[DOMJIT] DOMJIT::Patchpoint should have a way to receive constant folded arguments
authorutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 11 Oct 2016 21:33:11 +0000 (21:33 +0000)
committerutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 11 Oct 2016 21:33:11 +0000 (21:33 +0000)
https://bugs.webkit.org/show_bug.cgi?id=163224

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

We use the GetGlobalObject DFG node to retrieve a global object from a DOM node.
This global object is necessary to check whether the world is normal before entering
the fast path of looking up the DOM wrapper cache.
We can sometimes constant-fold this GetGlobalObject. For example, if we performed
CheckStructure, the structure can offer the information about the possible result
of GetGlobalObject. By using this constant-folded global object, we can drop some
checks.

This patch introduces the way to tell the constant-folded values to DOMJIT::Patchpoint.
We pass DOMJIT::Value instead of DOMJIT::Reg as a parameter of DOMJIT::PatchpointParams.
This DOMJIT::Value is a pair of DOMJIT::Reg and JSValue. If the given parameter has a
constant value, this JSValue is filled with it.

* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGDOMJITPatchpointParams.h:
(JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCallDOM):
(JSC::DFG::SpeculativeJIT::compileCheckDOM):
* domjit/DOMJITPatchpointParams.h:
(JSC::DOMJIT::PatchpointParams::at):
(JSC::DOMJIT::PatchpointParams::operator[]):
(JSC::DOMJIT::PatchpointParams::PatchpointParams):
* domjit/DOMJITValue.h: Copied from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h.
(JSC::DOMJIT::Value::Value):
(JSC::DOMJIT::Value::isGPR):
(JSC::DOMJIT::Value::isFPR):
(JSC::DOMJIT::Value::isJSValueRegs):
(JSC::DOMJIT::Value::gpr):
(JSC::DOMJIT::Value::fpr):
(JSC::DOMJIT::Value::jsValueRegs):
(JSC::DOMJIT::Value::reg):
(JSC::DOMJIT::Value::value):
* ftl/FTLDOMJITPatchpointParams.h:
(JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
(JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):

Source/WebCore:

* domjit/DOMJITHelpers.h:
(WebCore::DOMJITHelpers::toWrapper):
* domjit/JSNodeDOMJIT.cpp:
(WebCore::createCallDOMForOffsetAccess):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@207166 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h
Source/JavaScriptCore/domjit/DOMJITValue.h [new file with mode: 0644]
Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.h
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/WebCore/ChangeLog
Source/WebCore/domjit/DOMJITHelpers.h
Source/WebCore/domjit/JSNodeDOMJIT.cpp

index 6b47577..eca9b65 100644 (file)
@@ -1,3 +1,49 @@
+2016-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        [DOMJIT] DOMJIT::Patchpoint should have a way to receive constant folded arguments
+        https://bugs.webkit.org/show_bug.cgi?id=163224
+
+        Reviewed by Filip Pizlo.
+
+        We use the GetGlobalObject DFG node to retrieve a global object from a DOM node.
+        This global object is necessary to check whether the world is normal before entering
+        the fast path of looking up the DOM wrapper cache.
+        We can sometimes constant-fold this GetGlobalObject. For example, if we performed
+        CheckStructure, the structure can offer the information about the possible result
+        of GetGlobalObject. By using this constant-folded global object, we can drop some
+        checks.
+
+        This patch introduces the way to tell the constant-folded values to DOMJIT::Patchpoint.
+        We pass DOMJIT::Value instead of DOMJIT::Reg as a parameter of DOMJIT::PatchpointParams.
+        This DOMJIT::Value is a pair of DOMJIT::Reg and JSValue. If the given parameter has a
+        constant value, this JSValue is filled with it.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * dfg/DFGDOMJITPatchpointParams.h:
+        (JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileCallDOM):
+        (JSC::DFG::SpeculativeJIT::compileCheckDOM):
+        * domjit/DOMJITPatchpointParams.h:
+        (JSC::DOMJIT::PatchpointParams::at):
+        (JSC::DOMJIT::PatchpointParams::operator[]):
+        (JSC::DOMJIT::PatchpointParams::PatchpointParams):
+        * domjit/DOMJITValue.h: Copied from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h.
+        (JSC::DOMJIT::Value::Value):
+        (JSC::DOMJIT::Value::isGPR):
+        (JSC::DOMJIT::Value::isFPR):
+        (JSC::DOMJIT::Value::isJSValueRegs):
+        (JSC::DOMJIT::Value::gpr):
+        (JSC::DOMJIT::Value::fpr):
+        (JSC::DOMJIT::Value::jsValueRegs):
+        (JSC::DOMJIT::Value::reg):
+        (JSC::DOMJIT::Value::value):
+        * ftl/FTLDOMJITPatchpointParams.h:
+        (JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCallDOM):
+
 2016-10-10  Filip Pizlo  <fpizlo@apple.com>
 
