Regression(r188105): Seems to have caused crashes during PLT on some iPads
authorcdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 9 Aug 2015 22:55:54 +0000 (22:55 +0000)
committercdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 9 Aug 2015 22:55:54 +0000 (22:55 +0000)
https://bugs.webkit.org/show_bug.cgi?id=147818

Unreviewed, roll out r188105.

Source/JavaScriptCore:

* bytecode/ByValInfo.h:
(JSC::ByValInfo::ByValInfo):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::getByValInfoMap): Deleted.
(JSC::CodeBlock::addByValInfo): Deleted.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::getByValInfo):
(JSC::CodeBlock::setNumberOfByValInfos):
(JSC::CodeBlock::numberOfByValInfos):
(JSC::CodeBlock::byValInfo):
* bytecode/ExitKind.cpp:
(JSC::exitKindToString): Deleted.
* bytecode/ExitKind.h:
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFor):
(JSC::GetByIdStatus::computeForStubInfo):
(JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback): Deleted.
* bytecode/GetByIdStatus.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): Deleted.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize): Deleted.
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants): Deleted.
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC): Deleted.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode): Deleted.
(JSC::DFG::FixupPhase::observeUseKindOnNode): Deleted.
* dfg/DFGNode.h:
(JSC::DFG::Node::hasUidOperand): Deleted.
(JSC::DFG::Node::uidOperand): Deleted.
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate): Deleted.
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()): Deleted.
(JSC::DFG::safeToExecute): Deleted.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCheckIdent): Deleted.
(JSC::DFG::SpeculativeJIT::speculateSymbol): Deleted.
(JSC::DFG::SpeculativeJIT::speculate): Deleted.
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile): Deleted.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile): Deleted.
* dfg/DFGUseKind.cpp:
(WTF::printInternal): Deleted.
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor): Deleted.
(JSC::DFG::isCell): Deleted.
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile): Deleted.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::DFG::LowerDFGToLLVM::compileNode): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::compileCheckIdent): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::lowSymbol): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::speculate): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::isNotSymbol): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::speculateSymbol): Deleted.
* jit/JIT.cpp:
(JSC::JIT::privateCompile):
* jit/JIT.h:
(JSC::ByValCompilationInfo::ByValCompilationInfo):
(JSC::JIT::compileGetByValWithCachedId): Deleted.
* jit/JITInlines.h:
(JSC::JIT::callOperation): Deleted.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_has_indexed_property):
(JSC::JIT::emitSlow_op_has_indexed_property):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_has_indexed_property):
(JSC::JIT::emitSlow_op_has_indexed_property):
* jit/JITOperations.cpp:
(JSC::getByVal):
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::emitGetByValWithCachedId): Deleted.
(JSC::JIT::privateCompileGetByVal): Deleted.
(JSC::JIT::privateCompileGetByValWithCachedId): Deleted.
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::emitGetByValWithCachedId): Deleted.
* runtime/Symbol.h:
* tests/stress/get-by-val-with-string-constructor.js: Removed.
* tests/stress/get-by-val-with-string-exit.js: Removed.
* tests/stress/get-by-val-with-string-generated.js: Removed.
* tests/stress/get-by-val-with-string-getter.js: Removed.
* tests/stress/get-by-val-with-string.js: Removed.
* tests/stress/get-by-val-with-symbol-constructor.js: Removed.
* tests/stress/get-by-val-with-symbol-exit.js: Removed.
* tests/stress/get-by-val-with-symbol-getter.js: Removed.
* tests/stress/get-by-val-with-symbol.js: Removed.

LayoutTests:

* js/regress/get-by-val-with-string-bimorphic-check-structure-elimination-expected.txt: Removed.
* js/regress/get-by-val-with-string-bimorphic-check-structure-elimination-simple-expected.txt: Removed.
* js/regress/get-by-val-with-string-bimorphic-check-structure-elimination-simple.html: Removed.
* js/regress/get-by-val-with-string-bimorphic-check-structure-elimination.html: Removed.
* js/regress/get-by-val-with-string-chain-from-try-block-expected.txt: Removed.
* js/regress/get-by-val-with-string-chain-from-try-block.html: Removed.
* js/regress/get-by-val-with-string-check-structure-elimination-expected.txt: Removed.
* js/regress/get-by-val-with-string-check-structure-elimination.html: Removed.
* js/regress/get-by-val-with-string-proto-or-self-expected.txt: Removed.
* js/regress/get-by-val-with-string-proto-or-self.html: Removed.
* js/regress/get-by-val-with-string-quadmorphic-check-structure-elimination-simple-expected.txt: Removed.
* js/regress/get-by-val-with-string-quadmorphic-check-structure-elimination-simple.html: Removed.
* js/regress/get-by-val-with-string-self-or-proto-expected.txt: Removed.
* js/regress/get-by-val-with-string-self-or-proto.html: Removed.
* js/regress/get-by-val-with-symbol-bimorphic-check-structure-elimination-expected.txt: Removed.
* js/regress/get-by-val-with-symbol-bimorphic-check-structure-elimination-simple-expected.txt: Removed.
* js/regress/get-by-val-with-symbol-bimorphic-check-structure-elimination-simple.html: Removed.
