>+        case FilterInByStatus:
</ins><span class="cx">         case FilterDeleteByStatus:
</span><span class="cx">         case FilterCheckPrivateBrandStatus:
</span><span class="cx">         case FilterSetPrivateBrandStatus:
</span><span class="lines">@@ -2616,7 +2616,7 @@
</span><span class="cx">                 case FilterCallLinkStatus:
</span><span class="cx">                 case FilterGetByStatus:
</span><span class="cx">                 case FilterPutByIdStatus:
</span><del>-                case FilterInByIdStatus:
</del><ins>+                case FilterInByStatus:
</ins><span class="cx">                 case FilterDeleteByStatus:
</span><span class="cx">                 case FilterCheckPrivateBrandStatus:
</span><span class="cx">                 case FilterSetPrivateBrandStatus:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp        2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp   2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -1451,7 +1451,7 @@
</span><span class="cx">         case FilterCallLinkStatus:
</span><span class="cx">         case FilterGetByStatus:
</span><span class="cx">         case FilterPutByIdStatus:
</span><del>-        case FilterInByIdStatus:
</del><ins>+        case FilterInByStatus:
</ins><span class="cx">         case FilterDeleteByStatus:
</span><span class="cx">         case FilterCheckPrivateBrandStatus:
</span><span class="cx">         case FilterSetPrivateBrandStatus:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSafeToExecuteh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h       2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h  2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -361,7 +361,7 @@
</span><span class="cx">     case FilterCallLinkStatus:
</span><span class="cx">     case FilterGetByStatus:
</span><span class="cx">     case FilterPutByIdStatus:
</span><del>-    case FilterInByIdStatus:
</del><ins>+    case FilterInByStatus:
</ins><span class="cx">     case FilterDeleteByStatus:
</span><span class="cx">     case FilterCheckPrivateBrandStatus:
</span><span class="cx">     case FilterSetPrivateBrandStatus:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp    2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp       2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -1286,18 +1286,31 @@
</span><span class="cx"> {
</span><span class="cx">     SpeculateCellOperand base(this, node->child1());
</span><span class="cx">     JSValueOperand key(this, node->child2());
</span><ins>+    JSValueRegsTemporary result(this, Reuse, key);
</ins><span class="cx"> 
</span><span class="cx">     GPRReg baseGPR = base.gpr();
</span><del>-    JSValueRegs regs = key.jsValueRegs();
</del><ins>+    JSValueRegs keyRegs = key.jsValueRegs();
+    JSValueRegs resultRegs = result.regs();
</ins><span class="cx"> 
</span><span class="cx">     base.use();
</span><span class="cx">     key.use();
</span><span class="cx"> 
</span><del>-    flushRegisters();
-    JSValueRegsFlushedCallResult result(this);
-    JSValueRegs resultRegs = result.regs();
-    callOperation(operationInByVal, resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseGPR, regs);
-    m_jit.exceptionCheck();
</del><ins>+    CodeOrigin codeOrigin = node->origin.semantic;
+    CallSiteIndex callSite = m_jit.recordCallSiteAndGenerateExceptionHandlingOSRExitIfNeeded(codeOrigin, m_stream->size());
+    RegisterSet usedRegisters = this->usedRegisters();
+    JITInByValGenerator gen(
+        m_jit.codeBlock(), codeOrigin, callSite, usedRegisters,
+        JSValueRegs::payloadOnly(baseGPR), keyRegs, resultRegs);
+    gen.generateFastPath(m_jit);
+
+    auto slowPath = slowPathCall(
+        gen.slowPathJump(), this, operationInByValOptimize,
+        NeedToSpill, ExceptionCheckRequirement::CheckNeeded,
+        resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), gen.stubInfo(), nullptr, CCallHelpers::CellValue(baseGPR), keyRegs);
+
+    m_jit.addInByVal(gen, slowPath.get());
+    addSlowPathGenerator(WTFMove(slowPath));
+
</ins><span class="cx">     blessedBooleanResult(resultRegs.payloadGPR(), node, UseChildrenCalledExplicitly);
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
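Review bot: result is allocated with Reuse on key, so resultRegs may alias keyRegs, yet keyRegs is passed both to JITInByValGenerator and to the operationInByValOptimize slow-path call. Please confirm that the fast path never writes resultRegs before the slow-path jump is taken, or state that invariant in a comment next to the JSValueRegsTemporary line. Minor: the slowPathCall arguments still spell out node-&gt;origin.semantic although the codeOrigin local was just introduced, and the bare nullptr argument deserves a short comment naming the parameter it fills.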
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp       2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp  2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -4271,7 +4271,7 @@
</span><span class="cx">     case FilterCallLinkStatus:
</span><span class="cx">     case FilterGetByStatus:
</span><span class="cx">     case FilterPutByIdStatus:
</span><del>-    case FilterInByIdStatus:
</del><ins>+    case FilterInByStatus:
</ins><span class="cx">     case FilterDeleteByStatus:
</span><span class="cx">     case FilterCheckPrivateBrandStatus:
</span><span class="cx">     case FilterSetPrivateBrandStatus:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp  2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp     2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -5705,7 +5705,7 @@
</span><span class="cx">     case FilterCallLinkStatus:
</span><span class="cx">     case FilterGetByStatus:
</span><span class="cx">     case FilterPutByIdStatus:
</span><del>-    case FilterInByIdStatus:
</del><ins>+    case FilterInByStatus:
</ins><span class="cx">     case FilterDeleteByStatus:
</span><span class="cx">     case FilterCheckPrivateBrandStatus:
</span><span class="cx">     case FilterSetPrivateBrandStatus:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGVarargsForwardingPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGVarargsForwardingPhase.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGVarargsForwardingPhase.cpp    2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/dfg/DFGVarargsForwardingPhase.cpp       2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -198,7 +198,7 @@
</span><span class="cx">             case FilterGetByStatus:
</span><span class="cx">             case FilterPutByIdStatus:
</span><span class="cx">             case FilterCallLinkStatus:
</span><del>-            case FilterInByIdStatus:
</del><ins>+            case FilterInByStatus:
</ins><span class="cx">             case FilterDeleteByStatus:
</span><span class="cx">             case FilterCheckPrivateBrandStatus:
</span><span class="cx">             case FilterSetPrivateBrandStatus:
</span><span class="lines">@@ -423,7 +423,7 @@
</span><span class="cx">             case FilterGetByStatus:
</span><span class="cx">             case FilterPutByIdStatus:
</span><span class="cx">             case FilterCallLinkStatus:
</span><del>-            case FilterInByIdStatus:
</del><ins>+            case FilterInByStatus:
</ins><span class="cx">             case FilterDeleteByStatus:
</span><span class="cx">             case FilterCheckPrivateBrandStatus:
</span><span class="cx">             case FilterSetPrivateBrandStatus:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLCapabilitiescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp      2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp 2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -409,7 +409,7 @@
</span><span class="cx">     case FilterCallLinkStatus:
</span><span class="cx">     case FilterGetByStatus:
</span><span class="cx">     case FilterPutByIdStatus:
</span><del>-    case FilterInByIdStatus:
</del><ins>+    case FilterInByStatus:
</ins><span class="cx">     case FilterDeleteByStatus:
</span><span class="cx">     case FilterCheckPrivateBrandStatus:
</span><span class="cx">     case FilterSetPrivateBrandStatus:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp      2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -1652,7 +1652,7 @@
</span><span class="cx">         case FilterCallLinkStatus:
</span><span class="cx">         case FilterGetByStatus:
</span><span class="cx">         case FilterPutByIdStatus:
</span><del>-        case FilterInByIdStatus:
</del><ins>+        case FilterInByStatus:
</ins><span class="cx">         case FilterDeleteByStatus:
</span><span class="cx">         case FilterCheckPrivateBrandStatus:
</span><span class="cx">         case FilterSetPrivateBrandStatus:
</span><span class="lines">@@ -12213,13 +12213,7 @@
</span><span class="cx">         m_out.appendTo(continuation, lastNext);
</span><span class="cx">         setJSValue(m_out.phi(Int64, results));
</span><span class="cx">     }
</span><del>-    
-    void compileInByVal()
-    {
-        JSGlobalObject* globalObject = m_graph.globalObjectFor(m_origin.semantic);
-        setJSValue(vmCall(Int64, operationInByVal, weakPointer(globalObject), lowCell(m_node->child1()), lowJSValue(m_node->child2())));
-    }
-    
</del><ins>+
</ins><span class="cx">     void compileHasPrivateName()
</span><span class="cx">     {
</span><span class="cx">         JSGlobalObject* globalObject = m_graph.globalObjectFor(m_origin.semantic);
</span><span class="lines">@@ -12232,39 +12226,54 @@
</span><span class="cx">         setJSValue(vmCall(Int64, operationHasPrivateBrand, weakPointer(globalObject), lowCell(m_node->child1()), lowSymbol(m_node->child2())));
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    void compileInById()
</del><ins>+    template<InByKind kind, typename SubscriptKind>
+    void compileInBy(LValue base, SubscriptKind subscriptValue)
</ins><span class="cx">     {
</span><del>-        Node* node = m_node;
-        CacheableIdentifier identifier = node->cacheableIdentifier();
-        LValue base = lowCell(m_node->child1());
-
</del><span class="cx">         PatchpointValue* patchpoint = m_out.patchpoint(Int64);
</span><span class="cx">         patchpoint->appendSomeRegister(base);
</span><ins>+        if constexpr (kind != InByKind::Normal)
+            patchpoint->appendSomeRegister(subscriptValue);
</ins><span class="cx">         patchpoint->append(m_notCellMask, ValueRep::lateReg(GPRInfo::notCellMaskRegister));
</span><span class="cx">         patchpoint->append(m_numberTag, ValueRep::lateReg(GPRInfo::numberTagRegister));
</span><del>-
</del><span class="cx">         patchpoint->clobber(RegisterSet::macroScratchRegisters());
</span><span class="cx"> 
</span><del>-        RefPtr<PatchpointExceptionHandle> exceptionHandle =
-            preparePatchpointForExceptions(patchpoint);
</del><ins>+        RefPtr<PatchpointExceptionHandle> exceptionHandle = preparePatchpointForExceptions(patchpoint);
</ins><span class="cx"> 
</span><span class="cx">         State* state = &m_ftlState;
</span><ins>+        Node* node = m_node;
</ins><span class="cx">         patchpoint->setGenerator(
</span><span class="cx">             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</span><span class="cx">                 AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="cx"> 
</span><del>-                CallSiteIndex callSiteIndex =
-                    state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(node->origin.semantic);
</del><ins>+                CallSiteIndex callSiteIndex = state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(node->origin.semantic);
</ins><span class="cx"> 
</span><span class="cx">                 // This is the direct exit target for operation calls.
</span><del>-                Box<CCallHelpers::JumpList> exceptions =
-                    exceptionHandle->scheduleExitCreation(params)->jumps(jit);
</del><ins>+                Box<CCallHelpers::JumpList> exceptions = exceptionHandle->scheduleExitCreation(params)->jumps(jit);
</ins><span class="cx"> 
</span><del>-                auto generator = Box<JITInByIdGenerator>::create(
-                    jit.codeBlock(), node->origin.semantic, callSiteIndex,
-                    params.unavailableRegisters(), identifier, JSValueRegs(params[1].gpr()),
-                    JSValueRegs(params[0].gpr()));
</del><ins>+                auto returnGPR = params[0].gpr();
+                auto base = JSValueRegs(params[1].gpr());
</ins><span class="cx"> 
</span><ins>+                const auto subscript = [&] {
+                    if constexpr (kind == InByKind::Normal)
+                        return CCallHelpers::TrustedImmPtr(subscriptValue.rawBits());
+                    else
+                        return JSValueRegs(params[2].gpr());
+                }();
+
+                const auto generator = [&] {
+                    if constexpr (kind == InByKind::Normal) {
+                        return Box<JITInByIdGenerator>::create(
+                            jit.codeBlock(), node->origin.semantic, callSiteIndex,
+                            params.unavailableRegisters(), subscriptValue, base,
+                            JSValueRegs(returnGPR));
+                    } else {
+                        return Box<JITInByValGenerator>::create(
+                            jit.codeBlock(), node->origin.semantic, callSiteIndex,
+                            params.unavailableRegisters(), base, subscript,
+                            JSValueRegs(returnGPR));
+                    }
+                }();
+
</ins><span class="cx">                 generator->generateFastPath(jit);
</span><span class="cx">                 CCallHelpers::Label done = jit.label();
</span><span class="cx"> 
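Review bot: The else arms of the if constexpr (kind == InByKind::Normal) blocks in the subscript and generator lambdas accept every kind other than Normal, reading params[2] and building a JITInByValGenerator. Add static_assert(kind == InByKind::NormalByVal) in each else arm so a later enumerator fails to compile instead of silently taking the by-val path. params[2] is positional, so it also depends on the by-val operand being appended to the patchpoint ahead of the late registers; that append is outside the lines shown here and is worth a comment at this use.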
</span><span class="lines">@@ -12274,12 +12283,22 @@
</span><span class="cx"> 
</span><span class="cx">                         generator->slowPathJump().link(&jit);
</span><span class="cx">                         CCallHelpers::Label slowPathBegin = jit.label();
</span><del>-                        CCallHelpers::Call slowPathCall = callOperation(
-                            *state, params.unavailableRegisters(), jit, node->origin.semantic,
-                            exceptions.get(), operationInByIdOptimize, params[0].gpr(),
-                            jit.codeBlock()->globalObjectFor(node->origin.semantic),
-                            CCallHelpers::TrustedImmPtr(generator->stubInfo()), params[1].gpr(),
-                            identifier.rawBits()).call();
</del><ins>+                        CCallHelpers::Call slowPathCall;
+                        if constexpr (kind == InByKind::Normal) {
+                            slowPathCall = callOperation(
+                                *state, params.unavailableRegisters(), jit, node->origin.semantic,
+                                exceptions.get(), operationInByIdOptimize, returnGPR,
+                                jit.codeBlock()->globalObjectFor(node->origin.semantic),
+                                CCallHelpers::TrustedImmPtr(generator->stubInfo()),
+                                base, subscript).call();
+                        } else {
+                            slowPathCall = callOperation(
+                                *state, params.unavailableRegisters(), jit, node->origin.semantic,
+                                exceptions.get(), operationInByValOptimize, returnGPR,
+                                jit.codeBlock()->globalObjectFor(node->origin.semantic),
+                                CCallHelpers::TrustedImmPtr(generator->stubInfo()),
+                                CCallHelpers::TrustedImmPtr(nullptr), base, subscript).call();
+                        }
</ins><span class="cx">                         jit.jump().linkTo(done, &jit);
</span><span class="cx"> 
</span><span class="cx">                         generator->reportSlowPathCall(slowPathBegin, slowPathCall);
</span><span class="lines">@@ -12294,6 +12313,16 @@
</span><span class="cx">         setJSValue(patchpoint);
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    void compileInById()
+    {
+        compileInBy<InByKind::Normal>(lowCell(m_node->child1()), m_node->cacheableIdentifier());
+    }
+
+    void compileInByVal()
+    {
+        compileInBy<InByKind::NormalByVal>(lowCell(m_node->child1()), lowJSValue(m_node->child2()));
+    }
+
</ins><span class="cx">     void compileHasOwnProperty()
</span><span class="cx">     {
</span><span class="cx">         JSGlobalObject* globalObject = m_graph.globalObjectFor(m_origin.semantic);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitICStatsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/ICStats.h (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/ICStats.h        2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/jit/ICStats.h   2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -43,6 +43,7 @@
</span><span class="cx">     macro(GetBySelfPatch) \
</span><span class="cx">     macro(InAddAccessCase) \
</span><span class="cx">     macro(InReplaceWithJump) \
</span><ins>+    macro(InReplaceWithGeneric) \
</ins><span class="cx">     macro(InstanceOfAddAccessCase) \
</span><span class="cx">     macro(InstanceOfReplaceWithJump) \
</span><span class="cx">     macro(OperationGetById) \
</span><span class="lines">@@ -52,7 +53,7 @@
</span><span class="cx">     macro(OperationGetByValOptimize) \
</span><span class="cx">     macro(OperationGetByIdWithThisOptimize) \
</span><span class="cx">     macro(OperationGenericIn) \
</span><del>-    macro(OperationInById) \
</del><ins>+    macro(OperationInByIdGeneric) \
</ins><span class="cx">     macro(OperationInByIdOptimize) \
</span><span class="cx">     macro(OperationPutByIdStrict) \
</span><span class="cx">     macro(OperationPutByIdNonStrict) \
</span></span></pre></div>
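Review bot: There is no ICEvent for the new by-val operations next to OperationInByIdGeneric and OperationInByIdOptimize in this list, and neither operationInByValOptimize nor operationInByValGeneric in JITOperations.cpp calls LOG_IC, so the only by-val in event that reaches IC stats from this change is InReplaceWithGeneric. Add OperationInByValOptimize and OperationInByValGeneric entries and log them the way operationInByIdGeneric logs OperationInByIdGeneric.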
<a id="trunkSourceJavaScriptCorejitJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JIT.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JIT.cpp  2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/jit/JIT.cpp     2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -285,7 +285,6 @@
</span><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         switch (opcodeID) {
</span><del>-        DEFINE_SLOW_OP(in_by_val)
</del><span class="cx">         DEFINE_SLOW_OP(has_private_name)
</span><span class="cx">         DEFINE_SLOW_OP(has_private_brand)
</span><span class="cx">         DEFINE_SLOW_OP(less)
</span><span class="lines">@@ -361,6 +360,7 @@
</span><span class="cx">         DEFINE_OP(op_beloweq)
</span><span class="cx">         DEFINE_OP(op_try_get_by_id)
</span><span class="cx">         DEFINE_OP(op_in_by_id)
</span><ins>+        DEFINE_OP(op_in_by_val)
</ins><span class="cx">         DEFINE_OP(op_get_by_id)
</span><span class="cx">         DEFINE_OP(op_get_by_id_with_this)
</span><span class="cx">         DEFINE_OP(op_get_by_id_direct)
</span><span class="lines">@@ -518,8 +518,9 @@
</span><span class="cx">     m_getByIdWithThisIndex = 0;
</span><span class="cx">     m_putByIdIndex = 0;
</span><span class="cx">     m_inByIdIndex = 0;
</span><ins>+    m_inByValIndex = 0;
+    m_delByIdIndex = 0;
</ins><span class="cx">     m_delByValIndex = 0;
</span><del>-    m_delByIdIndex = 0;
</del><span class="cx">     m_instanceOfIndex = 0;
</span><span class="cx">     m_privateBrandAccessIndex = 0;
</span><span class="cx">     m_byValInstructionIndex = 0;
</span><span class="lines">@@ -570,6 +571,7 @@
</span><span class="cx">         DEFINE_SLOWCASE_OP(op_eq)
</span><span class="cx">         DEFINE_SLOWCASE_OP(op_try_get_by_id)
</span><span class="cx">         DEFINE_SLOWCASE_OP(op_in_by_id)
</span><ins>+        DEFINE_SLOWCASE_OP(op_in_by_val)
</ins><span class="cx">         DEFINE_SLOWCASE_OP(op_get_by_id)
</span><span class="cx">         DEFINE_SLOWCASE_OP(op_get_by_id_with_this)
</span><span class="cx">         DEFINE_SLOWCASE_OP(op_get_by_id_direct)
</span><span class="lines">@@ -919,6 +921,7 @@
</span><span class="cx">     finalizeInlineCaches(m_delByIds, patchBuffer);
</span><span class="cx">     finalizeInlineCaches(m_delByVals, patchBuffer);
</span><span class="cx">     finalizeInlineCaches(m_inByIds, patchBuffer);
</span><ins>+    finalizeInlineCaches(m_inByVals, patchBuffer);
</ins><span class="cx">     finalizeInlineCaches(m_instanceOfs, patchBuffer);
</span><span class="cx">     finalizeInlineCaches(m_privateBrandAccesses, patchBuffer);
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JIT.h (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JIT.h    2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/jit/JIT.h       2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -565,6 +565,7 @@
</span><span class="cx">         void emit_op_get_argument_by_val(const Instruction*);
</span><span class="cx">         void emit_op_get_prototype_of(const Instruction*);
</span><span class="cx">         void emit_op_in_by_id(const Instruction*);
</span><ins>+        void emit_op_in_by_val(const Instruction*);
</ins><span class="cx">         void emit_op_init_lazy_reg(const Instruction*);
</span><span class="cx">         void emit_op_overrides_has_instance(const Instruction*);
</span><span class="cx">         void emit_op_instanceof(const Instruction*);
</span><span class="lines">@@ -698,6 +699,7 @@
</span><span class="cx">         void emitSlow_op_check_private_brand(const Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><span class="cx">         void emitSlow_op_get_argument_by_val(const Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><span class="cx">         void emitSlow_op_in_by_id(const Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><ins>+        void emitSlow_op_in_by_val(const Instruction*, Vector<SlowCaseEntry>::iterator&);
</ins><span class="cx">         void emitSlow_op_instanceof(const Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><span class="cx">         void emitSlow_op_instanceof_custom(const Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><span class="cx">         void emitSlow_op_jless(const Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><span class="lines">@@ -1037,6 +1039,7 @@
</span><span class="cx">         Vector<JITGetByIdWithThisGenerator> m_getByIdsWithThis;
</span><span class="cx">         Vector<JITPutByIdGenerator> m_putByIds;
</span><span class="cx">         Vector<JITInByIdGenerator> m_inByIds;
</span><ins>+        Vector<JITInByValGenerator> m_inByVals;
</ins><span class="cx">         Vector<JITDelByIdGenerator> m_delByIds;
</span><span class="cx">         Vector<JITDelByValGenerator> m_delByVals;
</span><span class="cx">         Vector<JITInstanceOfGenerator> m_instanceOfs;
</span><span class="lines">@@ -1063,6 +1066,7 @@
</span><span class="cx">         unsigned m_getByIdWithThisIndex { UINT_MAX };
</span><span class="cx">         unsigned m_putByIdIndex { UINT_MAX };
</span><span class="cx">         unsigned m_inByIdIndex { UINT_MAX };
</span><ins>+        unsigned m_inByValIndex { UINT_MAX };
</ins><span class="cx">         unsigned m_delByValIndex { UINT_MAX };
</span><span class="cx">         unsigned m_delByIdIndex { UINT_MAX };
</span><span class="cx">         unsigned m_instanceOfIndex { UINT_MAX };
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITInlineCacheGeneratorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp      2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp 2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -235,11 +235,39 @@
</span><span class="cx">         fastPath, slowPath, fastPath.locationOf<JITStubRoutinePtrTag>(m_start));
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-JITInByIdGenerator::JITInByIdGenerator(
-    CodeBlock* codeBlock, CodeOrigin codeOrigin, CallSiteIndex callSite, const RegisterSet& usedRegisters,
-    CacheableIdentifier propertyName, JSValueRegs base, JSValueRegs value)
-    : JITByIdGenerator(codeBlock, codeOrigin, callSite, AccessType::In, usedRegisters, base, value)
</del><ins>+JITInByValGenerator::JITInByValGenerator(CodeBlock* codeBlock, CodeOrigin codeOrigin, CallSiteIndex callSiteIndex, const RegisterSet& usedRegisters, JSValueRegs base, JSValueRegs property, JSValueRegs result)
+    : Base(codeBlock, codeOrigin, callSiteIndex, AccessType::InByVal, usedRegisters)
</ins><span class="cx"> {
</span><ins>+    m_stubInfo->hasConstantIdentifier = false;
+
+    m_stubInfo->baseGPR = base.payloadGPR();
+    m_stubInfo->regs.propertyGPR = property.payloadGPR();
+    m_stubInfo->valueGPR = result.payloadGPR();
+#if USE(JSVALUE32_64)
+    m_stubInfo->baseTagGPR = base.tagGPR();
+    m_stubInfo->valueTagGPR = result.tagGPR();
+    m_stubInfo->v.propertyTagGPR = property.tagGPR();
+#endif
+}
+
+void JITInByValGenerator::generateFastPath(MacroAssembler& jit)
+{
+    m_start = jit.label();
+    m_slowPathJump = jit.patchableJump();
+    m_done = jit.label();
+}
+
+void JITInByValGenerator::finalize(
+    LinkBuffer& fastPath, LinkBuffer& slowPath)
+{
+    ASSERT(m_start.isSet());
+    Base::finalize(
+        fastPath, slowPath, fastPath.locationOf<JITStubRoutinePtrTag>(m_start));
+}
+
+JITInByIdGenerator::JITInByIdGenerator(CodeBlock* codeBlock, CodeOrigin codeOrigin, CallSiteIndex callSite, const RegisterSet& usedRegisters, CacheableIdentifier propertyName, JSValueRegs base, JSValueRegs value)
+    : JITByIdGenerator(codeBlock, codeOrigin, callSite, AccessType::InById, usedRegisters, base, value)
+{
</ins><span class="cx">     // FIXME: We are not supporting fast path for "length" property.
</span><span class="cx">     UNUSED_PARAM(propertyName);
</span><span class="cx">     RELEASE_ASSERT(base.payloadGPR() != value.tagGPR());
</span></span></pre></div>
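Review bot: The JITInByValGenerator constructor records the base, property and result registers with no aliasing check, while the JITInByIdGenerator constructor directly below keeps RELEASE_ASSERT(base.payloadGPR() != value.tagGPR()). The baseline callers in this change pass regT0 as both base and result, so some overlap is intended; state in a comment which overlaps are allowed and assert the ones that are not, in particular for the tag registers stored under USE(JSVALUE32_64).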
<a id="trunkSourceJavaScriptCorejitJITInlineCacheGeneratorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.h (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.h        2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.h   2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -195,6 +195,31 @@
</span><span class="cx">     MacroAssembler::PatchableJump m_slowPathJump;
</span><span class="cx"> };
</span><span class="cx"> 
</span><ins>+class JITInByValGenerator : public JITInlineCacheGenerator {
+    using Base = JITInlineCacheGenerator;
+public:
+    JITInByValGenerator() { }
+
+    JITInByValGenerator(
+        CodeBlock*, CodeOrigin, CallSiteIndex, const RegisterSet& usedRegisters,
+        JSValueRegs base, JSValueRegs property, JSValueRegs result);
+
+    MacroAssembler::Jump slowPathJump() const
+    {
+        ASSERT(m_slowPathJump.m_jump.isSet());
+        return m_slowPathJump.m_jump;
+    }
+
+    void finalize(
+        LinkBuffer& fastPathLinkBuffer, LinkBuffer& slowPathLinkBuffer);
+
+    void generateFastPath(MacroAssembler&);
+
+private:
+    MacroAssembler::Label m_start;
+    MacroAssembler::PatchableJump m_slowPathJump;
+};
+
</ins><span class="cx"> class JITInByIdGenerator : public JITByIdGenerator {
</span><span class="cx"> public:
</span><span class="cx">     JITInByIdGenerator() { }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOperations.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOperations.cpp        2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/jit/JITOperations.cpp   2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -394,7 +394,7 @@
</span><span class="cx">     }));
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-JSC_DEFINE_JIT_OPERATION(operationInById, EncodedJSValue, (JSGlobalObject* globalObject, StructureStubInfo* stubInfo, EncodedJSValue base, uintptr_t rawCacheableIdentifier))
</del><ins>+JSC_DEFINE_JIT_OPERATION(operationInByIdGeneric, EncodedJSValue, (JSGlobalObject* globalObject, StructureStubInfo* stubInfo, EncodedJSValue base, uintptr_t rawCacheableIdentifier))
</ins><span class="cx"> {
</span><span class="cx">     SuperSamplerScope superSamplerScope(false);
</span><span class="cx"> 
</span><span class="lines">@@ -415,7 +415,7 @@
</span><span class="cx">     }
</span><span class="cx">     JSObject* baseObject = asObject(baseValue);
</span><span class="cx"> 
</span><del>-    LOG_IC((ICEvent::OperationInById, baseObject->classInfo(vm), ident));
</del><ins>+    LOG_IC((ICEvent::OperationInByIdGeneric, baseObject->classInfo(vm), ident));
</ins><span class="cx"> 
</span><span class="cx">     scope.release();
</span><span class="cx">     PropertySlot slot(baseObject, PropertySlot::InternalMethodType::HasProperty);
</span><span class="lines">@@ -448,21 +448,66 @@
</span><span class="cx">     bool found = baseObject->getPropertySlot(globalObject, ident, slot);
</span><span class="cx">     CodeBlock* codeBlock = callFrame->codeBlock();
</span><span class="cx">     if (stubInfo->considerCachingBy(vm, codeBlock, baseObject->structure(vm), identifier))
</span><del>-        repatchInByID(globalObject, codeBlock, baseObject, identifier, found, slot, *stubInfo);
</del><ins>+        repatchInBy(globalObject, codeBlock, baseObject, identifier, found, slot, *stubInfo, InByKind::Normal);
</ins><span class="cx">     return JSValue::encode(jsBoolean(found));
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-JSC_DEFINE_JIT_OPERATION(operationInByVal, EncodedJSValue, (JSGlobalObject* globalObject, JSCell* base, EncodedJSValue key))
</del><ins>+JSC_DEFINE_JIT_OPERATION(operationInByValOptimize, EncodedJSValue, (JSGlobalObject* globalObject, StructureStubInfo* stubInfo, ArrayProfile* arrayProfile, EncodedJSValue encodedBase, EncodedJSValue encodedKey))
</ins><span class="cx"> {
</span><span class="cx">     SuperSamplerScope superSamplerScope(false);
</span><del>-    
</del><ins>+
</ins><span class="cx">     VM& vm = globalObject->vm();
</span><span class="cx">     CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
</span><span class="cx">     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
</span><ins>+    auto scope = DECLARE_THROW_SCOPE(vm);
</ins><span class="cx"> 
</span><del>-    return JSValue::encode(jsBoolean(CommonSlowPaths::opInByVal(globalObject, base, JSValue::decode(key))));
</del><ins>+    JSValue baseValue = JSValue::decode(encodedBase);
+    if (!baseValue.isObject()) {
+        throwException(globalObject, scope, createInvalidInParameterError(globalObject, baseValue));
+        return encodedJSValue();
+    }
+    JSObject* baseObject = asObject(baseValue);
+    if (arrayProfile)
+        arrayProfile->observeStructure(baseObject->structure(vm));
+
+    JSValue key = JSValue::decode(encodedKey);
+    uint32_t i;
+    if (key.getUInt32(i)) {
+        // FIXME: InByVal should have inline caching for integer indices too, as GetByVal does.
+        // https://bugs.webkit.org/show_bug.cgi?id=226619
+        if (arrayProfile)
+            arrayProfile->observeIndexedRead(vm, baseObject, i);
+        RELEASE_AND_RETURN(scope, JSValue::encode(jsBoolean(baseObject->hasProperty(globalObject, i))));
+    }
+
+    const Identifier propertyName = key.toPropertyKey(globalObject);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+    PropertySlot slot(baseObject, PropertySlot::InternalMethodType::HasProperty);
+    bool found = baseObject->getPropertySlot(globalObject, propertyName, slot);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+
+    if (CacheableIdentifier::isCacheableIdentifierCell(key) && (key.isSymbol() || !parseIndex(propertyName))) {
+        CodeBlock* codeBlock = callFrame->codeBlock();
+        CacheableIdentifier identifier = CacheableIdentifier::createFromCell(key.asCell());
+        if (stubInfo->considerCachingBy(vm, codeBlock, baseObject->structure(vm), identifier))
+            repatchInBy(globalObject, codeBlock, baseObject, identifier, found, slot, *stubInfo, InByKind::NormalByVal);
+    }
+
+    return JSValue::encode(jsBoolean(found));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><ins>+JSC_DEFINE_JIT_OPERATION(operationInByValGeneric, EncodedJSValue, (JSGlobalObject* globalObject, StructureStubInfo* stubInfo, ArrayProfile* arrayProfile, EncodedJSValue base, EncodedJSValue key))
+{
+    SuperSamplerScope superSamplerScope(false);
+
+    VM& vm = globalObject->vm();
+    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
+    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
+
+    stubInfo->tookSlowPath = true;
+    return JSValue::encode(jsBoolean(CommonSlowPaths::opInByVal(globalObject, JSValue::decode(base), JSValue::decode(key), arrayProfile)));
+}
+
</ins><span class="cx"> JSC_DEFINE_JIT_OPERATION(operationHasPrivateName, EncodedJSValue, (JSGlobalObject* globalObject, JSCell* base, EncodedJSValue key))
</span><span class="cx"> {
</span><span class="cx">     SuperSamplerScope superSamplerScope(false);
</span></span></pre></div>
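Review bot: arrayProfile is treated as nullable in operationInByValOptimize (both uses sit behind if (arrayProfile)) but operationInByValGeneric forwards it unchecked to CommonSlowPaths::opInByVal. The FTL slow path in compileInBy passes CCallHelpers::TrustedImmPtr(nullptr) for this argument, and repatchInBy switches that same call site to operationInByValGeneric on GiveUpOnCache, so a null profile does reach the generic operation. Confirm that opInByVal null-checks the profile (its body is not part of the lines shown here), or guard it in operationInByValGeneric, and note the nullability on the parameter.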
<a id="trunkSourceJavaScriptCorejitJITOperationsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOperations.h (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOperations.h  2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/jit/JITOperations.h     2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -174,10 +174,10 @@
</span><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationGetByIdDirectGeneric, EncodedJSValue, (JSGlobalObject*, EncodedJSValue, uintptr_t));
</span><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationGetByIdDirectOptimize, EncodedJSValue, (JSGlobalObject*, StructureStubInfo*, EncodedJSValue, uintptr_t));
</span><span class="cx"> 
</span><del>-JSC_DECLARE_JIT_OPERATION(operationInById, EncodedJSValue, (JSGlobalObject*, StructureStubInfo*, EncodedJSValue, uintptr_t));
</del><ins>+JSC_DECLARE_JIT_OPERATION(operationInByIdGeneric, EncodedJSValue, (JSGlobalObject*, StructureStubInfo*, EncodedJSValue, uintptr_t));
</ins><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationInByIdOptimize, EncodedJSValue, (JSGlobalObject*, StructureStubInfo*, EncodedJSValue, uintptr_t));
</span><del>-
-JSC_DECLARE_JIT_OPERATION(operationInByVal, EncodedJSValue, (JSGlobalObject*, JSCell*, EncodedJSValue));
</del><ins>+JSC_DECLARE_JIT_OPERATION(operationInByValGeneric, EncodedJSValue, (JSGlobalObject*, StructureStubInfo*, ArrayProfile*, EncodedJSValue, EncodedJSValue));
+JSC_DECLARE_JIT_OPERATION(operationInByValOptimize, EncodedJSValue, (JSGlobalObject*, StructureStubInfo*, ArrayProfile*, EncodedJSValue, EncodedJSValue));
</ins><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationHasPrivateName, EncodedJSValue, (JSGlobalObject*, JSCell*, EncodedJSValue));
</span><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationHasPrivateBrand, EncodedJSValue, (JSGlobalObject*, JSCell*, EncodedJSValue));
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITPropertyAccesscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp    2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp       2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -1573,6 +1573,76 @@
</span><span class="cx">     gen.reportSlowPathCall(coldPathBegin, call);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void JIT::emit_op_in_by_val(const Instruction* currentInstruction)
+{
+    auto bytecode = currentInstruction->as<OpInByVal>();
+    VirtualRegister dst = bytecode.m_dst;
+    VirtualRegister base = bytecode.m_base;
+    VirtualRegister property = bytecode.m_property;
+    auto& metadata = bytecode.metadata(m_codeBlock);
+    ArrayProfile* profile = &metadata.m_arrayProfile;
+
+    emitGetVirtualRegister(base, regT0);
+    emitJumpSlowCaseIfNotJSCell(regT0, base);
+    emitGetVirtualRegister(property, regT1);
+    emitArrayProfilingSiteWithCell(regT0, regT2, profile);
+
+    JITInByValGenerator gen(
+        m_codeBlock, CodeOrigin(m_bytecodeIndex), CallSiteIndex(m_bytecodeIndex), RegisterSet::stubUnavailableRegisters(),
+        JSValueRegs(regT0), JSValueRegs(regT1), JSValueRegs(regT0));
+    gen.generateFastPath(*this);
+    addSlowCase(gen.slowPathJump());
+    m_inByVals.append(gen);
+
+    emitPutVirtualRegister(dst);
+}
+
+void JIT::emitSlow_op_in_by_val(const Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    linkAllSlowCases(iter);
+
+    auto bytecode = currentInstruction->as<OpInByVal>();
+    VirtualRegister dst = bytecode.m_dst;
+    auto& metadata = bytecode.metadata(m_codeBlock);
+    ArrayProfile* profile = &metadata.m_arrayProfile;
+
+    JITInByValGenerator& gen = m_inByVals[m_inByValIndex++];
+
+    Label coldPathBegin = label();
+
+#if !ENABLE(EXTRA_CTI_THUNKS)
+    Call call = callOperation(operationInByValOptimize, dst, TrustedImmPtr(m_codeBlock->globalObject()), gen.stubInfo(), profile, regT0, regT1);
+#else
+    VM& vm = this->vm();
+    uint32_t bytecodeOffset = m_bytecodeIndex.offset();
+    ASSERT(BytecodeIndex(bytecodeOffset) == m_bytecodeIndex);
+
+    constexpr GPRReg bytecodeOffsetGPR = argumentGPR4;
+    move(TrustedImm32(bytecodeOffset), bytecodeOffsetGPR);
+
+    constexpr GPRReg stubInfoGPR = argumentGPR3;
+    constexpr GPRReg profileGPR = argumentGPR2;
+    constexpr GPRReg baseGPR = regT0;
+    constexpr GPRReg propertyGPR = regT1;
+    static_assert(baseGPR == argumentGPR0 || !isARM64());
+    static_assert(propertyGPR == argumentGPR1);
+
+    move(TrustedImmPtr(gen.stubInfo()), stubInfoGPR);
+    move(TrustedImmPtr(profile), profileGPR);
+    // slow_op_get_by_val_prepareCallGenerator will do exactly what we need.
+    // So, there's no point in creating a duplicate thunk just to give it a different name.
+    static_assert(std::is_same<decltype(operationInByValOptimize), decltype(operationGetByValOptimize)>::value);
+    emitNakedNearCall(vm.getCTIStub(slow_op_get_by_val_prepareCallGenerator).retaggedCode<NoPtrTag>());
+
+    Call call = appendCall(operationInByValOptimize);
+    emitNakedNearCall(vm.getCTIStub(checkExceptionGenerator).retaggedCode<NoPtrTag>());
+
+    emitPutVirtualRegister(dst, returnValueGPR);
+#endif // ENABLE(EXTRA_CTI_THUNKS)
+
+    gen.reportSlowPathCall(coldPathBegin, call);
+}
+
</ins><span class="cx"> void JIT::emitVarInjectionCheck(bool needsVarInjectionChecks)
</span><span class="cx"> {
</span><span class="cx">     if (!needsVarInjectionChecks)
</span></span></pre></div>
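Review bot: In emit_op_in_by_val, emitJumpSlowCaseIfNotJSCell(regT0, base) registers its slow case before emitGetVirtualRegister(property, regT1) runs, yet emitSlow_op_in_by_val passes regT1 as the key, so on the not-a-cell path the operation receives whatever regT1 last held. operationInByValOptimize returns on !baseValue.isObject() before it decodes the key, but once the call has been repatched to operationInByValGeneric the key goes straight into CommonSlowPaths::opInByVal. Load the property before the cell check, as the 32_64 version does with emitLoad2, so the slow path never depends on the callee ignoring a stale register.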
<a id="trunkSourceJavaScriptCorejitJITPropertyAccess32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp       2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp  2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -908,6 +908,47 @@
</span><span class="cx">     gen.reportSlowPathCall(coldPathBegin, call);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void JIT::emit_op_in_by_val(const Instruction* currentInstruction)
+{
+    auto bytecode = currentInstruction->as<OpInByVal>();
+    VirtualRegister dst = bytecode.m_dst;
+    VirtualRegister base = bytecode.m_base;
+    VirtualRegister property = bytecode.m_property;
+    auto& metadata = bytecode.metadata(m_codeBlock);
+    ArrayProfile* profile = &metadata.m_arrayProfile;
+
+    emitLoad2(base, regT1, regT0, property, regT3, regT2);
+    emitJumpSlowCaseIfNotJSCell(base, regT1);
+    emitArrayProfilingSiteWithCell(regT0, regT4, profile);
+
+    JITInByValGenerator gen(
+        m_codeBlock, CodeOrigin(m_bytecodeIndex), CallSiteIndex(m_bytecodeIndex), RegisterSet::stubUnavailableRegisters(),
+        JSValueRegs::payloadOnly(regT0), JSValueRegs(regT3, regT2), JSValueRegs(regT1, regT0));
+    gen.generateFastPath(*this);
+    addSlowCase(gen.slowPathJump());
+    m_inByVals.append(gen);
+
+    emitStore(dst, regT1, regT0);
+}
+
+void JIT::emitSlow_op_in_by_val(const Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    linkAllSlowCases(iter);
+
+    auto bytecode = currentInstruction->as<OpInByVal>();
+    VirtualRegister dst = bytecode.m_dst;
+    auto& metadata = bytecode.metadata(m_codeBlock);
+    ArrayProfile* profile = &metadata.m_arrayProfile;
+
+    JITInByValGenerator& gen = m_inByVals[m_inByValIndex++];
+
+    Label coldPathBegin = label();
+
+    Call call = callOperation(operationInByValOptimize, dst, TrustedImmPtr(m_codeBlock->globalObject()), gen.stubInfo(), profile, JSValueRegs(regT1, regT0), JSValueRegs(regT3, regT2));
+
+    gen.reportSlowPathCall(coldPathBegin, call);
+}
+
</ins><span class="cx"> void JIT::emitVarInjectionCheck(bool needsVarInjectionChecks)
</span><span class="cx"> {
</span><span class="cx">     if (!needsVarInjectionChecks)
</span></span></pre></div>
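Review bot: emitSlow_op_in_by_val picks its generator with m_inByVals[m_inByValIndex++], here and in JITPropertyAccess.cpp, so the stub info reported by reportSlowPathCall is only the right one if slow cases are visited in the order the fast paths were appended, and nothing in this change checks that the counter ends equal to m_inByVals.size(). Add that check where the slow-case pass finishes, next to any equivalent checks for the other inline-cache counters.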
<a id="trunkSourceJavaScriptCorejitRepatchcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/Repatch.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/Repatch.cpp      2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/jit/Repatch.cpp 2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -897,7 +897,7 @@
</span><span class="cx">     }
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-static InlineCacheAction tryCacheInByID(
</del><ins>+static InlineCacheAction tryCacheInBy(
</ins><span class="cx">     JSGlobalObject* globalObject, CodeBlock* codeBlock, JSObject* base, CacheableIdentifier propertyName,
</span><span class="cx">     bool wasFound, const PropertySlot& slot, StructureStubInfo& stubInfo)
</span><span class="cx"> {
</span><span class="lines">@@ -1002,12 +1002,18 @@
</span><span class="cx">     return result.shouldGiveUpNow() ? GiveUpOnCache : RetryCacheLater;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void repatchInByID(JSGlobalObject* globalObject, CodeBlock* codeBlock, JSObject* baseObject, CacheableIdentifier propertyName, bool wasFound, const PropertySlot& slot, StructureStubInfo& stubInfo)
</del><ins>+void repatchInBy(JSGlobalObject* globalObject, CodeBlock* codeBlock, JSObject* baseObject, CacheableIdentifier propertyName, bool wasFound, const PropertySlot& slot, StructureStubInfo& stubInfo, InByKind kind)
</ins><span class="cx"> {
</span><span class="cx">     SuperSamplerScope superSamplerScope(false);
</span><ins>+    VM& vm = globalObject->vm();
</ins><span class="cx"> 
</span><del>-    if (tryCacheInByID(globalObject, codeBlock, baseObject, propertyName, wasFound, slot, stubInfo) == GiveUpOnCache)
-        ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation, operationInById);
</del><ins>+    if (tryCacheInBy(globalObject, codeBlock, baseObject, propertyName, wasFound, slot, stubInfo) == GiveUpOnCache) {
+        LOG_IC((ICEvent::InReplaceWithGeneric, baseObject->classInfo(globalObject->vm()), Identifier::fromUid(vm, propertyName.uid())));
+        if (kind == InByKind::Normal)
+            ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation, operationInByIdGeneric);
+        else
+            ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation, operationInByValGeneric);
+    }
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> static InlineCacheAction tryCacheCheckPrivateBrand(
</span><span class="lines">@@ -1683,9 +1689,12 @@
</span><span class="cx">     MacroAssembler::repatchJump(stubInfo.patchableJump(), stubInfo.slowPathStartLocation);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void resetInByID(CodeBlock* codeBlock, StructureStubInfo& stubInfo)
</del><ins>+void resetInBy(CodeBlock* codeBlock, StructureStubInfo& stubInfo, InByKind kind)
</ins><span class="cx"> {
</span><del>-    ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation, operationInByIdOptimize);
</del><ins>+    if (kind == InByKind::Normal)
+        ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation, operationInByIdOptimize);
+    else
+        ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation, operationInByValOptimize);
</ins><span class="cx">     InlineAccess::rewireStubAsJump(stubInfo, stubInfo.slowPathStartLocation);
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitRepatchh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/Repatch.h (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/Repatch.h        2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/jit/Repatch.h   2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -48,11 +48,16 @@
</span><span class="cx">     NormalByVal
</span><span class="cx"> };
</span><span class="cx"> 
</span><ins>+enum class InByKind {
+    Normal,
+    NormalByVal
+};
+
</ins><span class="cx"> void repatchArrayGetByVal(JSGlobalObject*, CodeBlock*, JSValue base, JSValue index, StructureStubInfo&);
</span><span class="cx"> void repatchGetBy(JSGlobalObject*, CodeBlock*, JSValue, CacheableIdentifier, const PropertySlot&, StructureStubInfo&, GetByKind);
</span><span class="cx"> void repatchPutByID(JSGlobalObject*, CodeBlock*, JSValue, Structure*, CacheableIdentifier, const PutPropertySlot&, StructureStubInfo&, PutKind);
</span><span class="cx"> void repatchDeleteBy(JSGlobalObject*, CodeBlock*, DeletePropertySlot&, JSValue, Structure*, CacheableIdentifier, StructureStubInfo&, DelByKind, ECMAMode);
</span><del>-void repatchInByID(JSGlobalObject*, CodeBlock*, JSObject*, CacheableIdentifier, bool wasFound, const PropertySlot&, StructureStubInfo&);
</del><ins>+void repatchInBy(JSGlobalObject*, CodeBlock*, JSObject*, CacheableIdentifier, bool wasFound, const PropertySlot&, StructureStubInfo&, InByKind);
</ins><span class="cx"> void repatchCheckPrivateBrand(JSGlobalObject*, CodeBlock*, JSObject*, CacheableIdentifier, StructureStubInfo&);
</span><span class="cx"> void repatchSetPrivateBrand(JSGlobalObject*, CodeBlock*, JSObject*, Structure*, CacheableIdentifier, StructureStubInfo&);
</span><span class="cx"> void repatchInstanceOf(JSGlobalObject*, CodeBlock*, JSValue value, JSValue prototype, StructureStubInfo&, bool wasFound);
</span><span class="lines">@@ -64,7 +69,7 @@
</span><span class="cx"> void resetGetBy(CodeBlock*, StructureStubInfo&, GetByKind);
</span><span class="cx"> void resetPutByID(CodeBlock*, StructureStubInfo&);
</span><span class="cx"> void resetDelBy(CodeBlock*, StructureStubInfo&, DelByKind);
</span><del>-void resetInByID(CodeBlock*, StructureStubInfo&);
</del><ins>+void resetInBy(CodeBlock*, StructureStubInfo&, InByKind);
</ins><span class="cx"> void resetInstanceOf(StructureStubInfo&);
</span><span class="cx"> void resetCheckPrivateBrand(CodeBlock*, StructureStubInfo&);
</span><span class="cx"> void resetSetPrivateBrand(CodeBlock*, StructureStubInfo&);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLLIntSlowPathscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp     2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp        2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -1424,6 +1424,14 @@
</span><span class="cx">     LLINT_RETURN(jsBoolean(asObject(baseValue)->hasProperty(globalObject, codeBlock->identifier(bytecode.m_property))));
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+LLINT_SLOW_PATH_DECL(slow_path_in_by_val)
+{
+    LLINT_BEGIN();
+    auto bytecode = pc->as<OpInByVal>();
+    auto& metadata = bytecode.metadata(codeBlock);
+    LLINT_RETURN(jsBoolean(CommonSlowPaths::opInByVal(globalObject, getOperand(callFrame, bytecode.m_base), getOperand(callFrame, bytecode.m_property), &metadata.m_arrayProfile)));
+}
+
</ins><span class="cx"> LLINT_SLOW_PATH_DECL(slow_path_put_getter_by_id)
</span><span class="cx"> {
</span><span class="cx">     LLINT_BEGIN();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLLIntSlowPathsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.h (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.h       2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.h  2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -72,6 +72,7 @@
</span><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_get_by_id_with_this);
</span><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_put_by_id);
</span><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_in_by_id);
</span><ins>+LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_in_by_val);
</ins><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_del_by_id);
</span><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_get_by_val);
</span><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_get_private_name);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreterasm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm        2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm   2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -2010,7 +2010,6 @@
</span><span class="cx">     slowPathOp(get_prototype_of)
</span><span class="cx"> end
</span><span class="cx"> 
</span><del>-slowPathOp(in_by_val)
</del><span class="cx"> slowPathOp(has_private_name)
</span><span class="cx"> slowPathOp(has_private_brand)
</span><span class="cx"> slowPathOp(is_callable)
</span><span class="lines">@@ -2044,6 +2043,7 @@
</span><span class="cx"> end
</span><span class="cx"> 
</span><span class="cx"> llintSlowPathOp(in_by_id)
</span><ins>+llintSlowPathOp(in_by_val)
</ins><span class="cx"> llintSlowPathOp(del_by_id)
</span><span class="cx"> llintSlowPathOp(del_by_val)
</span><span class="cx"> llintSlowPathOp(instanceof)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeCommonSlowPathscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp  2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp     2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -830,14 +830,6 @@
</span><span class="cx">     RETURN(jsBoolean(GET_C(bytecode.m_operand).jsValue().isConstructor(vm)));
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-JSC_DEFINE_COMMON_SLOW_PATH(slow_path_in_by_val)
-{
-    BEGIN();
-    auto bytecode = pc->as<OpInByVal>();
-    auto& metadata = bytecode.metadata(codeBlock);
-    RETURN(jsBoolean(CommonSlowPaths::opInByVal(globalObject, GET_C(bytecode.m_base).jsValue(), GET_C(bytecode.m_property).jsValue(), &metadata.m_arrayProfile)));
-}
-
</del><span class="cx"> JSC_DEFINE_COMMON_SLOW_PATH(slow_path_has_private_name)
</span><span class="cx"> {
</span><span class="cx">     BEGIN();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeCommonSlowPathsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h (278444 => 278445)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h    2021-06-04 02:20:59 UTC (rev 278444)
+++ trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h       2021-06-04 03:10:54 UTC (rev 278445)
</span><span class="lines">@@ -251,7 +251,6 @@
</span><span class="cx"> JSC_DECLARE_COMMON_SLOW_PATH(slow_path_typeof_is_function);
</span><span class="cx"> JSC_DECLARE_COMMON_SLOW_PATH(slow_path_is_callable);
</span><span class="cx"> JSC_DECLARE_COMMON_SLOW_PATH(slow_path_is_constructor);
</span><del>-JSC_DECLARE_COMMON_SLOW_PATH(slow_path_in_by_val);
</del><span class="cx"> JSC_DECLARE_COMMON_SLOW_PATH(slow_path_has_private_name);
</span><span class="cx"> JSC_DECLARE_COMMON_SLOW_PATH(slow_path_has_private_brand);
</span><span class="cx"> JSC_DECLARE_COMMON_SLOW_PATH(slow_path_strcat);
</span></span></pre>
</div>
</div>

</body>
</html>