         Air should be able to replace constant materializations with adds
index e5727f5..8e7be67 100644 (file)
                E3EF88741B66DF23003F26CB /* JSPropertyNameIterator.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E3EF88721B66DF23003F26CB /* JSPropertyNameIterator.cpp */; };
                E3EF88751B66DF23003F26CB /* JSPropertyNameIterator.h in Headers */ = {isa = PBXBuildFile; fileRef = E3EF88731B66DF23003F26CB /* JSPropertyNameIterator.h */; settings = {ATTRIBUTES = (Private, ); }; };
                E3FF75331D9CEA1800C7E16D /* DOMJITGetterSetter.h in Headers */ = {isa = PBXBuildFile; fileRef = E3FF752F1D9CEA1200C7E16D /* DOMJITGetterSetter.h */; settings = {ATTRIBUTES = (Private, ); }; };
+               E3FFC8531DAD7D1500DEA53E /* DOMJITValue.h in Headers */ = {isa = PBXBuildFile; fileRef = E3FFC8521DAD7D1000DEA53E /* DOMJITValue.h */; settings = {ATTRIBUTES = (Private, ); }; };
                E49DC16B12EF293E00184A1F /* SourceProviderCache.cpp in Sources */ = {isa = PBXBuildFile; fileRef = E49DC15512EF277200184A1F /* SourceProviderCache.cpp */; };
                E49DC16C12EF294E00184A1F /* SourceProviderCache.h in Headers */ = {isa = PBXBuildFile; fileRef = E49DC15112EF272200184A1F /* SourceProviderCache.h */; settings = {ATTRIBUTES = (Private, ); }; };
                E49DC16D12EF295300184A1F /* SourceProviderCacheItem.h in Headers */ = {isa = PBXBuildFile; fileRef = E49DC14912EF261A00184A1F /* SourceProviderCacheItem.h */; settings = {ATTRIBUTES = (Private, ); }; };
                E3EF88721B66DF23003F26CB /* JSPropertyNameIterator.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSPropertyNameIterator.cpp; sourceTree = "<group>"; };
                E3EF88731B66DF23003F26CB /* JSPropertyNameIterator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSPropertyNameIterator.h; sourceTree = "<group>"; };
                E3FF752F1D9CEA1200C7E16D /* DOMJITGetterSetter.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITGetterSetter.h; sourceTree = "<group>"; };
+               E3FFC8521DAD7D1000DEA53E /* DOMJITValue.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITValue.h; sourceTree = "<group>"; };
                E49DC14912EF261A00184A1F /* SourceProviderCacheItem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SourceProviderCacheItem.h; sourceTree = "<group>"; };
                E49DC15112EF272200184A1F /* SourceProviderCache.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SourceProviderCache.h; sourceTree = "<group>"; };
                E49DC15512EF277200184A1F /* SourceProviderCache.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SourceProviderCache.cpp; sourceTree = "<group>"; };
                                E37AD83A1DA4928000F3D412 /* DOMJITPatchpointParams.h */,
                                E37AD83B1DA4928000F3D412 /* DOMJITReg.h */,
                                E3CB1E241DA7540A00FA1E56 /* DOMJITSlowPathCalls.h */,
+                               E3FFC8521DAD7D1000DEA53E /* DOMJITValue.h */,
                        );
                        path = domjit;
                        sourceTree = "<group>";
                                0FFFC95814EF90A200C72532 /* DFGCFAPhase.h in Headers */,
                                0F338DFE1BED51270013C88F /* AirSimplifyCFG.h in Headers */,
                                0F3B3A281544C997003ED0FF /* DFGCFGSimplificationPhase.h in Headers */,
+                               E3FFC8531DAD7D1500DEA53E /* DOMJITValue.h in Headers */,
                                0F9D36951AE9CC33000D4DFB /* DFGCleanUpPhase.h in Headers */,
                                A77A424017A0BBFD00A8DB81 /* DFGClobberize.h in Headers */,
                                0F37308D1C0BD29100052BFA /* B3PhiChildren.h in Headers */,
index 346d0da..46fdd4b 100644 (file)
@@ -35,7 +35,7 @@ class SpeculativeJIT;
 