* js/regress/get-by-val-with-symbol-bimorphic-check-structure-elimination.html: Removed.
* js/regress/get-by-val-with-symbol-chain-from-try-block-expected.txt: Removed.
* js/regress/get-by-val-with-symbol-chain-from-try-block.html: Removed.
* js/regress/get-by-val-with-symbol-check-structure-elimination-expected.txt: Removed.
* js/regress/get-by-val-with-symbol-check-structure-elimination.html: Removed.
* js/regress/get-by-val-with-symbol-proto-or-self-expected.txt: Removed.
* js/regress/get-by-val-with-symbol-proto-or-self.html: Removed.
* js/regress/get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple-expected.txt: Removed.
* js/regress/get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple.html: Removed.
* js/regress/get-by-val-with-symbol-self-or-proto-expected.txt: Removed.
* js/regress/get-by-val-with-symbol-self-or-proto.html: Removed.
* js/regress/script-tests/get-by-val-with-string-bimorphic-check-structure-elimination-simple.js: Removed.
* js/regress/script-tests/get-by-val-with-string-bimorphic-check-structure-elimination.js: Removed.
* js/regress/script-tests/get-by-val-with-string-chain-from-try-block.js: Removed.
* js/regress/script-tests/get-by-val-with-string-check-structure-elimination.js: Removed.
* js/regress/script-tests/get-by-val-with-string-proto-or-self.js: Removed.
* js/regress/script-tests/get-by-val-with-string-quadmorphic-check-structure-elimination-simple.js: Removed.
* js/regress/script-tests/get-by-val-with-string-self-or-proto.js: Removed.
* js/regress/script-tests/get-by-val-with-symbol-bimorphic-check-structure-elimination-simple.js: Removed.
* js/regress/script-tests/get-by-val-with-symbol-bimorphic-check-structure-elimination.js: Removed.
* js/regress/script-tests/get-by-val-with-symbol-chain-from-try-block.js: Removed.
* js/regress/script-tests/get-by-val-with-symbol-check-structure-elimination.js: Removed.
* js/regress/script-tests/get-by-val-with-symbol-proto-or-self.js: Removed.
* js/regress/script-tests/get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple.js: Removed.
* js/regress/script-tests/get-by-val-with-symbol-self-or-proto.js: Removed.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@188201 268f45cc-cd09-0410-ab3c-d52691b4dbfc

89 files changed:
LayoutTests/ChangeLog
LayoutTests/js/regress/get-by-val-with-string-bimorphic-check-structure-elimination-expected.txt [deleted file]
LayoutTests/js/regress/get-by-val-with-string-bimorphic-check-structure-elimination-simple-expected.txt [deleted file]
LayoutTests/js/regress/get-by-val-with-string-bimorphic-check-structure-elimination-simple.html [deleted file]
LayoutTests/js/regress/get-by-val-with-string-bimorphic-check-structure-elimination.html [deleted file]
LayoutTests/js/regress/get-by-val-with-string-chain-from-try-block-expected.txt [deleted file]
LayoutTests/js/regress/get-by-val-with-string-chain-from-try-block.html [deleted file]
LayoutTests/js/regress/get-by-val-with-string-check-structure-elimination-expected.txt [deleted file]
LayoutTests/js/regress/get-by-val-with-string-check-structure-elimination.html [deleted file]
LayoutTests/js/regress/get-by-val-with-string-proto-or-self-expected.txt [deleted file]
LayoutTests/js/regress/get-by-val-with-string-proto-or-self.html [deleted file]
LayoutTests/js/regress/get-by-val-with-string-quadmorphic-check-structure-elimination-simple-expected.txt [deleted file]
LayoutTests/js/regress/get-by-val-with-string-quadmorphic-check-structure-elimination-simple.html [deleted file]
LayoutTests/js/regress/get-by-val-with-string-self-or-proto-expected.txt [deleted file]
LayoutTests/js/regress/get-by-val-with-string-self-or-proto.html [deleted file]
LayoutTests/js/regress/get-by-val-with-symbol-bimorphic-check-structure-elimination-expected.txt [deleted file]
LayoutTests/js/regress/get-by-val-with-symbol-bimorphic-check-structure-elimination-simple-expected.txt [deleted file]
LayoutTests/js/regress/get-by-val-with-symbol-bimorphic-check-structure-elimination-simple.html [deleted file]
LayoutTests/js/regress/get-by-val-with-symbol-bimorphic-check-structure-elimination.html [deleted file]
LayoutTests/js/regress/get-by-val-with-symbol-chain-from-try-block-expected.txt [deleted file]
LayoutTests/js/regress/get-by-val-with-symbol-chain-from-try-block.html [deleted file]
LayoutTests/js/regress/get-by-val-with-symbol-check-structure-elimination-expected.txt [deleted file]
LayoutTests/js/regress/get-by-val-with-symbol-check-structure-elimination.html [deleted file]
LayoutTests/js/regress/get-by-val-with-symbol-proto-or-self-expected.txt [deleted file]
LayoutTests/js/regress/get-by-val-with-symbol-proto-or-self.html [deleted file]
LayoutTests/js/regress/get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple-expected.txt [deleted file]
