<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[281684] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/281684">281684</a></dd>
<dt>Author</dt> <dd>ysuzuki@apple.com</dd>
<dt>Date</dt> <dd>2021-08-26 21:26:35 -0700 (Thu, 26 Aug 2021)</dd>
</dl>

<h3>Log Message</h3>
<pre>[JSC] op_put_private_name should use modern IC and remove ByValInfo
https://bugs.webkit.org/show_bug.cgi?id=229544

Reviewed by Saam Barati.

JSTests:

Move class-fields-private benchmarks into microbenchmarks.
Added several microbenchmarks and stress tests.

* microbenchmarks/class-private-field-polymorphic.js: Added.
(shouldBe):
(test.A.prototype.put):
* microbenchmarks/get-private-name.js: Renamed from JSTests/microbenchmarks/class-fields-private/get-private-name.js.
* microbenchmarks/monomorphic-get-private-field.js: Renamed from JSTests/microbenchmarks/class-fields-private/monomorphic-get-private-field.js.
* microbenchmarks/polymorphic-get-private-field.js: Renamed from JSTests/microbenchmarks/class-fields-private/polymorphic-get-private-field.js.
* microbenchmarks/polymorphic-put-private-field.js: Renamed from JSTests/microbenchmarks/class-fields-private/polymorphic-put-private-field.js.
* microbenchmarks/put-by-val-polymorphic-properties.js: Added.
(shouldBe):
(test):
* microbenchmarks/put-private-field.js: Renamed from JSTests/microbenchmarks/class-fields-private/put-private-field.js.
* stress/class-private-field-megamorphic.js: Added.
(shouldBe):
* stress/class-private-field-polymorphic.js: Added.
(shouldBe):
(test.A.prototype.put):
* stress/put-by-val-polymorphic-properties.js: Added.
(shouldBe):
(test):

Source/JavaScriptCore:

This patch makes op_put_private_name use the new PutByVal IC. This allows op_put_private_name to support
polymorphic properties, and we can finally remove Baseline's ad hoc IC and ByValInfo completely.

The added microbenchmark showed a 3x improvement due to the polymorphic PutPrivateName IC.

                                            ToT                     Patched

class-private-field-polymorphic        9.3666+-0.0332     ^      3.1199+-0.0182        ^ definitely 3.0022x faster

* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* bytecode/ByValInfo.cpp: Removed.
* bytecode/ByValInfo.h: Removed.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::getICStatusMap):
(JSC::CodeBlock::stronglyVisitStrongReferences):
(JSC::CodeBlock::findByValInfo): Deleted.
(JSC::CodeBlock::addByValInfo): Deleted.
* bytecode/CodeBlock.h:
* bytecode/ICStatusMap.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetPrivateName):
(JSC::DFG::SpeculativeJIT::compilePutPrivateName):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStoreBarrierInsertionPhase.cpp:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compilePutPrivateName):
* jit/JIT.cpp:
(JSC::JIT::privateCompileSlowCases):
(JSC::JIT::link):
(JSC::JIT::privateCompileExceptionHandlers):
* jit/JIT.h:
(JSC::ByValCompilationInfo::ByValCompilationInfo): Deleted.
* jit/JITInlines.h:
(JSC::JIT::emitArrayProfileStoreToHoleSpecialCase): Deleted.
(JSC::JIT::emitArrayProfileOutOfBoundsSpecialCase): Deleted.
* jit/JITOperations.cpp:
(JSC::putPrivateNameOptimize):
(JSC::putPrivateName):
(JSC::JSC_DEFINE_JIT_OPERATION):
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_put_private_name):
(JSC::JIT::emitSlow_op_put_private_name):
(JSC::JIT::slow_op_put_private_name_prepareCallGenerator):
(JSC::JIT::emitPutByValWithCachedId): Deleted.
(JSC::JIT::emitPutPrivateNameWithCachedId): Deleted.
(JSC::JIT::emitByValIdentifierCheck): Deleted.
(JSC::JIT::privateCompilePutPrivateNameWithCachedId): Deleted.
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_put_private_name):
(JSC::JIT::emitSlow_op_put_private_name):
* jit/Repatch.cpp:
(JSC::appropriateGenericPutByFunction):
(JSC::appropriateOptimizingPutByFunction):
(JSC::resetPutBy):

Tools:

* Scripts/run-jsc-benchmarks:</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkJSTestsChangeLog">trunk/JSTests/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceJavaScriptCoreSourcestxt">trunk/Source/JavaScriptCore/Sources.txt</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCodeBlockh">trunk/Source/JavaScriptCore/bytecode/CodeBlock.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeICStatusMaph">trunk/Source/JavaScriptCore/bytecode/ICStatusMap.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp">trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGFixupPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGStoreBarrierInsertionPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITcpp">trunk/Source/JavaScriptCore/jit/JIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITh">trunk/Source/JavaScriptCore/jit/JIT.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITInlinesh">trunk/Source/JavaScriptCore/jit/JITInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOperationscpp">trunk/Source/JavaScriptCore/jit/JITOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOperationsh">trunk/Source/JavaScriptCore/jit/JITOperations.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITPropertyAccesscpp">trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITPropertyAccess32_64cpp">trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitRepatchcpp">trunk/Source/JavaScriptCore/jit/Repatch.cpp</a></li>
<li><a href="#trunkToolsChangeLog">trunk/Tools/ChangeLog</a></li>
<li><a href="#trunkToolsScriptsrunjscbenchmarks">trunk/Tools/Scripts/run-jsc-benchmarks</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkJSTestsmicrobenchmarksclassprivatefieldpolymorphicjs">trunk/JSTests/microbenchmarks/class-private-field-polymorphic.js</a></li>
<li><a href="#trunkJSTestsmicrobenchmarksgetprivatenamejs">trunk/JSTests/microbenchmarks/get-private-name.js</a></li>
<li><a href="#trunkJSTestsmicrobenchmarksmonomorphicgetprivatefieldjs">trunk/JSTests/microbenchmarks/monomorphic-get-private-field.js</a></li>
<li><a href="#trunkJSTestsmicrobenchmarkspolymorphicgetprivatefieldjs">trunk/JSTests/microbenchmarks/polymorphic-get-private-field.js</a></li>
<li><a href="#trunkJSTestsmicrobenchmarkspolymorphicputprivatefieldjs">trunk/JSTests/microbenchmarks/polymorphic-put-private-field.js</a></li>
<li><a href="#trunkJSTestsmicrobenchmarksputbyvalpolymorphicpropertiesjs">trunk/JSTests/microbenchmarks/put-by-val-polymorphic-properties.js</a></li>
<li><a href="#trunkJSTestsmicrobenchmarksputprivatefieldjs">trunk/JSTests/microbenchmarks/put-private-field.js</a></li>
<li><a href="#trunkJSTestsstressclassprivatefieldmegamorphicjs">trunk/JSTests/stress/class-private-field-megamorphic.js</a></li>
<li><a href="#trunkJSTestsstressclassprivatefieldpolymorphicjs">trunk/JSTests/stress/class-private-field-polymorphic.js</a></li>
<li><a href="#trunkJSTestsstressputbyvalpolymorphicpropertiesjs">trunk/JSTests/stress/put-by-val-polymorphic-properties.js</a></li>
</ul>

<h3>Removed Paths</h3>
<ul>
<li>trunk/JSTests/microbenchmarks/class-fields-private/</li>
<li><a href="#trunkSourceJavaScriptCorebytecodeByValInfocpp">trunk/Source/JavaScriptCore/bytecode/ByValInfo.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeByValInfoh">trunk/Source/JavaScriptCore/bytecode/ByValInfo.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkJSTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/JSTests/ChangeLog (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/ChangeLog  2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/JSTests/ChangeLog     2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -1,3 +1,33 @@
</span><ins>+2021-08-26  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] op_put_private_name should use modern IC and remove ByValInfo
+        https://bugs.webkit.org/show_bug.cgi?id=229544
+
+        Reviewed by Saam Barati.
+
+        Move class-fields-private benchmarks into microbenchmarks.
+        Added several microbenchmarks and stress tests.
+
+        * microbenchmarks/class-private-field-polymorphic.js: Added.
+        (shouldBe):
+        (test.A.prototype.put):
+        * microbenchmarks/get-private-name.js: Renamed from JSTests/microbenchmarks/class-fields-private/get-private-name.js.
+        * microbenchmarks/monomorphic-get-private-field.js: Renamed from JSTests/microbenchmarks/class-fields-private/monomorphic-get-private-field.js.
+        * microbenchmarks/polymorphic-get-private-field.js: Renamed from JSTests/microbenchmarks/class-fields-private/polymorphic-get-private-field.js.
+        * microbenchmarks/polymorphic-put-private-field.js: Renamed from JSTests/microbenchmarks/class-fields-private/polymorphic-put-private-field.js.
+        * microbenchmarks/put-by-val-polymorphic-properties.js: Added.
+        (shouldBe):
+        (test):
+        * microbenchmarks/put-private-field.js: Renamed from JSTests/microbenchmarks/class-fields-private/put-private-field.js.
+        * stress/class-private-field-megamorphic.js: Added.
+        (shouldBe):
+        * stress/class-private-field-polymorphic.js: Added.
+        (shouldBe):
+        (test.A.prototype.put):
+        * stress/put-by-val-polymorphic-properties.js: Added.
+        (shouldBe):
+        (test):
+
</ins><span class="cx"> 2021-08-26  Saam Barati  <sbarati@apple.com>
</span><span class="cx"> 
</span><span class="cx">         r281485 was not sufficient in where it called disablePeepholeOptimization
</span></span></pre></div>
<a id="trunkJSTestsmicrobenchmarksclassprivatefieldpolymorphicjs"></a>
<div class="addfile"><h4>Added: trunk/JSTests/microbenchmarks/class-private-field-polymorphic.js (0 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/microbenchmarks/class-private-field-polymorphic.js                         (rev 0)
+++ trunk/JSTests/microbenchmarks/class-private-field-polymorphic.js    2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -0,0 +1,36 @@
</span><ins>+function shouldBe(actual, expected) {
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+function test(i)
+{
+    class A {
+        #field = 0;
+        put(i)
+        {
+            this.#field = i;
+        }
+        get()
+        {
+            return this.#field;
+        }
+    }
+    noInline(A.prototype.get);
+    noInline(A.prototype.put);
+    return new A;
+}
+
+let test0 = test(0);
+let test1 = test(1);
+let test2 = test(2);
+let test3 = test(3);
+let test4 = test(4);
+
+for (var i = 0; i < 1e5; ++i) {
+    test0.put(i + 0);
+    test1.put(i + 1);
+    test2.put(i + 2);
+    test3.put(i + 3);
+    test4.put(i + 4);
+}
</ins></span></pre></div>
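Review bot: shouldBe is defined at the top of this benchmark but never called, and noInline(A.prototype.get) is applied although the loop only calls put(). Either drop the unused helper and the noInline on get, or read each field back once after the loop with shouldBe so a wrong store through the polymorphic IC would be noticed here as well. The parameter of test(i) is also unused, since put(i) declares its own i and the initializer is the constant 0.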
<a id="trunkJSTestsmicrobenchmarksgetprivatenamejsfromrev281679trunkJSTestsmicrobenchmarksclassfieldsprivategetprivatenamejs"></a>
<div class="copfile"><h4>Copied: trunk/JSTests/microbenchmarks/get-private-name.js (from rev 281679, trunk/JSTests/microbenchmarks/class-fields-private/get-private-name.js) (0 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/microbenchmarks/get-private-name.js                                (rev 0)
+++ trunk/JSTests/microbenchmarks/get-private-name.js   2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -0,0 +1,27 @@
</span><ins>+function assert(b, m = "Assertion failed") {
+    if (!b)
+        throw new Error(m);
+}
+
+function test1() {
+    function factory(i) {
+        return new class {
+            #x = i;
+            get() { return this.#x; }
+        };
+    }
+
+    function foo(o, i) {
+        return o.get();
+    }
+    noInline(foo);
+
+    let a = factory(42);
+    let b = factory(43);
+    let start = Date.now();
+    for (let i = 0; i < 10000000; ++i) {
+        assert(foo(a, "a") === 42);
+        assert(foo(b, "b") === 43);
+    }
+}
+test1();
</ins></span></pre></div>
<a id="trunkJSTestsmicrobenchmarksmonomorphicgetprivatefieldjsfromrev281679trunkJSTestsmicrobenchmarksclassfieldsprivatemonomorphicgetprivatefieldjs"></a>
<div class="copfile"><h4>Copied: trunk/JSTests/microbenchmarks/monomorphic-get-private-field.js (from rev 281679, trunk/JSTests/microbenchmarks/class-fields-private/monomorphic-get-private-field.js) (0 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/microbenchmarks/monomorphic-get-private-field.js                           (rev 0)
+++ trunk/JSTests/microbenchmarks/monomorphic-get-private-field.js      2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+class C {
+    #field;
+
+    constructor(i) {
+        this.#field = i;
+    }
+
+    getField() {
+        return this.#field;
+    }
+}
+noInline(C.prototype.getField);
+
+let c = new C("test");
+for (let i = 0; i < 5000000; i++) {
+    if (c.getField() !== "test")
+        throw new Error("unexpected field value");
+}
</ins></span></pre></div>
<a id="trunkJSTestsmicrobenchmarkspolymorphicgetprivatefieldjsfromrev281679trunkJSTestsmicrobenchmarksclassfieldsprivatepolymorphicgetprivatefieldjs"></a>
<div class="copfile"><h4>Copied: trunk/JSTests/microbenchmarks/polymorphic-get-private-field.js (from rev 281679, trunk/JSTests/microbenchmarks/class-fields-private/polymorphic-get-private-field.js) (0 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/microbenchmarks/polymorphic-get-private-field.js                           (rev 0)
+++ trunk/JSTests/microbenchmarks/polymorphic-get-private-field.js      2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -0,0 +1,32 @@
</span><ins>+class C {
+    #field;
+
+    setField(value) {
+        this.#field = value;
+    }
+
+    getField() {
+        return this.#field;
+    }
+}
+noInline(C.prototype.getField);
+
+let c1 = new C();
+c1.foo = 0;
+c1.setField("a");
+
+let c2 = new C();
+c2.bar = 0;
+c2.setField("b");
+
+let c3 = new C();
+c3.baz = 0;
+c3.setField("c");
+
+let arr = [c1, c2, c3];
+let values = ["a", "b", "c"];
+for (let i = 0; i < 5000000; i++) {
+    if (arr[i % arr.length].getField() !== values[i % values.length])
+        throw new Error("unexpected field value");
+}
+
</ins></span></pre></div>
<a id="trunkJSTestsmicrobenchmarkspolymorphicputprivatefieldjsfromrev281679trunkJSTestsmicrobenchmarksclassfieldsprivatepolymorphicputprivatefieldjs"></a>
<div class="copfile"><h4>Copied: trunk/JSTests/microbenchmarks/polymorphic-put-private-field.js (from rev 281679, trunk/JSTests/microbenchmarks/class-fields-private/polymorphic-put-private-field.js) (0 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/microbenchmarks/polymorphic-put-private-field.js                           (rev 0)
+++ trunk/JSTests/microbenchmarks/polymorphic-put-private-field.js      2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -0,0 +1,24 @@
</span><ins>+class C {
+    #field;
+
+    setField(value) {
+        this.#field = value;
+    }
+}
+noInline(C.prototype.setField);
+
+let c1 = new C();
+c1.foo = 0;
+
+let c2 = new C();
+c2.bar = 0;
+
+let c3 = new C();
+c3.baz = 0;
+
+let arr = [c1, c2, c3];
+
+for (let i = 0; i < 5000000; i++) {
+    arr[i % arr.length].setField(i);
+}
+
</ins></span></pre></div>
<a id="trunkJSTestsmicrobenchmarksputbyvalpolymorphicpropertiesjs"></a>
<div class="addfile"><h4>Added: trunk/JSTests/microbenchmarks/put-by-val-polymorphic-properties.js (0 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/microbenchmarks/put-by-val-polymorphic-properties.js                               (rev 0)
+++ trunk/JSTests/microbenchmarks/put-by-val-polymorphic-properties.js  2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -0,0 +1,20 @@
</span><ins>+function shouldBe(actual, expected) {
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+function test(object, name, value)
+{
+    object[name] = value;
+}
+noInline(test);
+
+var array = [ 0, 1, 2 ];
+array.hello = 42;
+array.world = 44;
+
+for (var i = 0; i < 1e6; ++i) {
+    test(array, "hello", i);
+    test(array, "world", i);
+    test(array, 0, i);
+}
</ins></span></pre></div>
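Review bot: shouldBe is declared but unused in this benchmark, so the file never verifies that any of the three stores landed. Remove the helper, or add a single check after the loop (array.hello, array.world and array[0] should all equal 1e6 - 1) so the benchmark cannot silently pass with a miscompiled store.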
<a id="trunkJSTestsmicrobenchmarksputprivatefieldjsfromrev281679trunkJSTestsmicrobenchmarksclassfieldsprivateputprivatefieldjs"></a>
<div class="copfile"><h4>Copied: trunk/JSTests/microbenchmarks/put-private-field.js (from rev 281679, trunk/JSTests/microbenchmarks/class-fields-private/put-private-field.js) (0 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/microbenchmarks/put-private-field.js                               (rev 0)
+++ trunk/JSTests/microbenchmarks/put-private-field.js  2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -0,0 +1,14 @@
</span><ins>+class C {
+    #field;
+
+    setField(value) {
+        this.#field = value;
+    }
+}
+noInline(C.prototype.setField);
+
+let c = new C();
+for (let i = 0; i < 5000000; i++) {
+    c.setField(i);
+}
+
</ins></span></pre></div>
<a id="trunkJSTestsstressclassprivatefieldmegamorphicjs"></a>
<div class="addfile"><h4>Added: trunk/JSTests/stress/class-private-field-megamorphic.js (0 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/stress/class-private-field-megamorphic.js                          (rev 0)
+++ trunk/JSTests/stress/class-private-field-megamorphic.js     2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -0,0 +1,26 @@
</span><ins>+function shouldBe(actual, expected) {
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+function test(i)
+{
+    class A {
+        #field = 0;
+        get()
+        {
+            return this.#field;
+        }
+        put(i)
+        {
+            this.#field = i;
+        }
+    }
+
+    let instance = new A;
+    instance.put(i);
+    return instance.get();
+}
+
+for (var i = 0; i < 1e5; ++i)
+    shouldBe(test(i), i);
</ins></span></pre></div>
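Review bot: nothing in this file says what makes the access site megamorphic. The point appears to be that every test(i) call evaluates class A again and so creates a fresh private name for #field, which means the put and get sites see 1e5 different names. A one-line comment above test() stating that would keep a later cleanup from hoisting the class out of the function and turning this into a monomorphic test.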
<a id="trunkJSTestsstressclassprivatefieldpolymorphicjs"></a>
<div class="addfile"><h4>Added: trunk/JSTests/stress/class-private-field-polymorphic.js (0 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/stress/class-private-field-polymorphic.js                          (rev 0)
+++ trunk/JSTests/stress/class-private-field-polymorphic.js     2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -0,0 +1,41 @@
</span><ins>+function shouldBe(actual, expected) {
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+function test(i)
+{
+    class A {
+        #field = 0;
+        put(i)
+        {
+            this.#field = i;
+        }
+        get()
+        {
+            return this.#field;
+        }
+    }
+    noInline(A.prototype.get);
+    noInline(A.prototype.put);
+    return new A;
+}
+
+let test0 = test(0);
+let test1 = test(1);
+let test2 = test(2);
+let test3 = test(3);
+let test4 = test(4);
+
+for (var i = 0; i < 1e5; ++i) {
+    test0.put(i + 0);
+    shouldBe(test0.get(), i + 0);
+    test1.put(i + 1);
+    shouldBe(test1.get(), i + 1);
+    test2.put(i + 2);
+    shouldBe(test2.get(), i + 2);
+    test3.put(i + 3);
+    shouldBe(test3.get(), i + 3);
+    test4.put(i + 4);
+    shouldBe(test4.get(), i + 4);
+}
</ins></span></pre></div>
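Review bot: the loop only exercises the success path, where each put() and get() runs on an instance of its own class, so the five cached cases are never asked to reject anything. Because every test(n) call produces a distinct #field, calling one class's method on another class's instance, for example test0.put.call(test1, 0) or test0.get.call(test1), must throw a TypeError. Add those negative cases after the loop, once the IC is warm, to confirm that the polymorphic PutPrivateName IC does not match a cached case for the wrong private name and write into an object that lacks the field.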
<a id="trunkJSTestsstressputbyvalpolymorphicpropertiesjs"></a>
<div class="addfile"><h4>Added: trunk/JSTests/stress/put-by-val-polymorphic-properties.js (0 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/stress/put-by-val-polymorphic-properties.js                                (rev 0)
+++ trunk/JSTests/stress/put-by-val-polymorphic-properties.js   2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+function shouldBe(actual, expected) {
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+function test(object, name, value)
+{
+    object[name] = value;
+}
+noInline(test);
+
+var array = [ 0, 1, 2 ];
+array.hello = 42;
+array.world = 44;
+
+for (var i = 0; i < 1e6; ++i) {
+    test(array, "hello", i);
+    shouldBe(array.hello, i);
+    test(array, "world", i);
+    shouldBe(array.world, i);
+    test(array, 0, i);
+    shouldBe(array[0], i);
+}
</ins></span></pre></div>
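Review bot: the indexed store test(array, 0, i) only ever hits an in-bounds, already populated slot, and both named stores replace properties that already exist. The ChangeLog for this revision lists emitArrayProfileStoreToHoleSpecialCase and emitArrayProfileOutOfBoundsSpecialCase as deleted, so this stress test should also cover those paths through the new IC: a store to a hole, a store past array.length with a check that length grows, and a store that adds a new named property rather than replacing one.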
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog    2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/ChangeLog       2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -1,3 +1,75 @@
</span><ins>+2021-08-26  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] op_put_private_name should use modern IC and remove ByValInfo
+        https://bugs.webkit.org/show_bug.cgi?id=229544
+
+        Reviewed by Saam Barati.
+
+        This patch makes op_put_private_name use new PutByVal IC. This allows op_put_private_name to support
+        polymorphic properties, and we can finally remove Baseline's adhoc IC and ByValInfo completely.
+
+        Added microbenchmark showed 3x improvement due to polymorphic PutPrivateName IC.
+
+                                                    ToT                     Patched
+
+        class-private-field-polymorphic        9.3666+-0.0332     ^      3.1199+-0.0182        ^ definitely 3.0022x faster
+
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * bytecode/ByValInfo.cpp: Removed.
+        * bytecode/ByValInfo.h: Removed.
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::getICStatusMap):
+        (JSC::CodeBlock::stronglyVisitStrongReferences):
+        (JSC::CodeBlock::findByValInfo): Deleted.
+        (JSC::CodeBlock::addByValInfo): Deleted.
+        * bytecode/CodeBlock.h:
+        * bytecode/ICStatusMap.h:
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileGetPrivateName):
+        (JSC::DFG::SpeculativeJIT::compilePutPrivateName):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGStoreBarrierInsertionPhase.cpp:
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compilePutPrivateName):
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileSlowCases):
+        (JSC::JIT::link):
+        (JSC::JIT::privateCompileExceptionHandlers):
+        * jit/JIT.h:
+        (JSC::ByValCompilationInfo::ByValCompilationInfo): Deleted.
+        * jit/JITInlines.h:
+        (JSC::JIT::emitArrayProfileStoreToHoleSpecialCase): Deleted.
+        (JSC::JIT::emitArrayProfileOutOfBoundsSpecialCase): Deleted.
+        * jit/JITOperations.cpp:
+        (JSC::putPrivateNameOptimize):
+        (JSC::putPrivateName):
+        (JSC::JSC_DEFINE_JIT_OPERATION):
+        * jit/JITOperations.h:
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emit_op_put_private_name):
+        (JSC::JIT::emitSlow_op_put_private_name):
+        (JSC::JIT::slow_op_put_private_name_prepareCallGenerator):
+        (JSC::JIT::emitPutByValWithCachedId): Deleted.
+        (JSC::JIT::emitPutPrivateNameWithCachedId): Deleted.
+        (JSC::JIT::emitByValIdentifierCheck): Deleted.
+        (JSC::JIT::privateCompilePutPrivateNameWithCachedId): Deleted.
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::emit_op_put_private_name):
+        (JSC::JIT::emitSlow_op_put_private_name):
+        * jit/Repatch.cpp:
+        (JSC::appropriateGenericPutByFunction):
+        (JSC::appropriateOptimizingPutByFunction):
+        (JSC::resetPutBy):
+
</ins><span class="cx"> 2021-08-26  Saam Barati  <sbarati@apple.com>
</span><span class="cx"> 
</span><span class="cx">         r281485 was not sufficient in where it called disablePeepholeOptimization
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj     2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj        2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -444,7 +444,6 @@
</span><span class="cx">          0F7DF13C1E2971130095951B /* JSDestructibleObjectHeapCellType.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F7DF13A1E29710E0095951B /* JSDestructibleObjectHeapCellType.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          0F7DF1461E2BEF6A0095951B /* BlockDirectoryInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F7DF1451E2BEF680095951B /* BlockDirectoryInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          0F7F988C1D9596C800F4F12E /* DFGStoreBarrierClusteringPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F7F988A1D9596C300F4F12E /* DFGStoreBarrierClusteringPhase.h */; };
</span><del>-               0F8023EA1613832B00A0BA45 /* ByValInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F8023E91613832300A0BA45 /* ByValInfo.h */; };
</del><span class="cx">           0F8335B81639C1EA001443B5 /* ArrayAllocationProfile.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F8335B51639C1E3001443B5 /* ArrayAllocationProfile.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">          0F8364B7164B0C110053329A /* DFGBranchDirection.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F8364B5164B0C0E0053329A /* DFGBranchDirection.h */; };
</span><span class="cx">          0F86A26F1D6F7B3300CB0C92 /* GCTypeMap.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F86A26E1D6F7B3100CB0C92 /* GCTypeMap.h */; };
</span><span class="lines">@@ -2828,7 +2827,6 @@
</span><span class="cx">          0F7DF1451E2BEF680095951B /* BlockDirectoryInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = BlockDirectoryInlines.h; sourceTree = "<group>"; };
</span><span class="cx">          0F7F98891D9596C300F4F12E /* DFGStoreBarrierClusteringPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGStoreBarrierClusteringPhase.cpp; path = dfg/DFGStoreBarrierClusteringPhase.cpp; sourceTree = "<group>"; };
</span><span class="cx">          0F7F988A1D9596C300F4F12E /* DFGStoreBarrierClusteringPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGStoreBarrierClusteringPhase.h; path = dfg/DFGStoreBarrierClusteringPhase.h; sourceTree = "<group>"; };
</span><del>-               0F8023E91613832300A0BA45 /* ByValInfo.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ByValInfo.h; sourceTree = "<group>"; };
</del><span class="cx">           0F8335B41639C1E3001443B5 /* ArrayAllocationProfile.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ArrayAllocationProfile.cpp; sourceTree = "<group>"; };
</span><span class="cx">          0F8335B51639C1E3001443B5 /* ArrayAllocationProfile.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ArrayAllocationProfile.h; sourceTree = "<group>"; };
</span><span class="cx">          0F8364B5164B0C0E0053329A /* DFGBranchDirection.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGBranchDirection.h; path = dfg/DFGBranchDirection.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -5135,7 +5133,6 @@
</span><span class="cx">          E355D38E2244686C008F1AD6 /* GlobalExecutable.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = GlobalExecutable.cpp; sourceTree = "<group>"; };
</span><span class="cx">          E356987122841183008CDCCB /* PackedCellPtr.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = PackedCellPtr.h; sourceTree = "<group>"; };
</span><span class="cx">          E35A0B9C220AD87A00AC4474 /* ExecutableBaseInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ExecutableBaseInlines.h; sourceTree = "<group>"; };
</span><del>-               E35BA2C0241A0E8C00B67086 /* ByValInfo.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = ByValInfo.cpp; sourceTree = "<group>"; };
</del><span class="cx">           E35CA14F1DBC3A5600F83516 /* DOMJITAbstractHeap.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DOMJITAbstractHeap.cpp; sourceTree = "<group>"; };
</span><span class="cx">          E35CA1501DBC3A5600F83516 /* DOMJITAbstractHeap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITAbstractHeap.h; sourceTree = "<group>"; };
</span><span class="cx">          E35CA1511DBC3A5600F83516 /* DOMJITHeapRange.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DOMJITHeapRange.cpp; sourceTree = "<group>"; };
</span><span class="lines">@@ -8554,8 +8551,6 @@
</span><span class="cx">                          E3D2642A1D38C042000BE174 /* BytecodeRewriter.h */,
</span><span class="cx">                          53D35498240D88AD008950DD /* BytecodeUseDef.cpp */,
</span><span class="cx">                          0F885E101849A3BE00F1E3FA /* BytecodeUseDef.h */,
</span><del>-                               E35BA2C0241A0E8C00B67086 /* ByValInfo.cpp */,
-                               0F8023E91613832300A0BA45 /* ByValInfo.h */,
</del><span class="cx">                           0F64B2771A7957B2006E4E66 /* CallEdge.cpp */,
</span><span class="cx">                          0F64B2781A7957B2006E4E66 /* CallEdge.h */,
</span><span class="cx">                          0F0B83AE14BCF71400885B4F /* CallLinkInfo.cpp */,
</span><span class="lines">@@ -9473,7 +9468,6 @@
</span><span class="cx">                          E328DAEB1D38D005001A2529 /* BytecodeRewriter.h in Headers */,
</span><span class="cx">                          6514F21918B3E1670098FF8B /* Bytecodes.h in Headers */,
</span><span class="cx">                          0F885E111849A3BE00F1E3FA /* BytecodeUseDef.h in Headers */,
</span><del>-                               0F8023EA1613832B00A0BA45 /* ByValInfo.h in Headers */,
</del><span class="cx">                           FE8DE54B23AC1DAD005C9142 /* CacheableIdentifier.h in Headers */,
</span><span class="cx">                          FE8DE54D23AC1E86005C9142 /* CacheableIdentifierInlines.h in Headers */,
</span><span class="cx">                          144CA3502224180100817789 /* CachedBytecode.h in Headers */,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreSourcestxt"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/Sources.txt (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/Sources.txt  2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/Sources.txt     2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -197,7 +197,6 @@
</span><span class="cx"> bytecode/ArithProfile.cpp
</span><span class="cx"> bytecode/ArrayAllocationProfile.cpp
</span><span class="cx"> bytecode/ArrayProfile.cpp
</span><del>-bytecode/ByValInfo.cpp
</del><span class="cx"> bytecode/BytecodeBasicBlock.cpp
</span><span class="cx"> bytecode/BytecodeDumper.cpp
</span><span class="cx"> bytecode/BytecodeGeneratorification.cpp
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeByValInfocpp"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/bytecode/ByValInfo.cpp (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/ByValInfo.cpp       2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/bytecode/ByValInfo.cpp  2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -1,45 +0,0 @@
</span><del>-/*
- * Copyright (C) 2020-2021 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "config.h"
-#include "ByValInfo.h"
-
-#include "CacheableIdentifierInlines.h"
-
-namespace JSC {
-
-#if ENABLE(JIT)
-
-template<typename Visitor>
-void ByValInfo::visitAggregateImpl(Visitor& visitor)
-{
-    cachedId.visitAggregate(visitor);
-}
-
-DEFINE_VISIT_AGGREGATE(ByValInfo);
-
-#endif // ENABLE(JIT)
-
-} // namespace JSC
</del></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeByValInfoh"></a>
<div class="delfile"><h4>Deleted: trunk/Source/JavaScriptCore/bytecode/ByValInfo.h (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/ByValInfo.h 2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/bytecode/ByValInfo.h    2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -1,300 +0,0 @@
</span><del>-/*
- * Copyright (C) 2012-2021 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#pragma once
-
-#include "CacheableIdentifier.h"
-#include "ClassInfo.h"
-#include "CodeLocation.h"
-#include "IndexingType.h"
-#include "JITStubRoutine.h"
-#include "Structure.h"
-
-namespace JSC {
-
-class Symbol;
-
-#if ENABLE(JIT)
-
-class ArrayProfile;
-class StructureStubInfo;
-
-enum JITArrayMode : uint8_t {
-    JITInt32,
-    JITDouble,
-    JITContiguous,
-    JITArrayStorage,
-    JITDirectArguments,
-    JITScopedArguments,
-    JITInt8Array,
-    JITInt16Array,
-    JITInt32Array,
-    JITUint8Array,
-    JITUint8ClampedArray,
-    JITUint16Array,
-    JITUint32Array,
-    JITFloat32Array,
-    JITFloat64Array,
-    JITBigInt64Array,
-    JITBigUint64Array,
-};
-
-inline bool isOptimizableIndexingType(IndexingType indexingType)
-{
-    switch (indexingType) {
-    case ALL_INT32_INDEXING_TYPES:
-    case ALL_DOUBLE_INDEXING_TYPES:
-    case ALL_CONTIGUOUS_INDEXING_TYPES:
-    case ARRAY_WITH_ARRAY_STORAGE_INDEXING_TYPES:
-        return true;
-    default:
-        return false;
-    }
-}
-
-inline bool hasOptimizableIndexingForJSType(JSType type)
-{
-    switch (type) {
-    case DirectArgumentsType:
-    case ScopedArgumentsType:
-        return true;
-    default:
-        return false;
-    }
-}
-
-inline bool hasOptimizableIndexingForClassInfo(const ClassInfo* classInfo)
-{
-    return isTypedView(classInfo->typedArrayStorageType);
-}
-
-inline bool hasOptimizableIndexing(Structure* structure)
-{
-    return isOptimizableIndexingType(structure->indexingType())
-        || hasOptimizableIndexingForJSType(structure->typeInfo().type())
-        || hasOptimizableIndexingForClassInfo(structure->classInfo());
-}
-
-inline JITArrayMode jitArrayModeForIndexingType(IndexingType indexingType)
-{
-    switch (indexingType) {
-    case ALL_INT32_INDEXING_TYPES:
-        return JITInt32;
-    case ALL_DOUBLE_INDEXING_TYPES:
-        return JITDouble;
-    case ALL_CONTIGUOUS_INDEXING_TYPES:
-        return JITContiguous;
-    case ARRAY_WITH_ARRAY_STORAGE_INDEXING_TYPES:
-        return JITArrayStorage;
-    default:
-        CRASH();
-        return JITContiguous;
-    }
-}
-
-inline JITArrayMode jitArrayModeForJSType(JSType type)
-{
-    switch (type) {
-    case DirectArgumentsType:
-        return JITDirectArguments;
-    case ScopedArgumentsType:
-        return JITScopedArguments;
-    default:
-        RELEASE_ASSERT_NOT_REACHED();
-        return JITContiguous;
-    }
-}
-
-inline JITArrayMode jitArrayModeForClassInfo(const ClassInfo* classInfo)
-{
-    switch (classInfo->typedArrayStorageType) {
-    case TypeInt8:
-        return JITInt8Array;
-    case TypeInt16:
-        return JITInt16Array;
-    case TypeInt32:
-        return JITInt32Array;
-    case TypeUint8:
-        return JITUint8Array;
-    case TypeUint8Clamped:
-        return JITUint8ClampedArray;
-    case TypeUint16:
-        return JITUint16Array;
-    case TypeUint32:
-        return JITUint32Array;
-    case TypeFloat32:
-        return JITFloat32Array;
-    case TypeFloat64:
-        return JITFloat64Array;
-    case TypeBigInt64:
-        return JITBigInt64Array;
-    case TypeBigUint64:
-        return JITBigUint64Array;
-    default:
-        CRASH();
-        return JITContiguous;
-    }
-}
-
-inline bool jitArrayModePermitsPut(JITArrayMode mode)
-{
-    switch (mode) {
-    case JITDirectArguments:
-    case JITScopedArguments:
-    // FIXME: Optimize BigInt64Array / BigUint64Array in IC
-    // https://bugs.webkit.org/show_bug.cgi?id=221183
-    case JITBigInt64Array:
-    case JITBigUint64Array:
-        // We could support put_by_val on these at some point, but it's just not that profitable
-        // at the moment.
-        return false;
-    default:
-        return true;
-    }
-}
-
-inline bool jitArrayModePermitsPutDirect(JITArrayMode mode)
-{
-    // We don't allow typed array putDirect here since putDirect has
-    // defineOwnProperty({configurable: true, writable:true, enumerable:true})
-    // semantics. Typed array indexed properties are non-configurable by
-    // default, so we can't simply store to a typed array for putDirect.
-    //
-    // We could model putDirect on ScopedArguments and DirectArguments, but we
-    // haven't found any performance incentive to do it yet.
-    switch (mode) {
-    case JITInt32:
-    case JITDouble:
-    case JITContiguous:
-    case JITArrayStorage:
-        return true;
-    default:
-        return false;
-    }
-}
-
-inline TypedArrayType typedArrayTypeForJITArrayMode(JITArrayMode mode)
-{
-    switch (mode) {
-    case JITInt8Array:
-        return TypeInt8;
-    case JITInt16Array:
-        return TypeInt16;
-    case JITInt32Array:
-        return TypeInt32;
-    case JITUint8Array:
-        return TypeUint8;
-    case JITUint8ClampedArray:
-        return TypeUint8Clamped;
-    case JITUint16Array:
-        return TypeUint16;
-    case JITUint32Array:
-        return TypeUint32;
-    case JITFloat32Array:
-        return TypeFloat32;
-    case JITFloat64Array:
-        return TypeFloat64;
-    case JITBigInt64Array:
-        return TypeBigInt64;
-    case JITBigUint64Array:
-        return TypeBigUint64;
-    default:
-        CRASH();
-        return NotTypedArray;
-    }
-}
-
-inline JITArrayMode jitArrayModeForStructure(Structure* structure)
-{
-    if (isOptimizableIndexingType(structure->indexingType()))
-        return jitArrayModeForIndexingType(structure->indexingType());
-    
-    if (hasOptimizableIndexingForJSType(structure->typeInfo().type()))
-        return jitArrayModeForJSType(structure->typeInfo().type());
-    
-    ASSERT(hasOptimizableIndexingForClassInfo(structure->classInfo()));
-    return jitArrayModeForClassInfo(structure->classInfo());
-}
-
-struct ByValInfo {
-    ByValInfo(BytecodeIndex bytecodeIndex)
-        : bytecodeIndex(bytecodeIndex)
-    {
-    }
-
-    void setUp(CodeLocationLabel<ExceptionHandlerPtrTag> exceptionHandler, JITArrayMode arrayMode, ArrayProfile* arrayProfile, CodeLocationLabel<JSInternalPtrTag> doneTarget, CodeLocationLabel<JSInternalPtrTag> badTypeNextHotPathTarget, CodeLocationLabel<JSInternalPtrTag> slowPathTarget)
-    {
-        this->exceptionHandler = exceptionHandler;
-        this->doneTarget = doneTarget;
-        this->badTypeNextHotPathTarget = badTypeNextHotPathTarget;
-        this->slowPathTarget = slowPathTarget;
-        this->arrayProfile = arrayProfile;
-        this->slowPathCount = 0;
-        this->stubInfo = nullptr;
-        this->arrayMode = arrayMode;
-        this->tookSlowPath = false;
-        this->seen = false;
-    }
-
-    DECLARE_VISIT_AGGREGATE;
-
-    static ptrdiff_t offsetOfSlowOperation() { return OBJECT_OFFSETOF(ByValInfo, m_slowOperation); }
-    static ptrdiff_t offsetOfNotIndexJumpTarget() { return OBJECT_OFFSETOF(ByValInfo, m_notIndexJumpTarget); }
-    static ptrdiff_t offsetOfBadTypeJumpTarget() { return OBJECT_OFFSETOF(ByValInfo, m_badTypeJumpTarget); }
-
-    FunctionPtr<OperationPtrTag> m_slowOperation;
-
-    union {
-        CodeLocationLabel<JITStubRoutinePtrTag> m_notIndexJumpTarget;
-        CodeLocationJump<JSInternalPtrTag> m_notIndexJump;
-    };
-    union {
-        CodeLocationLabel<JITStubRoutinePtrTag> m_badTypeJumpTarget;
-        CodeLocationJump<JSInternalPtrTag> m_badTypeJump;
-    };
-
-    CodeLocationLabel<ExceptionHandlerPtrTag> exceptionHandler;
-    CodeLocationLabel<JSInternalPtrTag> doneTarget;
-    CodeLocationLabel<JSInternalPtrTag> badTypeNextHotPathTarget;
-    CodeLocationLabel<JSInternalPtrTag> slowPathTarget;
-    ArrayProfile* arrayProfile;
-    BytecodeIndex bytecodeIndex;
-    unsigned slowPathCount;
-    RefPtr<JITStubRoutine> stubRoutine;
-    CacheableIdentifier cachedId; // Once we set cachedId, we must not change the value. JIT code relies on that configured cachedId is marked and retained by CodeBlock through ByValInfo.
-    StructureStubInfo* stubInfo;
-    JITArrayMode arrayMode; // The array mode that was baked into the inline JIT code.
-    bool tookSlowPath : 1;
-    bool seen : 1;
-};
-
-inline BytecodeIndex getByValInfoBytecodeIndex(ByValInfo* info)
-{
-    return info->bytecodeIndex;
-}
-
-#endif // ENABLE(JIT)
-
-} // namespace JSC
</del></span></pre></div>
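Review bot: Deleting this header also deletes the only rationale visible here for two inline-cache restrictions, and neither should be lost. One is the comment block in jitArrayModePermitsPutDirect explaining that typed array indexed properties are non-configurable, so putDirect cannot be a plain store. The other is the FIXME in jitArrayModePermitsPut that points at https://bugs.webkit.org/show_bug.cgi?id=221183 for BigInt64Array / BigUint64Array. If the code that now handles by-val puts keeps the same restrictions, carry both comments over to it.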
<a id="trunkSourceJavaScriptCorebytecodeCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp       2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp  2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -32,7 +32,6 @@
</span><span class="cx"> 
</span><span class="cx"> #include "ArithProfile.h"
</span><span class="cx"> #include "BasicBlockLocation.h"
</span><del>-#include "ByValInfo.h"
</del><span class="cx"> #include "BytecodeDumper.h"
</span><span class="cx"> #include "BytecodeLivenessAnalysisInlines.h"
</span><span class="cx"> #include "BytecodeOperandsForCheckpoint.h"
</span><span class="lines">@@ -1626,8 +1625,6 @@
</span><span class="cx">                 result.add(stubInfo->codeOrigin, ICStatus()).iterator->value.stubInfo = stubInfo;
</span><span class="cx">             for (CallLinkInfo* callLinkInfo : jitData->m_callLinkInfos)
</span><span class="cx">                 result.add(callLinkInfo->codeOrigin(), ICStatus()).iterator->value.callLinkInfo = callLinkInfo;
</span><del>-            for (ByValInfo* byValInfo : jitData->m_byValInfos)
-                result.add(CodeOrigin(byValInfo->bytecodeIndex), ICStatus()).iterator->value.byValInfo = byValInfo;
</del><span class="cx">         }
</span><span class="cx"> #if ENABLE(DFG_JIT)
</span><span class="cx">         if (JITCode::isOptimizingJIT(jitType())) {
</span><span class="lines">@@ -1699,24 +1696,6 @@
</span><span class="cx">     return nullptr;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-ByValInfo* CodeBlock::findByValInfo(CodeOrigin codeOrigin)
-{
-    ConcurrentJSLocker locker(m_lock);
-    if (auto* jitData = m_jitData.get()) {
-        for (ByValInfo* byValInfo : jitData->m_byValInfos) {
-            if (byValInfo->bytecodeIndex == codeOrigin.bytecodeIndex())
-                return byValInfo;
-        }
-    }
-    return nullptr;
-}
-
-ByValInfo* CodeBlock::addByValInfo(BytecodeIndex bytecodeIndex)
-{
-    ConcurrentJSLocker locker(m_lock);
-    return ensureJITData(locker).m_byValInfos.add(bytecodeIndex);
-}
-
</del><span class="cx"> CallLinkInfo* CodeBlock::addCallLinkInfo(CodeOrigin codeOrigin)
</span><span class="cx"> {
</span><span class="cx">     ConcurrentJSLocker locker(m_lock);
</span><span class="lines">@@ -1828,8 +1807,6 @@
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(JIT)
</span><span class="cx">     if (auto* jitData = m_jitData.get()) {
</span><del>-        for (ByValInfo* byValInfo : jitData->m_byValInfos)
-            byValInfo->visitAggregate(visitor);
</del><span class="cx">         for (StructureStubInfo* stubInfo : jitData->m_stubInfos)
</span><span class="cx">             stubInfo->visitAggregate(visitor);
</span><span class="cx">     }
</span></span></pre></div>
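Review bot: The last hunk (@@ -1828,8 +1807,6 @@) removes the byValInfo visitAggregate(visitor) loop, which was the path that marked ByValInfo::cachedId; the deleted ByValInfo.cpp shows visitAggregateImpl doing exactly that. The deleted ByValInfo.h also states that JIT code relies on the configured cachedId being marked and retained by CodeBlock. Please confirm that the remaining stubInfo visitAggregate(visitor) loop marks the cached identifier for every site that used to own a ByValInfo, and say so in a comment next to that loop. A missed mark here would leave JIT code referring to an identifier the collector is free to reclaim.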
<a id="trunkSourceJavaScriptCorebytecodeCodeBlockh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CodeBlock.h (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CodeBlock.h 2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/bytecode/CodeBlock.h    2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -97,7 +97,6 @@
</span><span class="cx"> class PCToCodeOriginMap;
</span><span class="cx"> class RegisterAtOffsetList;
</span><span class="cx"> class StructureStubInfo;
</span><del>-struct ByValInfo;
</del><span class="cx"> 
</span><span class="cx"> DECLARE_ALLOCATOR_WITH_HEAP_IDENTIFIER(CodeBlockRareData);
</span><span class="cx"> 
</span><span class="lines">@@ -275,7 +274,6 @@
</span><span class="cx">         Bag<JITMulIC> m_mulICs;
</span><span class="cx">         Bag<JITNegIC> m_negICs;
</span><span class="cx">         Bag<JITSubIC> m_subICs;
</span><del>-        Bag<ByValInfo> m_byValInfos;
</del><span class="cx">         Bag<CallLinkInfo> m_callLinkInfos;
</span><span class="cx">         SentinelLinkedList<CallLinkInfo, PackedRawSentinelNode<CallLinkInfo>> m_incomingCalls;
</span><span class="cx">         SentinelLinkedList<PolymorphicCallNode, PackedRawSentinelNode<PolymorphicCallNode>> m_incomingPolymorphicCalls;
</span><span class="lines">@@ -316,11 +314,7 @@
</span><span class="cx"> 
</span><span class="cx">     // O(n) operation. Use getICStatusMap() unless you really only intend to get one stub info.
</span><span class="cx">     StructureStubInfo* findStubInfo(CodeOrigin);
</span><del>-    // O(n) operation. Use getICStatusMap() unless you really only intend to get one by-val-info.
-    ByValInfo* findByValInfo(CodeOrigin);
</del><span class="cx"> 
</span><del>-    ByValInfo* addByValInfo(BytecodeIndex);
-
</del><span class="cx">     CallLinkInfo* addCallLinkInfo(CodeOrigin);
</span><span class="cx"> 
</span><span class="cx">     // This is a slow function call used primarily for compiling OSR exits in the case
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeICStatusMaph"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/ICStatusMap.h (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/ICStatusMap.h       2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/bytecode/ICStatusMap.h  2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -39,12 +39,10 @@
</span><span class="cx"> class PutByStatus;
</span><span class="cx"> class DeleteByStatus;
</span><span class="cx"> class StructureStubInfo;
</span><del>-struct ByValInfo;
</del><span class="cx"> 
</span><span class="cx"> struct ICStatus {
</span><span class="cx">     StructureStubInfo* stubInfo { nullptr };
</span><span class="cx">     CallLinkInfo* callLinkInfo { nullptr };
</span><del>-    ByValInfo* byValInfo { nullptr };
</del><span class="cx">     CallLinkStatus* callStatus { nullptr };
</span><span class="cx">     GetByStatus* getStatus { nullptr };
</span><span class="cx">     InByStatus* inStatus { nullptr };
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp    2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp       2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -6453,12 +6453,11 @@
</span><span class="cx">             Node* value = get(bytecode.m_value);
</span><span class="cx">             bool compiledAsPutPrivateNameById = false;
</span><span class="cx"> 
</span><ins>+            PutByStatus status = PutByStatus::computeFor(m_inlineStackTop->m_profiledBlock, m_inlineStackTop->m_baselineMap, m_icContextStack, currentCodeOrigin());
+
</ins><span class="cx">             if (!m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadIdent)
</span><span class="cx">                 && !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadType)
</span><span class="cx">                 && !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadConstantValue)) {
</span><del>-
-                PutByStatus status = PutByStatus::computeFor(m_inlineStackTop->m_profiledBlock, m_inlineStackTop->m_baselineMap, m_icContextStack, currentCodeOrigin());
-
</del><span class="cx">                 if (CacheableIdentifier identifier = status.singleIdentifier()) {
</span><span class="cx">                     UniquedStringImpl* uid = identifier.uid();
</span><span class="cx">                     unsigned identifierNumber = m_graph.identifiers().ensure(uid);
</span><span class="lines">@@ -6473,11 +6472,37 @@
</span><span class="cx"> 
</span><span class="cx">                     handlePutPrivateNameById(base, identifier, identifierNumber, value, status, bytecode.m_putKind);
</span><span class="cx">                     compiledAsPutPrivateNameById = true;
</span><ins>+                } else if (status.takesSlowPath()) {
+                    // Even though status is taking a slow path, it is possible that this node still has constant identifier and using PutById is always better in that case.
+                    UniquedStringImpl* uid = nullptr;
+                    JSCell* propertyCell = nullptr;
+                    if (auto* symbol = property->dynamicCastConstant<Symbol*>(*m_vm)) {
+                        uid = &symbol->uid();
+                        propertyCell = symbol;
+                        FrozenValue* frozen = m_graph.freezeStrong(symbol);
+                        addToGraph(CheckIsConstant, OpInfo(frozen), property);
+                    } else if (auto* string = property->dynamicCastConstant<JSString*>(*m_vm)) {
+                        if (auto* impl = string->tryGetValueImpl(); impl->isAtom() && !parseIndex(*const_cast<StringImpl*>(impl))) {
+                            uid = bitwise_cast<UniquedStringImpl*>(impl);
+                            propertyCell = string;
+                            m_graph.freezeStrong(string);
+                            addToGraph(CheckIdent, OpInfo(uid), property);
+                        }
+                    }
+
+                    if (uid) {
+                        unsigned identifierNumber = m_graph.identifiers().ensure(uid);
+                        handlePutPrivateNameById(base, CacheableIdentifier::createFromCell(propertyCell), identifierNumber, value, status, bytecode.m_putKind);
+                        compiledAsPutPrivateNameById = true;
+                    }
</ins><span class="cx">                 }
</span><span class="cx">             }
</span><span class="cx"> 
</span><del>-            if (!compiledAsPutPrivateNameById)
-                addToGraph(PutPrivateName, OpInfo(), OpInfo(bytecode.m_putKind), base, property, value);
</del><ins>+            if (!compiledAsPutPrivateNameById) {
+                Node* putPrivateName = addToGraph(PutPrivateName, OpInfo(), OpInfo(bytecode.m_putKind), base, property, value);
+                if (status.observedStructureStubInfoSlowPath())
+                    m_graph.m_slowPutByVal.add(putPrivateName);
+            }
</ins><span class="cx"> 
</span><span class="cx">             NEXT_OPCODE(op_put_private_name);
</span><span class="cx">         }
</span></span></pre></div>
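Review bot: In the new else-if (status.takesSlowPath()) branch, the JSString case calls isAtom() on the result of string tryGetValueImpl() in the same if-statement that declares impl, with no null test. If tryGetValueImpl() can return null, as its name suggests, this dereferences a null pointer during bytecode parsing; test impl for null before the isAtom() call. Separately, the other hunks in this change speculate Symbol on the property operand of PutPrivateName (fixEdge with SymbolUse in DFGFixupPhase.cpp, speculateSymbol in DFGSpeculativeJIT.cpp). A comment should say whether a constant JSString property can reach op_put_private_name at all; if it cannot, drop the string branch rather than keep an untested path.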
<a id="trunkSourceJavaScriptCoredfgDFGFixupPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp        2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp   2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -1952,8 +1952,16 @@
</span><span class="cx">             break;
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        case CheckPrivateBrand:
</del><ins>+        case CheckPrivateBrand: {
+            fixEdge<SymbolUse>(node->child2());
+            break;
+        }
+
</ins><span class="cx">         case PutPrivateName: {
</span><ins>+            if (!m_graph.m_slowPutByVal.contains(node)) {
+                if (node->child1()->shouldSpeculateCell())
+                    fixEdge<CellUse>(node->child1());
+            }
</ins><span class="cx">             fixEdge<SymbolUse>(node->child2());
</span><span class="cx">             break;
</span><span class="cx">         }
</span></span></pre></div>
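Review bot: In the PutPrivateName case, child1 is narrowed to CellUse only when the node is not in m_graph.m_slowPutByVal and shouldSpeculateCell() holds, while compilePutPrivateName in DFGSpeculativeJIT.cpp asserts UntypedUse on its generic path. The two files therefore depend on each other through this condition, and nothing here says so. Add a one-line comment naming that dependency, and fold the two nested ifs into a single condition so the rule reads in one place. Giving CheckPrivateBrand its own body instead of the fall-through is fine as written.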
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp    2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp       2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -3746,9 +3746,6 @@
</span><span class="cx"> 
</span><span class="cx"> void SpeculativeJIT::compileGetPrivateName(Node* node)
</span><span class="cx"> {
</span><del>-    if (node->hasCacheableIdentifier())
-        return compileGetPrivateNameById(node);
-
</del><span class="cx">     switch (m_graph.child(node, 0).useKind()) {
</span><span class="cx">     case CellUse: {
</span><span class="cx">         SpeculateCellOperand base(this, m_graph.child(node, 0));
</span><span class="lines">@@ -3941,22 +3938,78 @@
</span><span class="cx"> 
</span><span class="cx"> void SpeculativeJIT::compilePutPrivateName(Node* node)
</span><span class="cx"> {
</span><del>-    ASSERT(node->child1().useKind() == UntypedUse);
-    JSValueOperand base(this, node->child1());
-    SpeculateCellOperand propertyValue(this, node->child2());
-    JSValueOperand value(this, node->child3());
</del><ins>+    Edge& child1 = node->child1();
+    Edge& child2 = node->child2();
+    Edge& child3 = node->child3();
+    if (m_graph.m_slowPutByVal.contains(node) || (child1.useKind() != CellUse && child1.useKind() != KnownCellUse)) {
+        ASSERT(child1.useKind() == UntypedUse);
+        JSValueOperand base(this, child1);
+        SpeculateCellOperand propertyValue(this, child2);
+        JSValueOperand value(this, child3);
</ins><span class="cx"> 
</span><del>-    JSValueRegs valueRegs = value.jsValueRegs();
-    JSValueRegs baseRegs = base.jsValueRegs();
</del><ins>+        JSValueRegs valueRegs = value.jsValueRegs();
+        JSValueRegs baseRegs = base.jsValueRegs();
</ins><span class="cx"> 
</span><ins>+        GPRReg propertyGPR = propertyValue.gpr();
+
+        speculateSymbol(child2, propertyGPR);
+
+        flushRegisters();
+        auto operation = node->privateFieldPutKind().isDefine() ? operationPutByValDefinePrivateFieldGeneric : operationPutByValSetPrivateFieldGeneric;
+        callOperation(operation, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseRegs, CCallHelpers::CellValue(propertyGPR), valueRegs, TrustedImmPtr(nullptr), TrustedImmPtr(nullptr));
+        m_jit.exceptionCheck();
+
+        noResult(node);
+        return;
+    }
+
+    SpeculateCellOperand base(this, child1);
+    SpeculateCellOperand propertyValue(this, child2);
+    JSValueOperand value(this, child3);
+
+    GPRReg baseGPR = base.gpr();
</ins><span class="cx">     GPRReg propertyGPR = propertyValue.gpr();
</span><ins>+    JSValueRegs valueRegs = value.jsValueRegs();
</ins><span class="cx"> 
</span><del>-    speculateSymbol(node->child2(), propertyGPR);
</del><ins>+    GPRTemporary stubInfo;
+    GPRReg stubInfoGPR = InvalidGPRReg;
+    if (JITCode::useDataIC(JITType::DFGJIT)) {
+        stubInfo = GPRTemporary(this);
+        stubInfoGPR = stubInfo.gpr();
+    }
</ins><span class="cx"> 
</span><del>-    flushRegisters();
-    callOperation(operationPutPrivateNameGeneric, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseRegs, CCallHelpers::CellValue(propertyGPR), valueRegs, TrustedImmPtr(nullptr), TrustedImm32(node->privateFieldPutKind().value()));
-    m_jit.exceptionCheck();
</del><ins>+    speculateSymbol(child2, propertyGPR);
</ins><span class="cx"> 
</span><ins>+    CodeOrigin codeOrigin = node->origin.semantic;
+    CallSiteIndex callSite = m_jit.recordCallSiteAndGenerateExceptionHandlingOSRExitIfNeeded(codeOrigin, m_stream->size());
+    RegisterSet usedRegisters = this->usedRegisters();
+
+    JITPutByValGenerator gen(
+        m_jit.codeBlock(), JITType::DFGJIT, codeOrigin, callSite, AccessType::PutByVal, usedRegisters,
+        JSValueRegs::payloadOnly(baseGPR), JSValueRegs::payloadOnly(propertyGPR), valueRegs, InvalidGPRReg, stubInfoGPR);
+    gen.stubInfo()->propertyIsSymbol = true;
+
+    gen.generateFastPath(m_jit);
+
+    JITCompiler::JumpList slowCases;
+    if (!JITCode::useDataIC(JITType::DFGJIT))
+        slowCases.append(gen.slowPathJump());
+
+    std::unique_ptr<SlowPathGenerator> slowPath;
+    auto operation = node->privateFieldPutKind().isDefine() ? operationPutByValDefinePrivateFieldOptimize : operationPutByValSetPrivateFieldOptimize;
+    if (JITCode::useDataIC(JITType::DFGJIT)) {
+        slowPath = slowPathICCall(
+            slowCases, this, gen.stubInfo(), stubInfoGPR, CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfSlowOperation()), operation,
+            NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(codeOrigin)), CCallHelpers::CellValue(baseGPR), CCallHelpers::CellValue(propertyGPR), valueRegs, stubInfoGPR, nullptr);
+    } else {
+        slowPath = slowPathCall(
+            slowCases, this, operation,
+            NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(codeOrigin)), CCallHelpers::CellValue(baseGPR), CCallHelpers::CellValue(propertyGPR), valueRegs, gen.stubInfo(), nullptr);
+    }
+
+    m_jit.addPutByVal(gen, slowPath.get());
+    addSlowPathGenerator(WTFMove(slowPath));
+
</ins><span class="cx">     noResult(node);
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
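Review bot: In the inline-cache path of compilePutPrivateName, `gen.stubInfo()->propertyIsSymbol = true` is set unconditionally and the generator receives `JSValueRegs::payloadOnly(baseGPR)` and `JSValueRegs::payloadOnly(propertyGPR)`, so the stub's type assumptions rest entirely on `SpeculateCellOperand base` and the earlier `speculateSymbol(child2, propertyGPR)`. Please add a short comment at the generator construction stating that dependency, so a later reordering of the speculation does not leave the inline cache trusting an unchecked property. Separately, the slow-path calls end in a bare `nullptr`; the operations declare a trailing `ArrayProfile*`, and naming that at the call sites would help readers.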
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp       2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp  2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -2592,12 +2592,16 @@
</span><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    case GetPrivateName:
-    case GetPrivateNameById: {
</del><ins>+    case GetPrivateName: {
</ins><span class="cx">         compileGetPrivateName(node);
</span><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    case GetPrivateNameById: {
+        compileGetPrivateNameById(node);
+        break;
+    }
+
</ins><span class="cx">     case GetByVal: {
</span><span class="cx">         JSValueRegsTemporary jsValueResult;
</span><span class="cx">         GPRTemporary oneRegResult;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp  2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp     2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -3108,12 +3108,16 @@
</span><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    case GetPrivateName:
-    case GetPrivateNameById: {
</del><ins>+    case GetPrivateName: {
</ins><span class="cx">         compileGetPrivateName(node);
</span><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    case GetPrivateNameById: {
+        compileGetPrivateNameById(node);
+        break;
+    }
+
</ins><span class="cx">     case GetByVal: {
</span><span class="cx">         JSValueRegsTemporary result;
</span><span class="cx">         compileGetByVal(node, scopedLambda<std::tuple<JSValueRegs, DataFormat>(DataFormat preferredFormat)>([&] (DataFormat preferredFormat) {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGStoreBarrierInsertionPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp        2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp   2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -275,6 +275,12 @@
</span><span class="cx">                 break;
</span><span class="cx">             }
</span><span class="cx">                 
</span><ins>+            case PutPrivateName: {
+                if (!m_graph.m_slowPutByVal.contains(m_node) && (m_node->child1().useKind() == CellUse || m_node->child1().useKind() == KnownCellUse))
+                    considerBarrier(m_node->child1(), m_node->child3());
+                break;
+            }
+
</ins><span class="cx">             case PutPrivateNameById: {
</span><span class="cx">                 // We emit IC code when we have a non-null cacheableIdentifier and we need to introduce a
</span><span class="cx">                 // barrier for it. On PutPrivateName, we perform store barrier during slow path execution.
</span></span></pre></div>
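Review bot: The new `case PutPrivateName` leaves the context comment under `case PutPrivateNameById` stale: it still says that on PutPrivateName the store barrier is performed during slow path execution, while this hunk now calls `considerBarrier(m_node->child1(), m_node->child3())` for PutPrivateName whenever the node is not in `m_slowPutByVal` and child1 is CellUse or KnownCellUse. Please update that comment to say the slow-path barrier covers only the generic case. The same predicate is written out again, negated, in compilePutPrivateName in FTLLowerDFGToB3.cpp; a shared helper would keep the barrier decision and the lowering decision from drifting apart.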
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp      2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -4262,15 +4262,100 @@
</span><span class="cx"> 
</span><span class="cx">     void compilePutPrivateName()
</span><span class="cx">     {
</span><del>-        DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
</del><span class="cx">         JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
</span><ins>+        Edge& child1 = m_node->child1();
+        Edge& child2 = m_node->child2();
+        Edge& child3 = m_node->child3();
+        if (m_graph.m_slowPutByVal.contains(m_node) || (child1.useKind() != CellUse && child1.useKind() != KnownCellUse)) {
+            DFG_ASSERT(m_graph, m_node, child1.useKind() == UntypedUse, child1.useKind());
</ins><span class="cx"> 
</span><del>-        LValue base = lowJSValue(m_node->child1());
-        LValue property = lowSymbol(m_node->child2());
-        LValue value = lowJSValue(m_node->child3());
</del><ins>+            LValue base = lowJSValue(child1);
+            LValue property = lowSymbol(child2);
+            LValue value = lowJSValue(child3);
</ins><span class="cx"> 
</span><del>-        vmCall(Void, operationPutPrivateNameGeneric,
-            weakPointer(globalObject), base, property, value, m_out.constIntPtr(0), m_out.constInt32(m_node->privateFieldPutKind().value()));
</del><ins>+            auto operation = m_node->privateFieldPutKind().isDefine() ? operationPutByValDefinePrivateFieldGeneric : operationPutByValSetPrivateFieldGeneric;
+            vmCall(Void, operation, weakPointer(globalObject), base, property, value, m_out.constIntPtr(0), m_out.constIntPtr(0));
+            return;
+        }
+
+        Node* node = m_node;
+
+        LValue base = lowCell(child1);
+        LValue property = lowSymbol(child2);
+        LValue value = lowJSValue(child3);
+
+        PatchpointValue* patchpoint = m_out.patchpoint(Void);
+        patchpoint->appendSomeRegister(base);
+        patchpoint->appendSomeRegister(property);
+        patchpoint->appendSomeRegister(value);
+        patchpoint->append(m_notCellMask, ValueRep::lateReg(GPRInfo::notCellMaskRegister));
+        patchpoint->append(m_numberTag, ValueRep::lateReg(GPRInfo::numberTagRegister));
+        patchpoint->clobber(RegisterSet::macroScratchRegisters());
+        patchpoint->numGPScratchRegisters = JITCode::useDataIC(JITType::FTLJIT) ? 1 : 0;
+
+        RefPtr<PatchpointExceptionHandle> exceptionHandle = preparePatchpointForExceptions(patchpoint);
+
+        State* state = &m_ftlState;
+        CodeOrigin nodeSemanticOrigin = node->origin.semantic;
+        auto operation = node->privateFieldPutKind().isDefine() ? operationPutByValDefinePrivateFieldOptimize : operationPutByValSetPrivateFieldOptimize;
+        patchpoint->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
+            AllowMacroScratchRegisterUsage allowScratch(jit);
+
+            CallSiteIndex callSiteIndex = state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(nodeSemanticOrigin);
+
+            // This is the direct exit target for operation calls.
+            Box<CCallHelpers::JumpList> exceptions = exceptionHandle->scheduleExitCreation(params)->jumps(jit);
+
+            // This is the exit for call IC's created by the IC for getters. We don't have
+            // to do anything weird other than call this, since it will associate the exit with
+            // the callsite index.
+            exceptionHandle->scheduleExitCreationForUnwind(params, callSiteIndex);
+
+            GPRReg baseGPR = params[0].gpr();
+            GPRReg propertyGPR = params[1].gpr();
+            GPRReg valueGPR = params[2].gpr();
+            GPRReg stubInfoGPR = JITCode::useDataIC(JITType::FTLJIT) ? params.gpScratch(0) : InvalidGPRReg;
+
+            auto generator = Box<JITPutByValGenerator>::create(
+                jit.codeBlock(), JITType::FTLJIT, nodeSemanticOrigin, callSiteIndex, AccessType::PutByVal,
+                params.unavailableRegisters(), JSValueRegs(baseGPR), JSValueRegs(propertyGPR), JSValueRegs(valueGPR), InvalidGPRReg, stubInfoGPR);
+
+            generator->stubInfo()->propertyIsSymbol = true;
+
+            generator->generateFastPath(jit);
+            CCallHelpers::Label done = jit.label();
+
+            params.addLatePath([=] (CCallHelpers& jit) {
+                AllowMacroScratchRegisterUsage allowScratch(jit);
+
+                if (!JITCode::useDataIC(JITType::FTLJIT))
+                    generator->slowPathJump().link(&jit);
+                CCallHelpers::Label slowPathBegin = jit.label();
+                CCallHelpers::Call slowPathCall;
+                if (JITCode::useDataIC(JITType::FTLJIT)) {
+                    jit.move(CCallHelpers::TrustedImmPtr(generator->stubInfo()), stubInfoGPR);
+                    generator->stubInfo()->m_slowOperation = operation;
+                    slowPathCall = callOperation(
+                        *state, params.unavailableRegisters(), jit, nodeSemanticOrigin,
+                        exceptions.get(), CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfSlowOperation()), InvalidGPRReg,
+                        jit.codeBlock()->globalObjectFor(nodeSemanticOrigin),
+                        baseGPR, propertyGPR, valueGPR, stubInfoGPR, CCallHelpers::TrustedImmPtr(nullptr)).call();
+                } else {
+                    slowPathCall = callOperation(
+                        *state, params.unavailableRegisters(), jit, nodeSemanticOrigin,
+                        exceptions.get(), operation, InvalidGPRReg,
+                        jit.codeBlock()->globalObjectFor(nodeSemanticOrigin),
+                        baseGPR, propertyGPR, valueGPR, CCallHelpers::TrustedImmPtr(generator->stubInfo()), CCallHelpers::TrustedImmPtr(nullptr)).call();
+                }
+                jit.jump().linkTo(done, &jit);
+
+                generator->reportSlowPathCall(slowPathBegin, slowPathCall);
+
+                jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
+                    generator->finalize(linkBuffer, linkBuffer);
+                });
+            });
+        });
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     void compileAtomicsReadModifyWrite()
</span></span></pre></div>
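Review bot: The generic branch at the top of compilePutPrivateName is entered whenever `m_graph.m_slowPutByVal.contains(m_node)` is true, regardless of child1's use kind, yet its first statement is `DFG_ASSERT(m_graph, m_node, child1.useKind() == UntypedUse, child1.useKind())`, so a node with CellUse or KnownCellUse that is also in `m_slowPutByVal` would trip the assertion. If that combination cannot occur, state the invariant in a comment; otherwise lower the base according to its use kind before the vmCall. Also, the comment inside the patchpoint generator still reads "the exit for call IC's created by the IC for getters", which looks copied from a get path and should be reworded for a put.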
<a id="trunkSourceJavaScriptCorejitJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JIT.cpp (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JIT.cpp  2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/jit/JIT.cpp     2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -517,7 +517,6 @@
</span><span class="cx">     m_delByValIndex = 0;
</span><span class="cx">     m_instanceOfIndex = 0;
</span><span class="cx">     m_privateBrandAccessIndex = 0;
</span><del>-    m_byValInstructionIndex = 0;
</del><span class="cx">     m_callLinkInfoIndex = 0;
</span><span class="cx"> 
</span><span class="cx">     unsigned bytecodeCountHavingSlowCase = 0;
</span><span class="lines">@@ -919,45 +918,6 @@
</span><span class="cx">     finalizeInlineCaches(m_instanceOfs, patchBuffer);
</span><span class="cx">     finalizeInlineCaches(m_privateBrandAccesses, patchBuffer);
</span><span class="cx"> 
</span><del>-    if (m_byValCompilationInfo.size()) {
-#if ENABLE(EXTRA_CTI_THUNKS)
-        CodeLocationLabel exceptionHandler(vm().getCTIStub(handleExceptionGenerator).retaggedCode<ExceptionHandlerPtrTag>());
-#else
-        CodeLocationLabel<ExceptionHandlerPtrTag> exceptionHandler = patchBuffer.locationOf<ExceptionHandlerPtrTag>(m_exceptionHandler);
-#endif
-
-        for (const auto& byValCompilationInfo : m_byValCompilationInfo) {
-            PatchableJump patchableNotIndexJump = byValCompilationInfo.notIndexJump;
-            CodeLocationJump<JSInternalPtrTag> notIndexJump;
-            if (Jump(patchableNotIndexJump).isSet())
-                notIndexJump = CodeLocationJump<JSInternalPtrTag>(patchBuffer.locationOf<JSInternalPtrTag>(patchableNotIndexJump));
-
-            PatchableJump patchableBadTypeJump = byValCompilationInfo.badTypeJump;
-            CodeLocationJump<JSInternalPtrTag> badTypeJump;
-            if (Jump(patchableBadTypeJump).isSet())
-                badTypeJump = CodeLocationJump<JSInternalPtrTag>(patchBuffer.locationOf<JSInternalPtrTag>(byValCompilationInfo.badTypeJump));
-
-            auto doneTarget = CodeLocationLabel<JSInternalPtrTag>(patchBuffer.locationOf<JSInternalPtrTag>(byValCompilationInfo.doneTarget));
-            auto nextHotPathTarget = CodeLocationLabel<JSInternalPtrTag>(patchBuffer.locationOf<JSInternalPtrTag>(byValCompilationInfo.nextHotPathTarget));
-            auto slowPathTarget = CodeLocationLabel<JSInternalPtrTag>(patchBuffer.locationOf<JSInternalPtrTag>(byValCompilationInfo.slowPathTarget));
-
-            byValCompilationInfo.byValInfo->setUp(
-                exceptionHandler,
-                byValCompilationInfo.arrayMode,
-                byValCompilationInfo.arrayProfile,
-                doneTarget,
-                nextHotPathTarget,
-                slowPathTarget);
-            if (JITCode::useDataIC(JITType::BaselineJIT)) {
-                byValCompilationInfo.byValInfo->m_notIndexJumpTarget = slowPathTarget.retagged<JITStubRoutinePtrTag>();
-                byValCompilationInfo.byValInfo->m_badTypeJumpTarget = slowPathTarget.retagged<JITStubRoutinePtrTag>();
-            } else {
-                byValCompilationInfo.byValInfo->m_notIndexJump = notIndexJump;
-                byValCompilationInfo.byValInfo->m_badTypeJump = badTypeJump;
-            }
-        }
-    }
-
</del><span class="cx">     for (auto& compilationInfo : m_callCompilationInfo) {
</span><span class="cx">         CallLinkInfo& info = *compilationInfo.callLinkInfo;
</span><span class="cx">         info.setCodeLocations(
</span><span class="lines">@@ -1060,7 +1020,7 @@
</span><span class="cx">         jumpToExceptionHandler(vm());
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    if (!m_exceptionChecks.empty() || m_byValCompilationInfo.size()) {
</del><ins>+    if (!m_exceptionChecks.empty()) {
</ins><span class="cx">         m_exceptionHandler = label();
</span><span class="cx">         m_exceptionChecks.link(this);
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JIT.h (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JIT.h    2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/jit/JIT.h       2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -37,7 +37,6 @@
</span><span class="cx"> 
</span><span class="cx"> #define ASSERT_JIT_OFFSET(actual, expected) ASSERT_WITH_MESSAGE(actual == expected, "JIT Offset \"%s\" should be %d, not %d.\n", #expected, static_cast<int>(expected), static_cast<int>(actual));
</span><span class="cx"> 
</span><del>-#include "ByValInfo.h"
</del><span class="cx"> #include "CodeBlock.h"
</span><span class="cx"> #include "CommonSlowPaths.h"
</span><span class="cx"> #include "JITDisassembler.h"
</span><span class="lines">@@ -149,42 +148,6 @@
</span><span class="cx">         }
</span><span class="cx">     };
</span><span class="cx"> 
</span><del>-    struct ByValCompilationInfo {
-        ByValCompilationInfo() { }
-        
-        ByValCompilationInfo(ByValInfo* byValInfo, BytecodeIndex bytecodeIndex, MacroAssembler::PatchableJump notIndexJump, MacroAssembler::PatchableJump badTypeJump, JITArrayMode arrayMode, ArrayProfile* arrayProfile, MacroAssembler::Label doneTarget, MacroAssembler::Label nextHotPathTarget)
-            : byValInfo(byValInfo)
-            , bytecodeIndex(bytecodeIndex)
-            , notIndexJump(notIndexJump)
-            , badTypeJump(badTypeJump)
-            , arrayMode(arrayMode)
-            , arrayProfile(arrayProfile)
-            , doneTarget(doneTarget)
-            , nextHotPathTarget(nextHotPathTarget)
-        {
-        }
-
-        ByValCompilationInfo(ByValInfo* byValInfo, BytecodeIndex bytecodeIndex, MacroAssembler::PatchableJump notIndexJump, MacroAssembler::Label doneTarget, MacroAssembler::Label nextHotPathTarget)
-            : byValInfo(byValInfo)
-            , bytecodeIndex(bytecodeIndex)
-            , notIndexJump(notIndexJump)
-            , doneTarget(doneTarget)
-            , nextHotPathTarget(nextHotPathTarget)
-        {
-        }
-
-        ByValInfo* byValInfo;
-        BytecodeIndex bytecodeIndex;
-        MacroAssembler::PatchableJump notIndexJump;
-        MacroAssembler::PatchableJump badTypeJump;
-        JITArrayMode arrayMode;
-        ArrayProfile* arrayProfile;
-        MacroAssembler::Label doneTarget;
-        MacroAssembler::Label nextHotPathTarget;
-        MacroAssembler::Label slowPathTarget;
-        MacroAssembler::Call returnAddress;
-    };
-
</del><span class="cx">     struct CallCompilationInfo {
</span><span class="cx">         MacroAssembler::Label slowPathStart;
</span><span class="cx">         MacroAssembler::Label doneLocation;
</span><span class="lines">@@ -224,13 +187,6 @@
</span><span class="cx">         {
</span><span class="cx">             return JIT(vm, codeBlock, bytecodeOffset).privateCompile(effort);
</span><span class="cx">         }
</span><del>-        
-        static void compilePutPrivateNameWithCachedId(VM& vm, CodeBlock* codeBlock, ByValInfo* byValInfo, ReturnAddressPtr returnAddress, CacheableIdentifier propertyName)
-        {
-            JIT jit(vm, codeBlock);
-            jit.m_bytecodeIndex = byValInfo->bytecodeIndex;
-            jit.privateCompilePutPrivateNameWithCachedId(byValInfo, returnAddress, propertyName);
-        }
</del><span class="cx"> 
</span><span class="cx">         static unsigned frameRegisterCountFor(CodeBlock*);
</span><span class="cx">         static int stackPointerOffsetFor(CodeBlock*);
</span><span class="lines">@@ -244,8 +200,6 @@
</span><span class="cx">         void privateCompileSlowCases();
</span><span class="cx">         void link();
</span><span class="cx">         CompilationResult privateCompile(JITCompilationEffort);
</span><del>-        
-        void privateCompilePutPrivateNameWithCachedId(ByValInfo*, ReturnAddressPtr, CacheableIdentifier);
</del><span class="cx"> 
</span><span class="cx">         // Add a call out from JIT code, without an exception check.
</span><span class="cx">         Call appendCall(const FunctionPtr<CFunctionPtrTag> function)
</span><span class="lines">@@ -353,8 +307,6 @@
</span><span class="cx"> 
</span><span class="cx">         void emitArrayProfilingSiteWithCell(RegisterID cellGPR, ArrayProfile*, RegisterID scratchGPR);
</span><span class="cx">         void emitArrayProfilingSiteWithCell(RegisterID cellGPR, RegisterID arrayProfileGPR, RegisterID scratchGPR);
</span><del>-        void emitArrayProfileStoreToHoleSpecialCase(ArrayProfile*);
-        void emitArrayProfileOutOfBoundsSpecialCase(ArrayProfile*);
</del><span class="cx"> 
</span><span class="cx">         template<typename Op>
</span><span class="cx">         ECMAMode ecmaMode(Op);
</span><span class="lines">@@ -363,14 +315,6 @@
</span><span class="cx">         template<typename Op>
</span><span class="cx">         PrivateFieldPutKind privateFieldPutKind(Op);
</span><span class="cx"> 
</span><del>-        // Identifier check helper for GetByVal and PutByVal.
-        void emitByValIdentifierCheck(RegisterID cell, RegisterID scratch, CacheableIdentifier, JumpList& slowCases);
-
-        JITPutByIdGenerator emitPutPrivateNameWithCachedId(OpPutPrivateName, CacheableIdentifier, JumpList& doneCases, JumpList& slowCases);
-
-        template<typename Op>
-        JITPutByIdGenerator emitPutByValWithCachedId(Op, PutKind, CacheableIdentifier, JumpList& doneCases, JumpList& slowCases);
-
</del><span class="cx">         enum FinalObjectMode { MayBeFinal, KnownNotFinal };
</span><span class="cx"> 
</span><span class="cx">         void emitGetVirtualRegister(VirtualRegister src, JSValueRegs dst);
</span><span class="lines">@@ -1012,7 +956,6 @@
</span><span class="cx">         Vector<JITDelByValGenerator> m_delByVals;
</span><span class="cx">         Vector<JITInstanceOfGenerator> m_instanceOfs;
</span><span class="cx">         Vector<JITPrivateBrandAccessGenerator> m_privateBrandAccesses;
</span><del>-        Vector<ByValCompilationInfo> m_byValCompilationInfo;
</del><span class="cx">         Vector<CallCompilationInfo> m_callCompilationInfo;
</span><span class="cx">         Vector<JumpTable> m_jmpTable;
</span><span class="cx"> 
</span><span class="lines">@@ -1040,7 +983,6 @@
</span><span class="cx">         unsigned m_delByIdIndex { UINT_MAX };
</span><span class="cx">         unsigned m_instanceOfIndex { UINT_MAX };
</span><span class="cx">         unsigned m_privateBrandAccessIndex { UINT_MAX };
</span><del>-        unsigned m_byValInstructionIndex { UINT_MAX };
</del><span class="cx">         unsigned m_callLinkInfoIndex { UINT_MAX };
</span><span class="cx">         unsigned m_bytecodeCountHavingSlowCase { 0 };
</span><span class="cx">         
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITInlines.h (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITInlines.h     2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/jit/JITInlines.h        2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -360,16 +360,6 @@
</span><span class="cx">     }
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline void JIT::emitArrayProfileStoreToHoleSpecialCase(ArrayProfile* arrayProfile)
-{
-    store8(TrustedImm32(1), arrayProfile->addressOfMayStoreToHole());
-}
-
-inline void JIT::emitArrayProfileOutOfBoundsSpecialCase(ArrayProfile* arrayProfile)
-{
-    store8(TrustedImm32(1), arrayProfile->addressOfOutOfBounds());
-}
-
</del><span class="cx"> ALWAYS_INLINE int32_t JIT::getOperandConstantInt(VirtualRegister src)
</span><span class="cx"> {
</span><span class="cx">     return getConstantOperand(src).asInt32();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOperations.cpp (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOperations.cpp        2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/jit/JITOperations.cpp   2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -1315,19 +1315,12 @@
</span><span class="cx">     RETURN_IF_EXCEPTION(scope, void());
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-JSC_DEFINE_JIT_OPERATION(operationPutPrivateNameOptimize, void, (JSGlobalObject* globalObject, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, ByValInfo* byValInfo, PrivateFieldPutKind putKind))
</del><ins>+template<bool define>
+static ALWAYS_INLINE void putPrivateNameOptimize(JSGlobalObject* globalObject, CodeBlock* codeBlock, JSValue baseValue, JSValue subscript, JSValue value, StructureStubInfo* stubInfo)
</ins><span class="cx"> {
</span><span class="cx">     VM& vm = globalObject->vm();
</span><del>-    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
-    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
</del><span class="cx">     auto scope = DECLARE_THROW_SCOPE(vm);
</span><span class="cx"> 
</span><del>-    CodeBlock* codeBlock = callFrame->codeBlock();
-
-    JSValue baseValue = JSValue::decode(encodedBaseValue);
-    JSValue subscript = JSValue::decode(encodedSubscript);
-    JSValue value = JSValue::decode(encodedValue);
-
</del><span class="cx">     auto baseObject = baseValue.toObject(globalObject);
</span><span class="cx">     RETURN_IF_EXCEPTION(scope, void());
</span><span class="cx"> 
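Review bot: `putPrivateNameOptimize` no longer declares the call frame or the `JITOperationPrologueCallFrameTracer` itself and takes `codeBlock` as a parameter, so it is only correct when called from a JIT operation wrapper that has already set those up. A one-line comment above the template stating that precondition would help. The bare `bool define` template parameter also makes call sites hard to read; a named enum would be clearer.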
</span><span class="lines">@@ -1334,93 +1327,108 @@
</span><span class="cx">     auto propertyName = subscript.toPropertyKey(globalObject);
</span><span class="cx">     EXCEPTION_ASSERT(!scope.exception());
</span><span class="cx"> 
</span><del>-    OptimizationResult optimizationResult = OptimizationResult::NotOptimized;
</del><ins>+    // Private fields can only be accessed within class lexical scope
+    // and class methods are always in strict mode
+    AccessType accessType = static_cast<AccessType>(stubInfo->accessType);
+    Structure* structure = CommonSlowPaths::originalStructureBeforePut(vm, baseValue);
+    constexpr bool isStrictMode = true;
+    PutPropertySlot slot(baseObject, isStrictMode);
+    if constexpr (define)
+        baseObject->definePrivateField(globalObject, propertyName, value, slot);
+    else
+        baseObject->setPrivateField(globalObject, propertyName, value, slot);
+    RETURN_IF_EXCEPTION(scope, void());
</ins><span class="cx"> 
</span><ins>+    if (accessType != static_cast<AccessType>(stubInfo->accessType))
+        return;
+
</ins><span class="cx">     if (baseValue.isObject() && CacheableIdentifier::isCacheableIdentifierCell(subscript)) {
</span><del>-        ASSERT(subscript.isSymbol());
-        ASSERT(callFrame->bytecodeIndex() != BytecodeIndex(0));
-        ASSERT(!byValInfo->stubRoutine);
-        if (byValInfo->seen) {
-            if (byValInfo->cachedId.uid() == propertyName) {
-                JIT::compilePutPrivateNameWithCachedId(vm, codeBlock, byValInfo, ReturnAddressPtr(OUR_RETURN_ADDRESS), byValInfo->cachedId);
-                optimizationResult = OptimizationResult::Optimized;
-            } else {
-                // Seem like a generic property access site.
-                optimizationResult = OptimizationResult::GiveUp;
-            }
-        } else {
-            {
-                ConcurrentJSLocker locker(codeBlock->m_lock);
-                byValInfo->seen = true;
-                byValInfo->cachedId = CacheableIdentifier::createFromCell(subscript.asCell());
-                optimizationResult = OptimizationResult::SeenOnce;
-            }
-            vm.heap.writeBarrier(codeBlock, subscript.asCell());
-        }
</del><ins>+        CacheableIdentifier identifier = CacheableIdentifier::createFromCell(subscript.asCell());
+        if (stubInfo->considerCachingBy(vm, codeBlock, structure, identifier))
+            repatchPutBy(globalObject, codeBlock, baseValue, structure, identifier, slot, *stubInfo, PutByKind::ByVal, define ? PutKind::DirectPrivateFieldDefine : PutKind::DirectPrivateFieldSet);
</ins><span class="cx">     }
</span><ins>+}
</ins><span class="cx"> 
</span><del>-    if (optimizationResult != OptimizationResult::Optimized && optimizationResult != OptimizationResult::SeenOnce) {
-        // If we take slow path more than 10 times without patching then make sure we
-        // never make that mistake again. This gives 10 iterations worth of opportunity
-        // for us to observe that the put_private_name may be polymorphic.
-        // We count up slowPathCount even if the result is GiveUp.
-        if (++byValInfo->slowPathCount >= 10)
-            optimizationResult = OptimizationResult::GiveUp;
-    }
</del><ins>+template<bool define>
+static ALWAYS_INLINE void putPrivateName(JSGlobalObject* globalObject, JSValue baseValue, JSValue subscript, JSValue value)
+{
+    VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
</ins><span class="cx"> 
</span><del>-    if (optimizationResult == OptimizationResult::GiveUp) {
-        // Don't ever try to optimize.
-        byValInfo->tookSlowPath = true;
-        if (codeBlock->useDataIC())
-            byValInfo->m_slowOperation = operationPutPrivateNameGeneric;
-        else
-            ctiPatchCallByReturnAddress(ReturnAddressPtr(OUR_RETURN_ADDRESS), operationPutPrivateNameGeneric);
-    }
</del><ins>+    auto baseObject = baseValue.toObject(globalObject);
+    RETURN_IF_EXCEPTION(scope, void());
</ins><span class="cx"> 
</span><ins>+    auto propertyName = subscript.toPropertyKey(globalObject);
+    EXCEPTION_ASSERT(!scope.exception());
+
</ins><span class="cx">     scope.release();
</span><del>-    
</del><ins>+
</ins><span class="cx">     // Private fields can only be accessed within class lexical scope
</span><span class="cx">     // and class methods are always in strict mode
</span><del>-    const bool isStrictMode = true;
</del><ins>+    constexpr bool isStrictMode = true;
</ins><span class="cx">     PutPropertySlot slot(baseObject, isStrictMode);
</span><del>-    if (putKind.isDefine())
</del><ins>+    if constexpr (define)
</ins><span class="cx">         baseObject->definePrivateField(globalObject, propertyName, value, slot);
</span><span class="cx">     else
</span><span class="cx">         baseObject->setPrivateField(globalObject, propertyName, value, slot);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-// We need to match the signature of operationPutPrivateNameOptimize
-JSC_DEFINE_JIT_OPERATION(operationPutPrivateNameGeneric, void, (JSGlobalObject* globalObject, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, ByValInfo* byValInfo, PrivateFieldPutKind privateFieldPutKind))
</del><ins>+JSC_DEFINE_JIT_OPERATION(operationPutByValDefinePrivateFieldOptimize, void, (JSGlobalObject* globalObject, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, StructureStubInfo* stubInfo, ArrayProfile*))
</ins><span class="cx"> {
</span><span class="cx">     VM& vm = globalObject->vm();
</span><span class="cx">     CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
</span><span class="cx">     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
</span><span class="cx"> 
</span><del>-    auto scope = DECLARE_THROW_SCOPE(vm);
</del><ins>+    CodeBlock* codeBlock = callFrame->codeBlock();
+    JSValue baseValue = JSValue::decode(encodedBaseValue);
+    JSValue subscript = JSValue::decode(encodedSubscript);
+    JSValue value = JSValue::decode(encodedValue);
+    putPrivateNameOptimize<true>(globalObject, codeBlock, baseValue, subscript, value, stubInfo);
+}
</ins><span class="cx"> 
</span><ins>+JSC_DEFINE_JIT_OPERATION(operationPutByValSetPrivateFieldOptimize, void, (JSGlobalObject* globalObject, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, StructureStubInfo* stubInfo, ArrayProfile*))
+{
+    VM& vm = globalObject->vm();
+    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
+    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
+
+    CodeBlock* codeBlock = callFrame->codeBlock();
</ins><span class="cx">     JSValue baseValue = JSValue::decode(encodedBaseValue);
</span><span class="cx">     JSValue subscript = JSValue::decode(encodedSubscript);
</span><span class="cx">     JSValue value = JSValue::decode(encodedValue);
</span><ins>+    putPrivateNameOptimize<false>(globalObject, codeBlock, baseValue, subscript, value, stubInfo);
+}
</ins><span class="cx"> 
</span><del>-    auto baseObject = baseValue.toObject(globalObject);
-    RETURN_IF_EXCEPTION(scope, void());
</del><ins>+JSC_DEFINE_JIT_OPERATION(operationPutByValDefinePrivateFieldGeneric, void, (JSGlobalObject* globalObject, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, StructureStubInfo* stubInfo, ArrayProfile*))
+{
+    VM& vm = globalObject->vm();
+    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
+    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
</ins><span class="cx"> 
</span><del>-    auto propertyName = subscript.toPropertyKey(globalObject);
-    EXCEPTION_ASSERT(!scope.exception());
</del><ins>+    JSValue baseValue = JSValue::decode(encodedBaseValue);
+    JSValue subscript = JSValue::decode(encodedSubscript);
+    JSValue value = JSValue::decode(encodedValue);
</ins><span class="cx"> 
</span><del>-    scope.release();
</del><ins>+    if (stubInfo)
+        stubInfo->tookSlowPath = true;
</ins><span class="cx"> 
</span><del>-    // Private fields can only be accessed within class lexical scope
-    // and class methods are always in strict mode
-    const bool isStrictMode = true;
-    PutPropertySlot slot(baseObject, isStrictMode);
-    if (privateFieldPutKind.isDefine())
-        baseObject->definePrivateField(globalObject, propertyName, value, slot);
-    else
-        baseObject->setPrivateField(globalObject, propertyName, value, slot);
</del><ins>+    putPrivateName<true>(globalObject, baseValue, subscript, value);
+}
</ins><span class="cx"> 
</span><del>-    if (byValInfo)
-        byValInfo->tookSlowPath = true;
</del><ins>+JSC_DEFINE_JIT_OPERATION(operationPutByValSetPrivateFieldGeneric, void, (JSGlobalObject* globalObject, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, StructureStubInfo* stubInfo, ArrayProfile*))
+{
+    VM& vm = globalObject->vm();
+    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
+    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
+
+    JSValue baseValue = JSValue::decode(encodedBaseValue);
+    JSValue subscript = JSValue::decode(encodedSubscript);
+    JSValue value = JSValue::decode(encodedValue);
+
+    if (stubInfo)
+        stubInfo->tookSlowPath = true;
+
+    putPrivateName<false>(globalObject, baseValue, subscript, value);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> JSC_DEFINE_JIT_OPERATION(operationCallEval, EncodedJSValue, (JSGlobalObject* globalObject, CallFrame* calleeFrame, ECMAMode ecmaMode))
</span></span></pre></div>
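Review bot: the two Generic operations guard the stub info with "if (stubInfo)" before setting tookSlowPath, but the two Optimize operations hand the same pointer to putPrivateNameOptimize with no check visible here. Either the pointer can be null and the Optimize path needs the same guard, or it cannot and the guard in the Generic bodies is dead and can go. The removed comment about matching the operationPutPrivateNameOptimize signature also has no replacement: a one-line comment saying the unnamed, unused ArrayProfile* parameter exists only to match the shared PutByVal operation signature would help.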
<a id="trunkSourceJavaScriptCorejitJITOperationsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOperations.h (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOperations.h  2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/jit/JITOperations.h     2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -64,7 +64,6 @@
</span><span class="cx"> class VM;
</span><span class="cx"> class WatchpointSet;
</span><span class="cx"> 
</span><del>-struct ByValInfo;
</del><span class="cx"> struct ECMAMode;
</span><span class="cx"> struct InlineCallFrame;
</span><span class="cx"> struct Instruction;
</span><span class="lines">@@ -80,7 +79,6 @@
</span><span class="cx">     Ap: ArrayProfile*
</span><span class="cx">     Arp: BinaryArithProfile*
</span><span class="cx">     B: Butterfly*
</span><del>-    By: ByValInfo*
</del><span class="cx">     C: JSCell*
</span><span class="cx">     Cb: CodeBlock*
</span><span class="cx">     Cli: CallLinkInfo*
</span><span class="lines">@@ -201,9 +199,6 @@
</span><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationSetPrivateBrandGeneric, void, (JSGlobalObject*, StructureStubInfo*, EncodedJSValue, EncodedJSValue));
</span><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationCheckPrivateBrandGeneric, void, (JSGlobalObject*, StructureStubInfo*, EncodedJSValue, EncodedJSValue));
</span><span class="cx"> 
</span><del>-JSC_DECLARE_JIT_OPERATION(operationPutPrivateNameOptimize, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, ByValInfo*, PrivateFieldPutKind));
-JSC_DECLARE_JIT_OPERATION(operationPutPrivateNameGeneric, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, ByValInfo*, PrivateFieldPutKind));
-
</del><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationPutByValNonStrictOptimize, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, StructureStubInfo*, ArrayProfile*));
</span><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationPutByValStrictOptimize, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, StructureStubInfo*, ArrayProfile*));
</span><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationDirectPutByValNonStrictOptimize, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, StructureStubInfo*, ArrayProfile*));
</span><span class="lines">@@ -212,6 +207,10 @@
</span><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationPutByValStrictGeneric, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, StructureStubInfo*, ArrayProfile*));
</span><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationDirectPutByValStrictGeneric, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, StructureStubInfo*, ArrayProfile*));
</span><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationDirectPutByValNonStrictGeneric, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, StructureStubInfo*, ArrayProfile*));
</span><ins>+JSC_DECLARE_JIT_OPERATION(operationPutByValDefinePrivateFieldOptimize, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, StructureStubInfo*, ArrayProfile*));
+JSC_DECLARE_JIT_OPERATION(operationPutByValDefinePrivateFieldGeneric, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, StructureStubInfo*, ArrayProfile*));
+JSC_DECLARE_JIT_OPERATION(operationPutByValSetPrivateFieldOptimize, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, StructureStubInfo*, ArrayProfile*));
+JSC_DECLARE_JIT_OPERATION(operationPutByValSetPrivateFieldGeneric, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, StructureStubInfo*, ArrayProfile*));
</ins><span class="cx"> 
</span><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationCallEval, EncodedJSValue, (JSGlobalObject*, CallFrame*, ECMAMode));
</span><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationLinkCall, SlowPathReturnType, (CallFrame*, JSGlobalObject*, CallLinkInfo*));
</span></span></pre></div>
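Review bot: the four new declarations are appended after the Generic group and interleave the variants (DefineOptimize, DefineGeneric, SetOptimize, SetGeneric), while the surrounding PutByVal declarations keep the Optimize variants together and the Generic variants together. Consider moving the two PrivateField Optimize declarations up next to operationDirectPutByValNonStrictOptimize and leaving only the Generic pair here, so the header keeps one ordering.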
<a id="trunkSourceJavaScriptCorejitJITPropertyAccesscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp    2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp       2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -467,49 +467,6 @@
</span><span class="cx">     emitWriteBarrier(base, ShouldFilterBase);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-template<typename Op>
-JITPutByIdGenerator JIT::emitPutByValWithCachedId(Op bytecode, PutKind putKind, CacheableIdentifier propertyName, JumpList& doneCases, JumpList& slowCases)
-{
-    // base: regT0
-    // property: regT1
-    // scratch: regT2
-
-    VirtualRegister base = bytecode.m_base;
-    VirtualRegister value = bytecode.m_value;
-
-    slowCases.append(branchIfNotCell(regT1));
-    emitByValIdentifierCheck(regT1, regT1, propertyName, slowCases);
-
-    // Write barrier breaks the registers. So after issuing the write barrier,
-    // reload the registers.
-    emitGetVirtualRegisters(base, regT0, value, regT1);
-
-    JITPutByIdGenerator gen(
-        m_codeBlock, JITType::BaselineJIT, CodeOrigin(m_bytecodeIndex), CallSiteIndex(m_bytecodeIndex), RegisterSet::stubUnavailableRegisters(), propertyName,
-        JSValueRegs(regT0), JSValueRegs(regT1), regT3, regT2, ecmaMode(bytecode), putKind);
-    gen.generateFastPath(*this);
-    // IC can write new Structure without write-barrier if a base is cell.
-    // FIXME: Use UnconditionalWriteBarrier in Baseline effectively to reduce code size.
-    // https://bugs.webkit.org/show_bug.cgi?id=209395
-    emitWriteBarrier(base, ShouldFilterBase);
-    doneCases.append(jump());
-
-    Label coldPathBegin = label();
-    gen.slowPathJump().link(this);
-
-    Call call;
-    if (JITCode::useDataIC(JITType::BaselineJIT)) {
-        gen.stubInfo()->m_slowOperation = gen.slowPathFunction();
-        move(TrustedImmPtr(gen.stubInfo()), GPRInfo::nonArgGPR0);
-        callOperation<decltype(gen.slowPathFunction())>(Address(GPRInfo::nonArgGPR0, StructureStubInfo::offsetOfSlowOperation()), TrustedImmPtr(m_codeBlock->globalObject()), GPRInfo::nonArgGPR0, regT1, regT0, propertyName.rawBits());
-    } else
-        call = callOperation(gen.slowPathFunction(), TrustedImmPtr(m_codeBlock->globalObject()), gen.stubInfo(), regT1, regT0, propertyName.rawBits());
-    gen.reportSlowPathCall(coldPathBegin, call);
-    doneCases.append(jump());
-
-    return gen;
-}
-
</del><span class="cx"> void JIT::emitSlow_op_put_by_val(const Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
</span><span class="cx"> {
</span><span class="cx">     bool isDirect = currentInstruction->opcodeID() == op_put_by_val_direct;
</span><span class="lines">@@ -611,76 +568,72 @@
</span><span class="cx">     auto bytecode = currentInstruction->as<OpPutPrivateName>();
</span><span class="cx">     VirtualRegister base = bytecode.m_base;
</span><span class="cx">     VirtualRegister property = bytecode.m_property;
</span><del>-    ByValInfo* byValInfo = m_codeBlock->addByValInfo(m_bytecodeIndex);
</del><ins>+    VirtualRegister value = bytecode.m_value;
</ins><span class="cx"> 
</span><span class="cx">     emitGetVirtualRegister(base, regT0);
</span><span class="cx">     emitGetVirtualRegister(property, regT1);
</span><ins>+    emitGetVirtualRegister(value, regT2);
</ins><span class="cx"> 
</span><span class="cx">     emitJumpSlowCaseIfNotJSCell(regT0, base);
</span><span class="cx"> 
</span><del>-    PatchableJump fastPathJmp;
-    if (JITCode::useDataIC(JITType::BaselineJIT))
-        farJump(AbsoluteAddress(&byValInfo->m_notIndexJumpTarget), JITStubRoutinePtrTag);
-    else {
-        fastPathJmp = patchableJump();
-        addSlowCase(fastPathJmp);
-    }
-    
-    Label done = label();
-    
-    m_byValCompilationInfo.append(ByValCompilationInfo(byValInfo, m_bytecodeIndex, fastPathJmp, done, done));
</del><ins>+    JITPutByValGenerator gen(
+        m_codeBlock, JITType::BaselineJIT, CodeOrigin(m_bytecodeIndex), CallSiteIndex(m_bytecodeIndex), AccessType::PutByVal, RegisterSet::stubUnavailableRegisters(),
+        JSValueRegs(regT0), JSValueRegs(regT1), JSValueRegs(regT2), InvalidGPRReg, regT4);
+    gen.generateFastPath(*this);
+    if (!JITCode::useDataIC(JITType::BaselineJIT))
+        addSlowCase(gen.slowPathJump());
+    else
+        addSlowCase();
+    m_putByVals.append(gen);
+
+    // IC can write new Structure without write-barrier if a base is cell.
+    // FIXME: Use UnconditionalWriteBarrier in Baseline effectively to reduce code size.
+    // https://bugs.webkit.org/show_bug.cgi?id=209395
+    emitWriteBarrier(base, ShouldFilterBase);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JIT::emitSlow_op_put_private_name(const Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
</span><span class="cx"> {
</span><span class="cx">     auto bytecode = currentInstruction->as<OpPutPrivateName>();
</span><del>-    ByValInfo* byValInfo = m_byValCompilationInfo[m_byValInstructionIndex].byValInfo;
</del><span class="cx">     PrivateFieldPutKind putKind = bytecode.m_putKind;
</span><span class="cx"> 
</span><ins>+    JITPutByValGenerator& gen = m_putByVals[m_putByValIndex++];
+
</ins><span class="cx">     linkAllSlowCases(iter);
</span><del>-    Label slowPath = label();
</del><span class="cx"> 
</span><ins>+    Label coldPathBegin = label();
+
+    auto operation = putKind.isDefine() ? operationPutByValDefinePrivateFieldOptimize : operationPutByValSetPrivateFieldOptimize;
</ins><span class="cx"> #if !ENABLE(EXTRA_CTI_THUNKS)
</span><ins>+    // They are configured in the fast path and not clobbered.
</ins><span class="cx">     constexpr GPRReg baseGPR = regT0;
</span><span class="cx">     constexpr GPRReg propertyGPR = regT1;
</span><span class="cx">     constexpr GPRReg valueGPR = regT2;
</span><del>-
-    emitGetVirtualRegister(bytecode.m_base, baseGPR);
-    emitGetVirtualRegister(bytecode.m_property, propertyGPR);
-    emitGetVirtualRegister(bytecode.m_value, valueGPR);
-    Call call = callOperation(operationPutPrivateNameOptimize, TrustedImmPtr(m_codeBlock->globalObject()), baseGPR, propertyGPR, valueGPR, byValInfo, TrustedImm32(putKind.value()));
</del><ins>+    Call call = callOperation(operation, TrustedImmPtr(m_codeBlock->globalObject()), baseGPR, propertyGPR, valueGPR, gen.stubInfo(), TrustedImmPtr(nullptr));
</ins><span class="cx"> #else
</span><span class="cx">     VM& vm = this->vm();
</span><span class="cx">     uint32_t bytecodeOffset = m_bytecodeIndex.offset();
</span><span class="cx">     ASSERT(BytecodeIndex(bytecodeOffset) == m_bytecodeIndex);
</span><span class="cx"> 
</span><del>-    constexpr GPRReg bytecodeOffsetGPR = argumentGPR0;
</del><ins>+    // constexpr GPRReg baseGPR = regT0;
+    // constexpr GPRReg propertyGPR = regT1;
+    // constexpr GPRReg valueGPR = regT2;
+    constexpr GPRReg stubInfoGPR = regT3;
+    constexpr GPRReg bytecodeOffsetGPR = regT4;
+
</ins><span class="cx">     move(TrustedImm32(bytecodeOffset), bytecodeOffsetGPR);
</span><del>-
-    constexpr GPRReg baseGPR = argumentGPR1;
-    constexpr GPRReg propertyGPR = argumentGPR2;
-    constexpr GPRReg valueGPR = argumentGPR3;
-    constexpr GPRReg byValInfoGPR = argumentGPR4;
-    constexpr GPRReg putKindGPR = argumentGPR5;
-
-    emitGetVirtualRegister(bytecode.m_base, baseGPR);
-    emitGetVirtualRegister(bytecode.m_property, propertyGPR);
-    emitGetVirtualRegister(bytecode.m_value, valueGPR);
-    move(TrustedImmPtr(byValInfo), byValInfoGPR);
-    move(TrustedImm32(putKind.value()), putKindGPR);
</del><ins>+    move(TrustedImmPtr(gen.stubInfo()), stubInfoGPR);
</ins><span class="cx">     emitNakedNearCall(vm.getCTIStub(slow_op_put_private_name_prepareCallGenerator).retaggedCode<NoPtrTag>());
</span><span class="cx"> 
</span><span class="cx">     Call call;
</span><span class="cx">     if (JITCode::useDataIC(JITType::BaselineJIT))
</span><del>-        byValInfo->m_slowOperation = operationPutPrivateNameOptimize;
</del><ins>+        gen.stubInfo()->m_slowOperation = operation;
</ins><span class="cx">     else
</span><del>-        call = appendCall(operationPutPrivateNameOptimize);
</del><ins>+        call = appendCall(operation);
</ins><span class="cx">     emitNakedNearCall(vm.getCTIStub(checkExceptionGenerator).retaggedCode<NoPtrTag>());
</span><span class="cx"> #endif // ENABLE(EXTRA_CTI_THUNKS)
</span><span class="cx"> 
</span><del>-    m_byValCompilationInfo[m_byValInstructionIndex].slowPathTarget = slowPath;
-    m_byValCompilationInfo[m_byValInstructionIndex].returnAddress = call;
-    m_byValInstructionIndex++;
</del><ins>+    gen.reportSlowPathCall(coldPathBegin, call);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(EXTRA_CTI_THUNKS)
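Review bot: emit_op_put_private_name builds the JITPutByValGenerator here without setting propertyIsSymbol on its stub info, while the JITPropertyAccess32_64.cpp version of the same function sets it to true before generateFastPath. If the flag matters for private names, set it in this path as well; if the 64-bit path gets it some other way, a short comment saying so would avoid the two files looking out of sync. In the EXTRA_CTI_THUNKS branch of the slow path, the three commented-out constexpr GPRReg lines would read better as a single comment naming the registers the thunk expects, like the "configured in the fast path and not clobbered" comment in the other branch.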
</span><span class="lines">@@ -695,24 +648,24 @@
</span><span class="cx">     if (!JITCode::useDataIC(JITType::BaselineJIT))
</span><span class="cx">         jit.tagReturnAddress();
</span><span class="cx"> 
</span><del>-    constexpr GPRReg bytecodeOffsetGPR = argumentGPR0;
</del><ins>+    constexpr GPRReg baseGPR = regT0;
+    constexpr GPRReg propertyGPR = regT1;
+    constexpr GPRReg valueGPR = regT2;
+    constexpr GPRReg stubInfoGPR = regT3;
+    constexpr GPRReg bytecodeOffsetGPR = regT4;
+
</ins><span class="cx">     jit.store32(bytecodeOffsetGPR, tagFor(CallFrameSlot::argumentCountIncludingThis));
</span><span class="cx"> 
</span><del>-    constexpr GPRReg globalObjectGPR = argumentGPR0;
-    constexpr GPRReg baseGPR = argumentGPR1;
-    constexpr GPRReg propertyGPR = argumentGPR2;
-    constexpr GPRReg valueGPR = argumentGPR3;
-    constexpr GPRReg byValInfoGPR = argumentGPR4;
-    constexpr GPRReg putKindGPR = argumentGPR5;
</del><ins>+    constexpr GPRReg globalObjectGPR = regT4;
</ins><span class="cx"> 
</span><span class="cx">     jit.loadPtr(addressFor(CallFrameSlot::codeBlock), globalObjectGPR);
</span><span class="cx">     jit.loadPtr(Address(globalObjectGPR, CodeBlock::offsetOfGlobalObject()), globalObjectGPR);
</span><span class="cx"> 
</span><del>-    jit.setupArguments<decltype(operationPutPrivateNameOptimize)>(globalObjectGPR, baseGPR, propertyGPR, valueGPR, byValInfoGPR, putKindGPR);
</del><ins>+    jit.setupArguments<decltype(operationPutByValDefinePrivateFieldOptimize)>(globalObjectGPR, baseGPR, propertyGPR, valueGPR, stubInfoGPR, TrustedImmPtr(nullptr));
</ins><span class="cx">     jit.prepareCallOperation(vm);
</span><span class="cx"> 
</span><span class="cx">     if (JITCode::useDataIC(JITType::BaselineJIT))
</span><del>-        jit.farJump(Address(argumentGPR4, ByValInfo::offsetOfSlowOperation()), OperationPtrTag);
</del><ins>+        jit.farJump(Address(argumentGPR4, StructureStubInfo::offsetOfSlowOperation()), OperationPtrTag);
</ins><span class="cx">     else
</span><span class="cx">         jit.ret();
</span><span class="cx"> 
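Review bot: the data-IC farJump still loads the slow operation through a hard-coded argumentGPR4, but after this change no named register in the thunk is tied to it (stubInfoGPR is now regT3), so the jump is correct only because setupArguments moves the stub info into the fifth argument register. The old code made that visible with byValInfoGPR = argumentGPR4; please add a named constant or a comment stating the dependency. The setupArguments call also names only operationPutByValDefinePrivateFieldOptimize in its decltype although the thunk serves the Set operation too, which deserves a note that both share one signature.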
</span><span class="lines">@@ -3060,62 +3013,8 @@
</span><span class="cx">         valueNotCell.link(this);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-template <typename Op>
-JITPutByIdGenerator JIT::emitPutByValWithCachedId(Op bytecode, PutKind putKind, CacheableIdentifier propertyName, JumpList& doneCases, JumpList& slowCases)
-{
-    // base: tag(regT1), payload(regT0)
-    // property: tag(regT3), payload(regT2)
-
-    VirtualRegister base = bytecode.m_base;
-    VirtualRegister value = bytecode.m_value;
-
-    slowCases.append(branchIfNotCell(regT3));
-    emitByValIdentifierCheck(regT2, regT2, propertyName, slowCases);
-
-    // Write barrier breaks the registers. So after issuing the write barrier,
-    // reload the registers.
-    //
-    // IC can write new Structure without write-barrier if a base is cell.
-    // We are emitting write-barrier before writing here but this is OK since 32bit JSC does not have concurrent GC.
-    // FIXME: Use UnconditionalWriteBarrier in Baseline effectively to reduce code size.
-    // https://bugs.webkit.org/show_bug.cgi?id=209395
-    emitWriteBarrier(base, ShouldFilterBase);
-    emitLoadPayload(base, regT0);
-    emitLoad(value, regT3, regT2);
-
-    JITPutByIdGenerator gen(
-        m_codeBlock, JITType::BaselineJIT, CodeOrigin(m_bytecodeIndex), CallSiteIndex(m_bytecodeIndex), RegisterSet::stubUnavailableRegisters(), propertyName,
-        JSValueRegs::payloadOnly(regT0), JSValueRegs(regT3, regT2), InvalidGPRReg, regT1, ecmaMode(bytecode), putKind);
-    gen.generateFastPath(*this);
-    doneCases.append(jump());
-
-    Label coldPathBegin = label();
-    gen.slowPathJump().link(this);
-
-    // JITPutByIdGenerator only preserve the value and the base's payload, we have to reload the tag.
-    emitLoadTag(base, regT1);
-
-    Call call;
-    if (JITCode::useDataIC(JITType::BaselineJIT)) {
-        gen.stubInfo()->m_slowOperation = gen.slowPathFunction();
-        move(TrustedImmPtr(gen.stubInfo()), GPRInfo::nonArgGPR0);
-        callOperation<decltype(gen.slowPathFunction())>(Address(GPRInfo::nonArgGPR0, StructureStubInfo::offsetOfSlowOperation()), m_codeBlock->globalObject(), GPRInfo::nonArgGPR0, JSValueRegs(regT3, regT2), JSValueRegs(regT1, regT0), propertyName.rawBits());
-    } else
-        call = callOperation(gen.slowPathFunction(), m_codeBlock->globalObject(), gen.stubInfo(), JSValueRegs(regT3, regT2), JSValueRegs(regT1, regT0), propertyName.rawBits());
-    gen.reportSlowPathCall(coldPathBegin, call);
-    doneCases.append(jump());
-
-    return gen;
-}
-
</del><span class="cx"> #endif // USE(JSVALUE64)
</span><span class="cx"> 
</span><del>-JITPutByIdGenerator JIT::emitPutPrivateNameWithCachedId(OpPutPrivateName bytecode, CacheableIdentifier propertyName, JumpList& doneCases, JumpList& slowCases)
-{
-    auto putKind = bytecode.m_putKind.isDefine() ? PutKind::DirectPrivateFieldDefine : PutKind::DirectPrivateFieldSet;
-    return emitPutByValWithCachedId(bytecode, putKind, propertyName, doneCases, slowCases);
-}
-
</del><span class="cx"> void JIT::emitWriteBarrier(VirtualRegister owner, WriteBarrierMode mode)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(mode == UnconditionalWriteBarrier || mode == ShouldFilterBase);
</span><span class="lines">@@ -3129,58 +3028,6 @@
</span><span class="cx">     ownerIsRememberedOrInEden.link(this);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void JIT::emitByValIdentifierCheck(RegisterID cell, RegisterID scratch, CacheableIdentifier propertyName, JumpList& slowCases)
-{
-    if (propertyName.isSymbolCell())
-        slowCases.append(branchPtr(NotEqual, cell, TrustedImmPtr(propertyName.cell())));
-    else {
-        slowCases.append(branchIfNotString(cell));
-        loadPtr(Address(cell, JSString::offsetOfValue()), scratch);
-        slowCases.append(branchPtr(NotEqual, scratch, TrustedImmPtr(propertyName.uid())));
-    }
-}
-
-void JIT::privateCompilePutPrivateNameWithCachedId(ByValInfo* byValInfo, ReturnAddressPtr returnAddress, CacheableIdentifier propertyName)
-{
-    const Instruction* currentInstruction = m_codeBlock->instructions().at(byValInfo->bytecodeIndex).ptr();
-    auto bytecode = currentInstruction->as<OpPutPrivateName>();
-
-    JumpList doneCases;
-    JumpList slowCases;
-
-    JITPutByIdGenerator gen = emitPutPrivateNameWithCachedId(bytecode, propertyName, doneCases, slowCases);
-
-    ConcurrentJSLocker locker(m_codeBlock->m_lock);
-    LinkBuffer patchBuffer(*this, m_codeBlock, LinkBuffer::Profile::InlineCache);
-    patchBuffer.link(slowCases, byValInfo->slowPathTarget);
-    patchBuffer.link(doneCases, byValInfo->doneTarget);
-    if (!m_exceptionChecks.empty())
-        patchBuffer.link(m_exceptionChecks, byValInfo->exceptionHandler);
-
-    for (const auto& callSite : m_nearCalls) {
-        if (callSite.callee)
-            patchBuffer.link(callSite.from, callSite.callee);
-    }
-    for (const auto& callSite : m_farCalls) {
-        if (callSite.callee)
-            patchBuffer.link(callSite.from, callSite.callee);
-    }
-    gen.finalize(patchBuffer, patchBuffer);
-
-    byValInfo->stubRoutine = FINALIZE_CODE_FOR_STUB(
-        m_codeBlock, patchBuffer, JITStubRoutinePtrTag,
-        "Baseline put_private_name with cached property name '%s' stub for %s, return point %p", propertyName.uid()->utf8().data(), toCString(*m_codeBlock).data(), returnAddress.untaggedValue());
-    byValInfo->stubInfo = gen.stubInfo();
-
-    if (JITCode::useDataIC(JITType::BaselineJIT)) {
-        byValInfo->m_notIndexJumpTarget = CodeLocationLabel<JITStubRoutinePtrTag>(byValInfo->stubRoutine->code().code());
-        byValInfo->m_slowOperation = operationPutPrivateNameGeneric;
-    } else {
-        MacroAssembler::repatchJump(byValInfo->m_notIndexJump, CodeLocationLabel<JITStubRoutinePtrTag>(byValInfo->stubRoutine->code().code()));
-        MacroAssembler::repatchCall(CodeLocationCall<ReturnAddressPtrTag>(MacroAssemblerCodePtr<ReturnAddressPtrTag>(returnAddress)), FunctionPtr<OperationPtrTag>(operationPutPrivateNameGeneric));
-    }
-}
-
</del><span class="cx"> } // namespace JSC
</span><span class="cx"> 
</span><span class="cx"> #endif // ENABLE(JIT)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITPropertyAccess32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp       2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp  2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -340,44 +340,46 @@
</span><span class="cx">     auto bytecode = currentInstruction->as<OpPutPrivateName>();
</span><span class="cx">     VirtualRegister base = bytecode.m_base;
</span><span class="cx">     VirtualRegister property = bytecode.m_property;
</span><del>-    ByValInfo* byValInfo = m_codeBlock->addByValInfo(m_bytecodeIndex);
</del><ins>+    VirtualRegister value = bytecode.m_value;
</ins><span class="cx"> 
</span><span class="cx">     emitLoad2(base, regT1, regT0, property, regT3, regT2);
</span><ins>+    emitLoad(value, regT5, regT4);
</ins><span class="cx"> 
</span><span class="cx">     emitJumpSlowCaseIfNotJSCell(base, regT1);
</span><del>-    PatchableJump fastPathJmp = patchableJump();
-    addSlowCase(fastPathJmp);
</del><span class="cx"> 
</span><del>-    Label done = label();
-    
-    m_byValCompilationInfo.append(ByValCompilationInfo(byValInfo, m_bytecodeIndex, fastPathJmp, done, done));
</del><ins>+    JITPutByValGenerator gen(
+        m_codeBlock, JITType::BaselineJIT, CodeOrigin(m_bytecodeIndex), CallSiteIndex(m_bytecodeIndex), AccessType::PutByVal, RegisterSet::stubUnavailableRegisters(),
+        JSValueRegs(regT1, regT0), JSValueRegs(regT3, regT2), JSValueRegs(regT5, regT4), InvalidGPRReg, InvalidGPRReg);
+    gen.stubInfo()->propertyIsSymbol = true;
+    gen.generateFastPath(*this);
+    addSlowCase(gen.slowPathJump());
+    m_putByVals.append(gen);
+
+    // IC can write new Structure without write-barrier if a base is cell.
+    // FIXME: Use UnconditionalWriteBarrier in Baseline effectively to reduce code size.
+    // https://bugs.webkit.org/show_bug.cgi?id=209395
+    emitWriteBarrier(base, ShouldFilterBase);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JIT::emitSlow_op_put_private_name(const Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
</span><span class="cx"> {
</span><span class="cx">     auto bytecode = currentInstruction->as<OpPutPrivateName>();
</span><del>-    VirtualRegister base = bytecode.m_base;
-    VirtualRegister property = bytecode.m_property;
-    VirtualRegister value = bytecode.m_value;
-
-    ByValInfo* byValInfo = m_byValCompilationInfo[m_byValInstructionIndex].byValInfo;
</del><span class="cx">     PrivateFieldPutKind putKind = bytecode.m_putKind;
</span><span class="cx"> 
</span><ins>+    JITPutByValGenerator& gen = m_putByVals[m_putByValIndex++];
+
</ins><span class="cx">     linkAllSlowCases(iter);
</span><del>-    Label slowPath = label();
</del><span class="cx"> 
</span><ins>+    Label coldPathBegin = label();
+
</ins><span class="cx">     JSValueRegs baseRegs(regT1, regT0);
</span><span class="cx">     JSValueRegs propertyRegs(regT3, regT2);
</span><span class="cx">     JSValueRegs valueRegs(regT5, regT4);
</span><span class="cx"> 
</span><del>-    emitLoad(base, baseRegs.tagGPR(), baseRegs.payloadGPR());
-    emitLoad(property, propertyRegs.tagGPR(), propertyRegs.payloadGPR());
-    emitLoad(value, valueRegs.tagGPR(), valueRegs.payloadGPR());
-    Call call = callOperation(operationPutPrivateNameOptimize, TrustedImmPtr(m_codeBlock->globalObject()), baseRegs, propertyRegs, valueRegs, byValInfo, TrustedImm32(putKind.value()));
</del><ins>+    auto operation = putKind.isDefine() ? operationPutByValDefinePrivateFieldOptimize : operationPutByValSetPrivateFieldOptimize;
+    Call call = callOperation(operation, TrustedImmPtr(m_codeBlock->globalObject()), baseRegs, propertyRegs, valueRegs, gen.stubInfo(), TrustedImmPtr(nullptr));
</ins><span class="cx"> 
</span><del>-    m_byValCompilationInfo[m_byValInstructionIndex].slowPathTarget = slowPath;
-    m_byValCompilationInfo[m_byValInstructionIndex].returnAddress = call;
-    m_byValInstructionIndex++;
</del><ins>+    gen.reportSlowPathCall(coldPathBegin, call);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void JIT::emit_op_set_private_brand(const Instruction* currentInstruction)
</span></span></pre></div>
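Review bot: addSlowCase(gen.slowPathJump()) is unconditional in this 32-bit emit_op_put_private_name, whereas the JITPropertyAccess.cpp version branches on JITCode::useDataIC(JITType::BaselineJIT) and calls the argument-less addSlowCase() in the data-IC case. If data IC is never enabled on this configuration, an ASSERT(!JITCode::useDataIC(JITType::BaselineJIT)) would document that; otherwise the same branch is needed here. The slow path also drops the three emitLoad reloads and now relies on regT0 through regT5 surviving from the fast path, so it should carry the same "configured in the fast path and not clobbered" comment the 64-bit file has.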
<a id="trunkSourceJavaScriptCorejitRepatchcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/Repatch.cpp (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/Repatch.cpp      2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Source/JavaScriptCore/jit/Repatch.cpp 2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -600,9 +600,12 @@
</span><span class="cx">             if (slot.isStrictMode())
</span><span class="cx">                 return operationDirectPutByValStrictGeneric;
</span><span class="cx">             return operationDirectPutByValNonStrictGeneric;
</span><del>-        default:
-            RELEASE_ASSERT_NOT_REACHED();
-            break;
</del><ins>+        case PutKind::DirectPrivateFieldDefine:
+            ASSERT(slot.isStrictMode());
+            return operationPutByValDefinePrivateFieldGeneric;
+        case PutKind::DirectPrivateFieldSet:
+            ASSERT(slot.isStrictMode());
+            return operationPutByValSetPrivateFieldGeneric;
</ins><span class="cx">         }
</span><span class="cx">         break;
</span><span class="cx">     }
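Review bot: the new DirectPrivateFieldDefine and DirectPrivateFieldSet cases check strict mode only with ASSERT(slot.isStrictMode()), which replaces a default branch that was a RELEASE_ASSERT_NOT_REACHED. In a release build a non-strict slot reaching these cases now silently returns the private-field operation. If the strict-mode invariant is relied on, make it a RELEASE_ASSERT; if it is only documentation, a comment pointing at where the slot is constructed as strict would do. The same applies to the matching cases added to the Optimize switch further down in this file.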
</span><span class="lines">@@ -633,7 +636,7 @@
</span><span class="cx">             return operationPutByIdSetPrivateFieldStrictOptimize;
</span><span class="cx">         }
</span><span class="cx">         break;
</span><del>-    case PutByKind::ByVal: {
</del><ins>+    case PutByKind::ByVal:
</ins><span class="cx">         switch (putKind) {
</span><span class="cx">         case PutKind::NotDirect:
</span><span class="cx">             if (slot.isStrictMode())
</span><span class="lines">@@ -643,13 +646,15 @@
</span><span class="cx">             if (slot.isStrictMode())
</span><span class="cx">                 return operationDirectPutByValStrictOptimize;
</span><span class="cx">             return operationDirectPutByValNonStrictOptimize;
</span><del>-        default:
-            RELEASE_ASSERT_NOT_REACHED();
-            break;
</del><ins>+        case PutKind::DirectPrivateFieldDefine:
+            ASSERT(slot.isStrictMode());
+            return operationPutByValDefinePrivateFieldOptimize;
+        case PutKind::DirectPrivateFieldSet:
+            ASSERT(slot.isStrictMode());
+            return operationPutByValSetPrivateFieldOptimize;
</ins><span class="cx">         }
</span><span class="cx">         break;
</span><span class="cx">     }
</span><del>-    }
</del><span class="cx">     // Make win port compiler happy
</span><span class="cx">     RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx">     return nullptr;
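Review bot: With both default arms gone, a PutKind value that no case handles now leaves the inner switch through break and is caught only by the trailing RELEASE_ASSERT_NOT_REACHED(), yet the comment above it still reads "Make win port compiler happy". Please reword that comment to say it is the guard for unhandled PutByKind and PutKind combinations, so nobody later removes it as dead code. Dropping default itself is fine, since it lets the compiler flag an enumerator that a future change forgets to handle.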
</span><span class="lines">@@ -1922,6 +1927,10 @@
</span><span class="cx">             optimizedFunction = operationPutByValNonStrictOptimize;
</span><span class="cx">         else if (unoptimizedFunction == operationDirectPutByValStrictGeneric || unoptimizedFunction == operationDirectPutByValStrictOptimize)
</span><span class="cx">             optimizedFunction = operationDirectPutByValStrictOptimize;
</span><ins>+        else if (unoptimizedFunction == operationPutByValDefinePrivateFieldGeneric || unoptimizedFunction == operationPutByValDefinePrivateFieldOptimize)
+            optimizedFunction = operationPutByValDefinePrivateFieldOptimize;
+        else if (unoptimizedFunction == operationPutByValSetPrivateFieldGeneric || unoptimizedFunction == operationPutByValSetPrivateFieldOptimize)
+            optimizedFunction = operationPutByValSetPrivateFieldOptimize;
</ins><span class="cx">         else {
</span><span class="cx">             ASSERT(unoptimizedFunction == operationDirectPutByValNonStrictGeneric || unoptimizedFunction == operationDirectPutByValNonStrictOptimize);
</span><span class="cx">             optimizedFunction = operationDirectPutByValNonStrictOptimize;
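Review bot: The final else still relies on a debug-only ASSERT, so in a release build any unoptimizedFunction that matches none of the branches above is silently given operationDirectPutByValNonStrictOptimize. Now that the chain also carries the private-field operations, I would turn the last branch into an explicit else if for the operationDirectPutByValNonStrictGeneric and operationDirectPutByValNonStrictOptimize pair and end the chain with RELEASE_ASSERT_NOT_REACHED(), so an operation missed in a later change crashes rather than being repatched to the wrong slow path.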
</span></span></pre></div>
<a id="trunkToolsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Tools/ChangeLog (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/ChangeLog    2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Tools/ChangeLog       2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -1,3 +1,12 @@
</span><ins>+2021-08-26  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] op_put_private_name should use modern IC and remove ByValInfo
+        https://bugs.webkit.org/show_bug.cgi?id=229544
+
+        Reviewed by Saam Barati.
+
+        * Scripts/run-jsc-benchmarks:
+
</ins><span class="cx"> 2021-08-26  Jonathan Bedard  <jbedard@apple.com>
</span><span class="cx"> 
</span><span class="cx">         [kill-old-processes] Invoke with Python 3
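Review bot: The entry lists "* Scripts/run-jsc-benchmarks:" with nothing after the colon. Please describe the change there: the PrivateFieldsBench suite and the --private-fields-bench option are removed from the script, which a reader cannot infer from the bug title about op_put_private_name.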
</span></span></pre></div>
<a id="trunkToolsScriptsrunjscbenchmarks"></a>
<div class="modfile"><h4>Modified: trunk/Tools/Scripts/run-jsc-benchmarks (281683 => 281684)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/Scripts/run-jsc-benchmarks   2021-08-27 03:52:54 UTC (rev 281683)
+++ trunk/Tools/Scripts/run-jsc-benchmarks      2021-08-27 04:26:35 UTC (rev 281684)
</span><span class="lines">@@ -51,7 +51,6 @@
</span><span class="cx"> TAILBENCH_PATH = PERFORMANCETESTS_PATH + "TailBench9000"
</span><span class="cx"> BIGINTBENCH_PATH = PERFORMANCETESTS_PATH + "BigIntBench"
</span><span class="cx"> MICROBENCHMARKS_PATH = OPENSOURCE_PATH + "JSTests" + "microbenchmarks"
</span><del>-PRIVATEFIELDSBENCH_PATH = MICROBENCHMARKS_PATH + "class-fields-private"
</del><span class="cx"> SLOW_MICROBENCHMARKS_PATH = OPENSOURCE_PATH + "JSTests" + "slowMicrobenchmarks"
</span><span class="cx"> OPENSOURCE_OCTANE_PATH = PERFORMANCETESTS_PATH + "Octane"
</span><span class="cx"> OCTANE_WRAPPER_PATH = OPENSOURCE_OCTANE_PATH + "wrappers"
</span><span class="lines">@@ -236,7 +235,6 @@
</span><span class="cx"> $includeSixSpeed = false
</span><span class="cx"> $includeTailBench = true
</span><span class="cx"> $includeBigIntBench = false
</span><del>-$includePrivateFieldsBench = false
</del><span class="cx"> $ldd=nil
</span><span class="cx"> $measureGC=false
</span><span class="cx"> $benchmarkPattern=nil
</span><span class="lines">@@ -1786,22 +1784,6 @@
</span><span class="cx">   end
</span><span class="cx"> end
</span><span class="cx"> 
</span><del>-class PrivateFieldsBenchmark
-    include Benchmark
-
-    def initialize(name)
-        @name = name
-    end
-
-    def emitRunCode(plan)
-        emitBenchRunCode(fullname, plan, SingleFileTimedBenchmarkParameters.new(ensureFile("PrivateFieldsBench-#{@name}", "#{PRIVATEFIELDSBENCH_PATH}/#{@name}.js")))
-    end
-
-    def environment
-        {}
-    end
-end
-
</del><span class="cx"> class MicrobenchmarksBenchmark
</span><span class="cx">   include Benchmark
</span><span class="cx">   
</span><span class="lines">@@ -2910,7 +2892,6 @@
</span><span class="cx">                  ['--six-speed', GetoptLong::NO_ARGUMENT],
</span><span class="cx">                  ['--tail-bench', GetoptLong::NO_ARGUMENT],
</span><span class="cx">                  ['--big-int-bench', GetoptLong::NO_ARGUMENT],
</span><del>-                 ['--private-fields-bench', GetoptLong::NO_ARGUMENT],
</del><span class="cx">                  ['--benchmarks', GetoptLong::REQUIRED_ARGUMENT],
</span><span class="cx">                  ['--measure-gc', GetoptLong::OPTIONAL_ARGUMENT],
</span><span class="cx">                  ['--force-vm-kind', GetoptLong::REQUIRED_ARGUMENT],
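Review bot: Removing ['--private-fields-bench', GetoptLong::NO_ARGUMENT] from the option table means any bot configuration or local script that still passes --private-fields-bench will now be rejected by GetoptLong as an unrecognized option instead of running. Please confirm no caller uses the flag and that the script's usage text no longer lists it.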
</span><span class="lines">@@ -3028,9 +3009,6 @@
</span><span class="cx">     when '--big-int-bench'
</span><span class="cx">       resetBenchOptionsIfNecessary
</span><span class="cx">       $includeBigIntBench = true
</span><del>-    when '--private-fields-bench'
-      resetBenchOptionsIfNecessary
-      $includePrivateFieldsBench = true
</del><span class="cx">     when '--benchmarks'
</span><span class="cx">       $benchmarkPattern = Regexp.new(arg)
</span><span class="cx">     when '--measure-gc'
</span><span class="lines">@@ -3270,15 +3248,6 @@
</span><span class="cx">     end
</span><span class="cx">   }
</span><span class="cx"> 
</span><del>-  PRIVATEFIELDSBENCH = BenchmarkSuite.new("PrivateFieldsBench", :geometricMean, 0)
-  Dir.foreach(PRIVATEFIELDSBENCH_PATH) {
-    | filename |
-    if filename =~ /\.js$/
-        name = $~.pre_match
-        PRIVATEFIELDSBENCH.add PrivateFieldsBenchmark.new(name)
-    end
-  }
-
</del><span class="cx">   MICROBENCHMARKS = BenchmarkSuite.new("Microbenchmarks", :geometricMean, 0)
</span><span class="cx">   Dir.foreach(MICROBENCHMARKS_PATH) {
</span><span class="cx">     | filename |
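Review bot: The deleted loop enumerated PRIVATEFIELDSBENCH_PATH, defined as MICROBENCHMARKS_PATH + "class-fields-private", while the remaining MICROBENCHMARKS loop calls Dir.foreach(MICROBENCHMARKS_PATH), which lists only the top level of that directory. Unless the class-fields-private .js files are moved up into microbenchmarks in this same change, no suite runs them any more. Please confirm where they end up, since these are the private-field benchmarks relevant to the IC change in Repatch.cpp.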
</span><span class="lines">@@ -3450,10 +3419,6 @@
</span><span class="cx">     $suites << BIGINTBENCH
</span><span class="cx">   end
</span><span class="cx"> 
</span><del>-  if $includePrivateFieldsBench and not PRIVATEFIELDSBENCH.empty?
-    $suites << PRIVATEFIELDSBENCH
-  end
-
</del><span class="cx">   if $includeAsmBench and not ASMBENCH.empty?
</span><span class="cx">     if ASMBENCH_PATH
</span><span class="cx">       $suites << ASMBENCH
</span></span></pre>
</div>
</div>

</body>
</html>