 class DOMJITPatchpointParams : public DOMJIT::PatchpointParams {
 public:
-    DOMJITPatchpointParams(SpeculativeJIT* jit, Vector<DOMJIT::Reg>&& regs, Vector<GPRReg>&& gpScratch, Vector<FPRReg>&& fpScratch)
+    DOMJITPatchpointParams(SpeculativeJIT* jit, Vector<DOMJIT::Value>&& regs, Vector<GPRReg>&& gpScratch, Vector<FPRReg>&& fpScratch)
         : DOMJIT::PatchpointParams(WTFMove(regs), WTFMove(gpScratch), WTFMove(fpScratch))
         , m_jit(jit)
     {
index 84421ef..8df5140 100644 (file)
@@ -7134,7 +7134,7 @@ void SpeculativeJIT::compileCallDOM(Node* node)
 
     Vector<GPRReg> gpScratch;
     Vector<FPRReg> fpScratch;
-    Vector<DOMJIT::Reg> regs;
+    Vector<DOMJIT::Value> regs;
 
     // FIXME: patchpoint should have a way to tell this can reuse "base" register.
     // Teaching DFG about DOMJIT::Patchpoint clobber information is nice.
@@ -7143,8 +7143,8 @@ void SpeculativeJIT::compileCallDOM(Node* node)
     JSValueRegsTemporary result(this);
 
     regs.append(result.regs());
-    regs.append(globalObject.gpr());
-    regs.append(base.gpr());
+    regs.append(DOMJIT::Value(globalObject.gpr(), m_state.forNode(m_jit.graph().varArgChild(node, 0)).value()));
+    regs.append(DOMJIT::Value(base.gpr(), m_state.forNode(m_jit.graph().varArgChild(node, 1)).value()));
 #if USE(JSVALUE64)
     regs.append(static_cast<GPRReg>(GPRInfo::tagMaskRegister));
     regs.append(static_cast<GPRReg>(GPRInfo::tagTypeNumberRegister));
@@ -7165,11 +7165,11 @@ void SpeculativeJIT::compileCheckDOM(Node* node)
 
     Vector<GPRReg> gpScratch;
     Vector<FPRReg> fpScratch;
-    Vector<DOMJIT::Reg> regs;
+    Vector<DOMJIT::Value> regs;
 
     SpeculateCellOperand base(this, node->child1());
     GPRReg baseGPR = base.gpr();
-    regs.append(baseGPR);
+    regs.append(DOMJIT::Value(baseGPR, m_state.forNode(node->child1()).value()));
 
     Vector<GPRTemporary> gpTempraries;
     Vector<FPRTemporary> fpTempraries;
index a04ed1b..aeece1b 100644 (file)
@@ -28,8 +28,8 @@
 #if ENABLE(JIT)
 
 #include "CCallHelpers.h"
-#include "DOMJITReg.h"
 #include "DOMJITSlowPathCalls.h"
+#include "DOMJITValue.h"
 #include "JITOperations.h"
 #include "RegisterSet.h"
 
@@ -41,13 +41,13 @@ public:
     virtual ~PatchpointParams() { }
 
     unsigned size() const { return m_regs.size(); }
-    const Reg& at(unsigned index) const { return m_regs[index]; }
-    const Reg& operator[](unsigned index) const { return at(index); }
+    const Value& at(unsigned index) const { return m_regs[index]; }
+    const Value& operator[](unsigned index) const { return at(index); }
 
     GPRReg gpScratch(unsigned index) const { return m_gpScratch[index]; }
     FPRReg fpScratch(unsigned index) const { return m_fpScratch[index]; }
 