LayoutTests/js/regress/get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple.html [deleted file]
LayoutTests/js/regress/get-by-val-with-symbol-self-or-proto-expected.txt [deleted file]
LayoutTests/js/regress/get-by-val-with-symbol-self-or-proto.html [deleted file]
LayoutTests/js/regress/script-tests/get-by-val-with-string-bimorphic-check-structure-elimination-simple.js [deleted file]
LayoutTests/js/regress/script-tests/get-by-val-with-string-bimorphic-check-structure-elimination.js [deleted file]
LayoutTests/js/regress/script-tests/get-by-val-with-string-chain-from-try-block.js [deleted file]
LayoutTests/js/regress/script-tests/get-by-val-with-string-check-structure-elimination.js [deleted file]
LayoutTests/js/regress/script-tests/get-by-val-with-string-proto-or-self.js [deleted file]
LayoutTests/js/regress/script-tests/get-by-val-with-string-quadmorphic-check-structure-elimination-simple.js [deleted file]
LayoutTests/js/regress/script-tests/get-by-val-with-string-self-or-proto.js [deleted file]
LayoutTests/js/regress/script-tests/get-by-val-with-symbol-bimorphic-check-structure-elimination-simple.js [deleted file]
LayoutTests/js/regress/script-tests/get-by-val-with-symbol-bimorphic-check-structure-elimination.js [deleted file]
LayoutTests/js/regress/script-tests/get-by-val-with-symbol-chain-from-try-block.js [deleted file]
LayoutTests/js/regress/script-tests/get-by-val-with-symbol-check-structure-elimination.js [deleted file]
LayoutTests/js/regress/script-tests/get-by-val-with-symbol-proto-or-self.js [deleted file]
LayoutTests/js/regress/script-tests/get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple.js [deleted file]
LayoutTests/js/regress/script-tests/get-by-val-with-symbol-self-or-proto.js [deleted file]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/ByValInfo.h
Source/JavaScriptCore/bytecode/CodeBlock.cpp
Source/JavaScriptCore/bytecode/CodeBlock.h
Source/JavaScriptCore/bytecode/ExitKind.cpp
Source/JavaScriptCore/bytecode/ExitKind.h
Source/JavaScriptCore/bytecode/GetByIdStatus.cpp
Source/JavaScriptCore/bytecode/GetByIdStatus.h
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
Source/JavaScriptCore/dfg/DFGClobberize.h
Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
Source/JavaScriptCore/dfg/DFGDoesGC.cpp
Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
Source/JavaScriptCore/dfg/DFGNode.h
Source/JavaScriptCore/dfg/DFGNodeType.h
Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
Source/JavaScriptCore/dfg/DFGSafeToExecute.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
Source/JavaScriptCore/dfg/DFGUseKind.cpp
Source/JavaScriptCore/dfg/DFGUseKind.h
Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h
Source/JavaScriptCore/ftl/FTLCapabilities.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp
Source/JavaScriptCore/jit/JIT.cpp
Source/JavaScriptCore/jit/JIT.h
Source/JavaScriptCore/jit/JITInlines.h
Source/JavaScriptCore/jit/JITOpcodes.cpp
Source/JavaScriptCore/jit/JITOpcodes32_64.cpp
Source/JavaScriptCore/jit/JITOperations.cpp
Source/JavaScriptCore/jit/JITOperations.h
Source/JavaScriptCore/jit/JITPropertyAccess.cpp
Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp
Source/JavaScriptCore/runtime/Symbol.h
Source/JavaScriptCore/tests/stress/get-by-val-with-string-constructor.js [deleted file]
Source/JavaScriptCore/tests/stress/get-by-val-with-string-exit.js [deleted file]
Source/JavaScriptCore/tests/stress/get-by-val-with-string-generated.js [deleted file]
Source/JavaScriptCore/tests/stress/get-by-val-with-string-getter.js [deleted file]
Source/JavaScriptCore/tests/stress/get-by-val-with-string.js [deleted file]
Source/JavaScriptCore/tests/stress/get-by-val-with-symbol-constructor.js [deleted file]
Source/JavaScriptCore/tests/stress/get-by-val-with-symbol-exit.js [deleted file]
Source/JavaScriptCore/tests/stress/get-by-val-with-symbol-getter.js [deleted file]
Source/JavaScriptCore/tests/stress/get-by-val-with-symbol.js [deleted file]

index dbbc14f..206d187 100644 (file)
@@ -1,3 +1,53 @@
+2015-08-09  Chris Dumez  <cdumez@apple.com>
+
+        Regression(r188105): Seems to have caused crashes during PLT on some iPads
+        https://bugs.webkit.org/show_bug.cgi?id=147818
+
+        Unreviewed, roll out r188105.
+
+        * js/regress/get-by-val-with-string-bimorphic-check-structure-elimination-expected.txt: Removed.
+        * js/regress/get-by-val-with-string-bimorphic-check-structure-elimination-simple-expected.txt: Removed.
+        * js/regress/get-by-val-with-string-bimorphic-check-structure-elimination-simple.html: Removed.
+        * js/regress/get-by-val-with-string-bimorphic-check-structure-elimination.html: Removed.
+        * js/regress/get-by-val-with-string-chain-from-try-block-expected.txt: Removed.
+        * js/regress/get-by-val-with-string-chain-from-try-block.html: Removed.
+        * js/regress/get-by-val-with-string-check-structure-elimination-expected.txt: Removed.
+        * js/regress/get-by-val-with-string-check-structure-elimination.html: Removed.
+        * js/regress/get-by-val-with-string-proto-or-self-expected.txt: Removed.
+        * js/regress/get-by-val-with-string-proto-or-self.html: Removed.
+        * js/regress/get-by-val-with-string-quadmorphic-check-structure-elimination-simple-expected.txt: Removed.
+        * js/regress/get-by-val-with-string-quadmorphic-check-structure-elimination-simple.html: Removed.
+        * js/regress/get-by-val-with-string-self-or-proto-expected.txt: Removed.
+        * js/regress/get-by-val-with-string-self-or-proto.html: Removed.
+        * js/regress/get-by-val-with-symbol-bimorphic-check-structure-elimination-expected.txt: Removed.
+        * js/regress/get-by-val-with-symbol-bimorphic-check-structure-elimination-simple-expected.txt: Removed.
+        * js/regress/get-by-val-with-symbol-bimorphic-check-structure-elimination-simple.html: Removed.
+        * js/regress/get-by-val-with-symbol-bimorphic-check-structure-elimination.html: Removed.
+        * js/regress/get-by-val-with-symbol-chain-from-try-block-expected.txt: Removed.
+        * js/regress/get-by-val-with-symbol-chain-from-try-block.html: Removed.
+        * js/regress/get-by-val-with-symbol-check-structure-elimination-expected.txt: Removed.
+        * js/regress/get-by-val-with-symbol-check-structure-elimination.html: Removed.
+        * js/regress/get-by-val-with-symbol-proto-or-self-expected.txt: Removed.
+        * js/regress/get-by-val-with-symbol-proto-or-self.html: Removed.
+        * js/regress/get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple-expected.txt: Removed.
+        * js/regress/get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple.html: Removed.
+        * js/regress/get-by-val-with-symbol-self-or-proto-expected.txt: Removed.
+        * js/regress/get-by-val-with-symbol-self-or-proto.html: Removed.
+        * js/regress/script-tests/get-by-val-with-string-bimorphic-check-structure-elimination-simple.js: Removed.
+        * js/regress/script-tests/get-by-val-with-string-bimorphic-check-structure-elimination.js: Removed.
+        * js/regress/script-tests/get-by-val-with-string-chain-from-try-block.js: Removed.
+        * js/regress/script-tests/get-by-val-with-string-check-structure-elimination.js: Removed.
+        * js/regress/script-tests/get-by-val-with-string-proto-or-self.js: Removed.
+        * js/regress/script-tests/get-by-val-with-string-quadmorphic-check-structure-elimination-simple.js: Removed.
+        * js/regress/script-tests/get-by-val-with-string-self-or-proto.js: Removed.
+        * js/regress/script-tests/get-by-val-with-symbol-bimorphic-check-structure-elimination-simple.js: Removed.
+        * js/regress/script-tests/get-by-val-with-symbol-bimorphic-check-structure-elimination.js: Removed.
+        * js/regress/script-tests/get-by-val-with-symbol-chain-from-try-block.js: Removed.
+        * js/regress/script-tests/get-by-val-with-symbol-check-structure-elimination.js: Removed.
+        * js/regress/script-tests/get-by-val-with-symbol-proto-or-self.js: Removed.
+        * js/regress/script-tests/get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple.js: Removed.
+        * js/regress/script-tests/get-by-val-with-symbol-self-or-proto.js: Removed.
+
 2015-08-09  Myles C. Maxfield  <mmaxfield@apple.com>
 
         Crash in ComplexTextController when laying out obscure text
diff --git a/LayoutTests/js/regress/get-by-val-with-string-bimorphic-check-structure-elimination-expected.txt b/LayoutTests/js/regress/get-by-val-with-string-bimorphic-check-structure-elimination-expected.txt
deleted file mode 100644 (file)
index accf43a..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-JSRegress/get-by-val-with-string-bimorphic-check-structure-elimination
-
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-
-PASS no exception thrown
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
diff --git a/LayoutTests/js/regress/get-by-val-with-string-bimorphic-check-structure-elimination-simple-expected.txt b/LayoutTests/js/regress/get-by-val-with-string-bimorphic-check-structure-elimination-simple-expected.txt
deleted file mode 100644 (file)
index 1b37c50..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-JSRegress/get-by-val-with-string-bimorphic-check-structure-elimination-simple
-
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-
-PASS no exception thrown
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
diff --git a/LayoutTests/js/regress/get-by-val-with-string-bimorphic-check-structure-elimination-simple.html b/LayoutTests/js/regress/get-by-val-with-string-bimorphic-check-structure-elimination-simple.html
deleted file mode 100644 (file)
index 0482c45..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<script src="../../resources/js-test-pre.js"></script>
-</head>
-<body>
-<script src="../../resources/regress-pre.js"></script>
-<script src="script-tests/get-by-val-with-symbol-bimorphic-check-structure-elimination-simple.js"></script>
-<script src="../../resources/regress-post.js"></script>
-<script src="../../resources/js-test-post.js"></script>