-    PatchpointParams(Vector<Reg>&& regs, Vector<GPRReg>&& gpScratch, Vector<FPRReg>&& fpScratch)
+    PatchpointParams(Vector<Value>&& regs, Vector<GPRReg>&& gpScratch, Vector<FPRReg>&& fpScratch)
         : m_regs(WTFMove(regs))
         , m_gpScratch(WTFMove(gpScratch))
         , m_fpScratch(WTFMove(fpScratch))
@@ -65,7 +65,7 @@ private:
     DOMJIT_SLOW_PATH_CALLS(JSC_DEFINE_CALL_OPERATIONS)
 #undef JSC_DEFINE_CALL_OPERATIONS
 
-    Vector<Reg> m_regs;
+    Vector<Value> m_regs;
     Vector<GPRReg> m_gpScratch;
     Vector<FPRReg> m_fpScratch;
 };
diff --git a/Source/JavaScriptCore/domjit/DOMJITValue.h b/Source/JavaScriptCore/domjit/DOMJITValue.h
new file mode 100644 (file)
index 0000000..de6cb93
--- /dev/null
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include "DOMJITReg.h"
+
+#if ENABLE(JIT)
+
+namespace JSC { namespace DOMJIT {
+
+class Value {
+public:
+    Value(Reg reg)
+        : m_reg(reg)
+    {
+    }
+
+    Value(Reg reg, JSValue value)
+        : m_reg(reg)
+        , m_value(value)
+    {
+    }
+
+    bool isGPR() const { return m_reg.isGPR(); }
+    bool isFPR() const { return m_reg.isFPR(); }
+    bool isJSValueRegs() const { return m_reg.isJSValueRegs(); }
+    GPRReg gpr() const { return m_reg.gpr(); }
+    FPRReg fpr() const { return m_reg.fpr(); }
+    JSValueRegs jsValueRegs() const { return m_reg.jsValueRegs(); }
+
+    Reg reg() const
+    {
+        return m_reg;
+    }
+
+    JSValue value() const
+    {
+        return m_value;
+    }
+
+private:
+    Reg m_reg;
+    JSValue m_value;
+};
+
+} }
+
+#endif
index 5d0f5b6..2d13eea 100644 (file)
@@ -36,7 +36,7 @@ class State;
 
 class DOMJITPatchpointParams : public DOMJIT::PatchpointParams {
 public:
-    DOMJITPatchpointParams(State& state, const B3::StackmapGenerationParams& params, DFG::Node* node, Box<CCallHelpers::JumpList> exceptions, Vector<DOMJIT::Reg>&& regs, Vector<GPRReg>&& gpScratch, Vector<FPRReg>&& fpScratch)
+    DOMJITPatchpointParams(State& state, const B3::StackmapGenerationParams& params, DFG::Node* node, Box<CCallHelpers::JumpList> exceptions, Vector<DOMJIT::Value>&& regs, Vector<GPRReg>&& gpScratch, Vector<FPRReg>&& fpScratch)
         : DOMJIT::PatchpointParams(WTFMove(regs), WTFMove(gpScratch), WTFMove(fpScratch))
         , m_state(state)
         , m_params(params)
index b5b6fc6..6e79717 100644 (file)
@@ -8739,14 +8739,15 @@ private:
         unsigned osrExitArgumentOffset = patchpoint->numChildren();
         OSRExitDescriptor* exitDescriptor = appendOSRExitDescriptor(jsValueValue(cell), m_node->child1().node());
         patchpoint->appendColdAnys(buildExitArguments(exitDescriptor, origin.forExit, jsValueValue(cell)));
+        JSValue child1Constant = m_state.forNode(m_node->child1()).value();
 
         patchpoint->setGenerator(
             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
                 Vector<GPRReg> gpScratch;
                 Vector<FPRReg> fpScratch;
-                Vector<DOMJIT::Reg> regs;
+                Vector<DOMJIT::Value> regs;
 
-                regs.append(params[0].gpr());
+                regs.append(DOMJIT::Value(params[0].gpr(), child1Constant));
 
                 for (unsigned i = 0; i < domJIT->numGPScratchRegisters; ++i)
                     gpScratch.append(params.gpScratch(i));
@@ -8785,19 +8786,21 @@ private:
 