-</body>
-</html>
diff --git a/LayoutTests/js/regress/get-by-val-with-string-bimorphic-check-structure-elimination.html b/LayoutTests/js/regress/get-by-val-with-string-bimorphic-check-structure-elimination.html
deleted file mode 100644 (file)
index e9ef141..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<script src="../../resources/js-test-pre.js"></script>
-</head>
-<body>
-<script src="../../resources/regress-pre.js"></script>
-<script src="script-tests/get-by-val-with-symbol-bimorphic-check-structure-elimination.js"></script>
-<script src="../../resources/regress-post.js"></script>
-<script src="../../resources/js-test-post.js"></script>
-</body>
-</html>
diff --git a/LayoutTests/js/regress/get-by-val-with-string-chain-from-try-block-expected.txt b/LayoutTests/js/regress/get-by-val-with-string-chain-from-try-block-expected.txt
deleted file mode 100644 (file)
index 216a667..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-JSRegress/get-by-val-with-string-chain-from-try-block
-
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-
-PASS no exception thrown
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
diff --git a/LayoutTests/js/regress/get-by-val-with-string-chain-from-try-block.html b/LayoutTests/js/regress/get-by-val-with-string-chain-from-try-block.html
deleted file mode 100644 (file)
index e6c963a..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<script src="../../resources/js-test-pre.js"></script>
-</head>
-<body>
-<script src="../../resources/regress-pre.js"></script>
-<script src="script-tests/get-by-val-with-string-chain-from-try-block.js"></script>
-<script src="../../resources/regress-post.js"></script>
-<script src="../../resources/js-test-post.js"></script>
-</body>
-</html>
diff --git a/LayoutTests/js/regress/get-by-val-with-string-check-structure-elimination-expected.txt b/LayoutTests/js/regress/get-by-val-with-string-check-structure-elimination-expected.txt
deleted file mode 100644 (file)
index eec0fc7..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-JSRegress/get-by-val-with-string-check-structure-elimination
-
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-
-PASS no exception thrown
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
diff --git a/LayoutTests/js/regress/get-by-val-with-string-check-structure-elimination.html b/LayoutTests/js/regress/get-by-val-with-string-check-structure-elimination.html
deleted file mode 100644 (file)
index 836f58d..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<script src="../../resources/js-test-pre.js"></script>
-</head>
-<body>
-<script src="../../resources/regress-pre.js"></script>
-<script src="script-tests/get-by-val-with-string-check-structure-elimination.js"></script>
-<script src="../../resources/regress-post.js"></script>
-<script src="../../resources/js-test-post.js"></script>
-</body>
-</html>
diff --git a/LayoutTests/js/regress/get-by-val-with-string-proto-or-self-expected.txt b/LayoutTests/js/regress/get-by-val-with-string-proto-or-self-expected.txt
deleted file mode 100644 (file)
index bef92c9..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-JSRegress/get-by-val-with-string-proto-or-self
-
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-
-PASS no exception thrown
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
diff --git a/LayoutTests/js/regress/get-by-val-with-string-proto-or-self.html b/LayoutTests/js/regress/get-by-val-with-string-proto-or-self.html
deleted file mode 100644 (file)
index 76ab611..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<script src="../../resources/js-test-pre.js"></script>
-</head>
-<body>
-<script src="../../resources/regress-pre.js"></script>
-<script src="script-tests/get-by-val-with-string-proto-or-self.js"></script>
-<script src="../../resources/regress-post.js"></script>
-<script src="../../resources/js-test-post.js"></script>
-</body>
-</html>
diff --git a/LayoutTests/js/regress/get-by-val-with-string-quadmorphic-check-structure-elimination-simple-expected.txt b/LayoutTests/js/regress/get-by-val-with-string-quadmorphic-check-structure-elimination-simple-expected.txt
deleted file mode 100644 (file)
index 9b1aa57..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-JSRegress/get-by-val-with-string-quadmorphic-check-structure-elimination-simple
-
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-
-PASS no exception thrown
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
diff --git a/LayoutTests/js/regress/get-by-val-with-string-quadmorphic-check-structure-elimination-simple.html b/LayoutTests/js/regress/get-by-val-with-string-quadmorphic-check-structure-elimination-simple.html
deleted file mode 100644 (file)
index d3751b6..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<script src="../../resources/js-test-pre.js"></script>
-</head>
-<body>
-<script src="../../resources/regress-pre.js"></script>
-<script src="script-tests/get-by-val-with-string-quadmorphic-check-structure-elimination-simple.js"></script>
-<script src="../../resources/regress-post.js"></script>
-<script src="../../resources/js-test-post.js"></script>
-</body>
-</html>
diff --git a/LayoutTests/js/regress/get-by-val-with-string-self-or-proto-expected.txt b/LayoutTests/js/regress/get-by-val-with-string-self-or-proto-expected.txt