         State* state = &m_ftlState;
         Node* node = m_node;
+        JSValue child1Constant = m_state.forNode(m_graph.varArgChild(m_node, 0)).value();
+        JSValue child2Constant = m_state.forNode(m_graph.varArgChild(m_node, 1)).value();
         patchpoint->setGenerator(
             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
                 AllowMacroScratchRegisterUsage allowScratch(jit);
 
                 Vector<GPRReg> gpScratch;
                 Vector<FPRReg> fpScratch;
-                Vector<DOMJIT::Reg> regs;
+                Vector<DOMJIT::Value> regs;
 
                 // FIXME: patchpoint should have a way to tell this can reuse "base" register.
                 // Teaching DFG about DOMJIT::Patchpoint clobber information is nice.
                 regs.append(JSValueRegs(params[0].gpr()));
-                regs.append(params[1].gpr());
-                regs.append(params[2].gpr());
+                regs.append(DOMJIT::Value(params[1].gpr(), child1Constant));
+                regs.append(DOMJIT::Value(params[2].gpr(), child2Constant));
 
                 for (unsigned i = 0; i < domJIT->numGPScratchRegisters; ++i)
                     gpScratch.append(params.gpScratch(i));
index 482b61a..a00e173 100644 (file)
@@ -1,3 +1,15 @@
+2016-10-11  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        [DOMJIT] DOMJIT::Patchpoint should have a way to receive constant folded arguments
+        https://bugs.webkit.org/show_bug.cgi?id=163224
+
+        Reviewed by Filip Pizlo.
+
+        * domjit/DOMJITHelpers.h:
+        (WebCore::DOMJITHelpers::toWrapper):
+        * domjit/JSNodeDOMJIT.cpp:
+        (WebCore::createCallDOMForOffsetAccess):
+
 2016-10-11  Alex Christensen  <achristensen@webkit.org>
 
         Enable URLParser by default
index 8991624..dbe5365 100644 (file)
@@ -59,13 +59,22 @@ void tryLookUpWrapperCache(CCallHelpers& jit, CCallHelpers::JumpList& failureCas
 }
 
 template<typename WrappedType, typename ToJSFunction>
-void toWrapper(CCallHelpers& jit, const JSC::DOMJIT::PatchpointParams& params, GPRReg wrapped, GPRReg globalObject, JSValueRegs result, ToJSFunction function)
+void toWrapper(CCallHelpers& jit, const JSC::DOMJIT::PatchpointParams& params, GPRReg wrapped, GPRReg globalObject, JSValueRegs result, ToJSFunction function, JSC::JSValue globalObjectConstant)
 {
     ASSERT(wrapped != result.payloadGPR());
     ASSERT(globalObject != result.payloadGPR());
     GPRReg payloadGPR = result.payloadGPR();
     CCallHelpers::JumpList slowCases;
-    slowCases.append(branchIfNotWorldIsNormal(jit, globalObject));
+
+    if (globalObjectConstant) {
+        if (!JSC::jsCast<JSDOMGlobalObject*>(globalObjectConstant)->worldIsNormal()) {
+            slowCases.append(jit.jump());
+            params.addSlowPathCall(slowCases, jit, function, result, globalObject, wrapped);
+            return;
+        }
+    } else
+        slowCases.append(branchIfNotWorldIsNormal(jit, globalObject));
+
     tryLookUpWrapperCache<WrappedType>(jit, slowCases, wrapped, payloadGPR);
     jit.boxCell(payloadGPR, result);
     params.addSlowPathCall(slowCases, jit, function, result, globalObject, wrapped);
index f360663..a79f095 100644 (file)
@@ -70,7 +70,7 @@ static Ref<DOMJIT::Patchpoint> createCallDOMForOffsetAccess(ptrdiff_t offset, Is
         jit.loadPtr(CCallHelpers::Address(scratch, offset), scratch);
         nullCases.append(jit.branchTestPtr(CCallHelpers::Zero, scratch));
 
-        DOMJITHelpers::toWrapper<WrappedNode>(jit, params, scratch, globalObject, result, toWrapperSlow<WrappedNode>);
+        DOMJITHelpers::toWrapper<WrappedNode>(jit, params, scratch, globalObject, result, toWrapperSlow<WrappedNode>, params[1].value());
         CCallHelpers::Jump done = jit.jump();
 
         nullCases.link(&jit);