deleted file mode 100644 (file)
index 0421713..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-JSRegress/get-by-val-with-string-self-or-proto
-
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-
-PASS no exception thrown
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
diff --git a/LayoutTests/js/regress/get-by-val-with-string-self-or-proto.html b/LayoutTests/js/regress/get-by-val-with-string-self-or-proto.html
deleted file mode 100644 (file)
index d04a6b9..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<script src="../../resources/js-test-pre.js"></script>
-</head>
-<body>
-<script src="../../resources/regress-pre.js"></script>
-<script src="script-tests/get-by-val-with-string-self-or-proto.js"></script>
-<script src="../../resources/regress-post.js"></script>
-<script src="../../resources/js-test-post.js"></script>
-</body>
-</html>
diff --git a/LayoutTests/js/regress/get-by-val-with-symbol-bimorphic-check-structure-elimination-expected.txt b/LayoutTests/js/regress/get-by-val-with-symbol-bimorphic-check-structure-elimination-expected.txt
deleted file mode 100644 (file)
index 4100c5d..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-JSRegress/get-by-val-with-symbol-bimorphic-check-structure-elimination
-
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-
-PASS no exception thrown
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
diff --git a/LayoutTests/js/regress/get-by-val-with-symbol-bimorphic-check-structure-elimination-simple-expected.txt b/LayoutTests/js/regress/get-by-val-with-symbol-bimorphic-check-structure-elimination-simple-expected.txt
deleted file mode 100644 (file)
index 4390ed9..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-JSRegress/get-by-val-with-symbol-bimorphic-check-structure-elimination-simple
-
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-
-PASS no exception thrown
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
diff --git a/LayoutTests/js/regress/get-by-val-with-symbol-bimorphic-check-structure-elimination-simple.html b/LayoutTests/js/regress/get-by-val-with-symbol-bimorphic-check-structure-elimination-simple.html
deleted file mode 100644 (file)
index 0482c45..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<script src="../../resources/js-test-pre.js"></script>
-</head>
-<body>
-<script src="../../resources/regress-pre.js"></script>
-<script src="script-tests/get-by-val-with-symbol-bimorphic-check-structure-elimination-simple.js"></script>
-<script src="../../resources/regress-post.js"></script>
-<script src="../../resources/js-test-post.js"></script>
-</body>
-</html>
diff --git a/LayoutTests/js/regress/get-by-val-with-symbol-bimorphic-check-structure-elimination.html b/LayoutTests/js/regress/get-by-val-with-symbol-bimorphic-check-structure-elimination.html
deleted file mode 100644 (file)
index e9ef141..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<script src="../../resources/js-test-pre.js"></script>
-</head>
-<body>
-<script src="../../resources/regress-pre.js"></script>
-<script src="script-tests/get-by-val-with-symbol-bimorphic-check-structure-elimination.js"></script>
-<script src="../../resources/regress-post.js"></script>
-<script src="../../resources/js-test-post.js"></script>
-</body>
-</html>
diff --git a/LayoutTests/js/regress/get-by-val-with-symbol-chain-from-try-block-expected.txt b/LayoutTests/js/regress/get-by-val-with-symbol-chain-from-try-block-expected.txt
deleted file mode 100644 (file)
index c754bb0..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-JSRegress/get-by-val-with-symbol-chain-from-try-block
-
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-
-PASS no exception thrown
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
diff --git a/LayoutTests/js/regress/get-by-val-with-symbol-chain-from-try-block.html b/LayoutTests/js/regress/get-by-val-with-symbol-chain-from-try-block.html
deleted file mode 100644 (file)
index 7975f99..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<script src="../../resources/js-test-pre.js"></script>
-</head>
-<body>
-<script src="../../resources/regress-pre.js"></script>
-<script src="script-tests/get-by-val-with-symbol-chain-from-try-block.js"></script>
-<script src="../../resources/regress-post.js"></script>
-<script src="../../resources/js-test-post.js"></script>
-</body>
-</html>
diff --git a/LayoutTests/js/regress/get-by-val-with-symbol-check-structure-elimination-expected.txt b/LayoutTests/js/regress/get-by-val-with-symbol-check-structure-elimination-expected.txt
deleted file mode 100644 (file)
index 431494a..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-JSRegress/get-by-val-with-symbol-check-structure-elimination
-
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-
-PASS no exception thrown
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
diff --git a/LayoutTests/js/regress/get-by-val-with-symbol-check-structure-elimination.html b/LayoutTests/js/regress/get-by-val-with-symbol-check-structure-elimination.html
deleted file mode 100644 (file)
index d9bfaca..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<script src="../../resources/js-test-pre.js"></script>
-</head>
-<body>
-<script src="../../resources/regress-pre.js"></script>
-<script src="script-tests/get-by-val-with-symbol-check-structure-elimination.js"></script>
-<script src="../../resources/regress-post.js"></script>
-<script src="../../resources/js-test-post.js"></script>
-</body>
-</html>
diff --git a/LayoutTests/js/regress/get-by-val-with-symbol-proto-or-self-expected.txt b/LayoutTests/js/regress/get-by-val-with-symbol-proto-or-self-expected.txt
deleted file mode 100644 (file)
index a15d262..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-JSRegress/get-by-val-with-symbol-proto-or-self
-
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-
-PASS no exception thrown
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
diff --git a/LayoutTests/js/regress/get-by-val-with-symbol-proto-or-self.html b/LayoutTests/js/regress/get-by-val-with-symbol-proto-or-self.html
deleted file mode 100644 (file)
index 55815ce..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<script src="../../resources/js-test-pre.js"></script>
-</head>
-<body>
-<script src="../../resources/regress-pre.js"></script>
-<script src="script-tests/get-by-val-with-symbol-proto-or-self.js"></script>
-<script src="../../resources/regress-post.js"></script>
-<script src="../../resources/js-test-post.js"></script>
-</body>
-</html>
diff --git a/LayoutTests/js/regress/get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple-expected.txt b/LayoutTests/js/regress/get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple-expected.txt
deleted file mode 100644 (file)
index f4605c0..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-JSRegress/get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple
-
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-
-PASS no exception thrown
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
diff --git a/LayoutTests/js/regress/get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple.html b/LayoutTests/js/regress/get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple.html
deleted file mode 100644 (file)
index 65ce462..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<script src="../../resources/js-test-pre.js"></script>
-</head>
-<body>
-<script src="../../resources/regress-pre.js"></script>
-<script src="script-tests/get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple.js"></script>
-<script src="../../resources/regress-post.js"></script>
-<script src="../../resources/js-test-post.js"></script>
-</body>
-</html>
diff --git a/LayoutTests/js/regress/get-by-val-with-symbol-self-or-proto-expected.txt b/LayoutTests/js/regress/get-by-val-with-symbol-self-or-proto-expected.txt
deleted file mode 100644 (file)
index 0766910..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-JSRegress/get-by-val-with-symbol-self-or-proto
-
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-
-PASS no exception thrown
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
diff --git a/LayoutTests/js/regress/get-by-val-with-symbol-self-or-proto.html b/LayoutTests/js/regress/get-by-val-with-symbol-self-or-proto.html
deleted file mode 100644 (file)
index ff5f3d7..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<script src="../../resources/js-test-pre.js"></script>
-</head>
-<body>
-<script src="../../resources/regress-pre.js"></script>
-<script src="script-tests/get-by-val-with-symbol-self-or-proto.js"></script>
-<script src="../../resources/regress-post.js"></script>
-<script src="../../resources/js-test-post.js"></script>
-</body>
-</html>
diff --git a/LayoutTests/js/regress/script-tests/get-by-val-with-string-bimorphic-check-structure-elimination-simple.js b/LayoutTests/js/regress/script-tests/get-by-val-with-string-bimorphic-check-structure-elimination-simple.js
deleted file mode 100644 (file)
index 92589f1..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-(function() {
-    var a = 'a', l = 'l';
-    var o = {[a]:1};
-    var p = {[a]:2, [l]:13};
-    var result = 0;
-    for (var i = 0; i < 1000000; ++i) {
-        result ^= o[a];
-        var tmp = o;
-        o = p;
-        p = tmp;
-    }
-    if (result != 0)
-        throw "Error: bad result: " + result;
-})();
diff --git a/LayoutTests/js/regress/script-tests/get-by-val-with-string-bimorphic-check-structure-elimination.js b/LayoutTests/js/regress/script-tests/get-by-val-with-string-bimorphic-check-structure-elimination.js
deleted file mode 100644 (file)
index db59401..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-(function() {
-    var a = 'a', b = 'b', c = 'c', d = 'd', e = 'e', f = 'f', g = 'g', h = 'h', i = 'i', j = 'j', k = 'k', l = 'l';
-    var o = {[a]:1, [b]:2, [c]:3, [d]:4, [e]:5, [f]:6, [g]:7, [h]:8, [i]:9, [j]:10, [k]:11};
-    var p = {[a]:2, [b]:3, [c]:4, [d]:5, [e]:6, [f]:7, [g]:8, [h]:9, [i]:10, [j]:11, [k]:12, [l]:13};
-    var result = 0;
-    for (var index = 0; index < 1000000; ++index) {
-        result += o[a] ^ o[b] ^ o[c] ^ o[d] ^ o[e] ^ o[f] ^ o[g] ^ o[h] ^ o[i] ^ o[j] ^ o[k];
-        var tmp = o;
-        o = p;
-        p = tmp;
-    }
-    if (result != 6500000)
-        throw "Error: bad result: " + result;
-})();
diff --git a/LayoutTests/js/regress/script-tests/get-by-val-with-string-chain-from-try-block.js b/LayoutTests/js/regress/script-tests/get-by-val-with-string-chain-from-try-block.js
deleted file mode 100644 (file)
index df970fe..0000000
+++ /dev/null
@@ -1,49 +0,0 @@
-var f = 'f';
-
-function A() { }
-
-A.prototype = {[f]:42};
-
-function B() { }
-
-B.prototype = new A();
-
-function C() { }
-
-C.prototype = new B();
-
-function D() { }
-
-D.prototype = new C();
-
-function E() { }
-
-E.prototype = new D();
-
-function F() { }
-
-F.prototype = new E();
-
-function G() { }
-
-G.prototype = new F();
-
-function foo(o) {
-    try {
-        var result = 0;
-        for (var i = 0; i < 1000; ++i)
-            result += o[f];
-        return result;
-    } catch (e) {
-        return 52;
-    }
-}
-
-var result = 0;
-
-for (var i = 0; i < 1000; ++i)
-    result += foo(new G());
-
-if (result != 42000000)
-    throw "Error: bad result: " + result;
-
diff --git a/LayoutTests/js/regress/script-tests/get-by-val-with-string-check-structure-elimination.js b/LayoutTests/js/regress/script-tests/get-by-val-with-string-check-structure-elimination.js
deleted file mode 100644 (file)
index bb88aa5..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-(function() {
-    var a = 'a', b = 'b', c = 'c', d = 'd', e = 'e', f = 'f', g = 'g', h = 'h', i = 'i', j = 'j', k = 'k';
-    var o = {[a]:1, [b]:2, [c]:3, [d]:4, [e]:5, [f]:6, [g]:7, [h]:8, [i]:9, [j]:10, [k]:11};
-    var result = 0;
-    for (var index = 0; index < 1000000; ++index)
-        result += o[a] ^ o[b] | o[c] ^ o[d] & o[e] ^ o[f] | o[g] ^ o[h] & o[i] ^ o[j] | o[k];
-    if (result != 15000000)
-        throw "Error: bad result: " + result;
-})();
diff --git a/LayoutTests/js/regress/script-tests/get-by-val-with-string-proto-or-self.js b/LayoutTests/js/regress/script-tests/get-by-val-with-string-proto-or-self.js
deleted file mode 100644 (file)
index ef7493b..0000000
+++ /dev/null
@@ -1,24 +0,0 @@
-var f = 'f';
-
-function foo(o) {
-    return o[f];
-}
-
-function bar(a) {
-    var result = 0;
-    for (var i = 0; i < 2000000; ++i) {
-        for (var j = 0; j < a.length; ++j)
-            result += foo(a[j]);
-    }
-    return result;
-}
-
-function Foo() {
-}
-
-Foo.prototype[f] = 42;
-
-var result = bar([new Foo(), {[f]:24}]);
-
-if (result != 132000000)
-    throw "Error bad result: " + result;
diff --git a/LayoutTests/js/regress/script-tests/get-by-val-with-string-quadmorphic-check-structure-elimination-simple.js b/LayoutTests/js/regress/script-tests/get-by-val-with-string-quadmorphic-check-structure-elimination-simple.js
deleted file mode 100644 (file)
index 991dce3..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-(function() {
-    var a = 'a';
-    var l = 'l';
-    var b = 'b';
-    var c = 'c';
-
-    var o = {[a]:1};
-    var p = {[a]:2, [l]:13};
-    var q = {[a]:3, [b]:3};
-    var r = {[a]:4, [c]:5};
-    var result = 0;
-    for (var i = 0; i < 1000000; ++i) {
-        result ^= o[a];
-        var tmp = o;
-        o = p;
-        p = q;
-        q = r;
-        r = tmp;
-    }
-    if (result != 0)
-        throw "Error: bad result: " + result;
-})();
diff --git a/LayoutTests/js/regress/script-tests/get-by-val-with-string-self-or-proto.js b/LayoutTests/js/regress/script-tests/get-by-val-with-string-self-or-proto.js
deleted file mode 100644 (file)
index 9bec107..0000000
+++ /dev/null
@@ -1,24 +0,0 @@
-var f = 'f';
-
-function foo(o) {
-    return o[f];
-}
-
-function bar(a) {
-    var result = 0;
-    for (var i = 0; i < 2000000; ++i) {
-        for (var j = 0; j < a.length; ++j)
-            result += foo(a[j]);
-    }
-    return result;
-}
-
-function Foo() {
-}
-
-Foo.prototype[f] = 42;
-
-var result = bar([{[f]:24}, new Foo()]);
-
-if (result != 132000000)
-    throw "Error bad result: " + result;
diff --git a/LayoutTests/js/regress/script-tests/get-by-val-with-symbol-bimorphic-check-structure-elimination-simple.js b/LayoutTests/js/regress/script-tests/get-by-val-with-symbol-bimorphic-check-structure-elimination-simple.js
deleted file mode 100644 (file)
index e85d32a..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-(function() {
-    var a = Symbol(), l = Symbol();
-    var o = {[a]:1};
-    var p = {[a]:2, [l]:13};
-    var result = 0;
-    for (var i = 0; i < 1000000; ++i) {
-        result ^= o[a];
-        var tmp = o;
-        o = p;
-        p = tmp;
-    }
-    if (result != 0)
-        throw "Error: bad result: " + result;
-})();
diff --git a/LayoutTests/js/regress/script-tests/get-by-val-with-symbol-bimorphic-check-structure-elimination.js b/LayoutTests/js/regress/script-tests/get-by-val-with-symbol-bimorphic-check-structure-elimination.js
deleted file mode 100644 (file)
index fbbe971..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-(function() {
-    var a = Symbol(), b = Symbol(), c = Symbol(), d = Symbol(), e = Symbol(), f = Symbol(), g = Symbol(), h = Symbol(), i = Symbol(), j = Symbol(), k = Symbol(), l = Symbol();
-    var o = {[a]:1, [b]:2, [c]:3, [d]:4, [e]:5, [f]:6, [g]:7, [h]:8, [i]:9, [j]:10, [k]:11};
-    var p = {[a]:2, [b]:3, [c]:4, [d]:5, [e]:6, [f]:7, [g]:8, [h]:9, [i]:10, [j]:11, [k]:12, [l]: 13};
-    var result = 0;
-    for (var index = 0; index < 1000000; ++index) {
-        result += o[a] ^ o[b] ^ o[c] ^ o[d] ^ o[e] ^ o[f] ^ o[g] ^ o[h] ^ o[i] ^ o[j] ^ o[k];
-        var tmp = o;
-        o = p;
-        p = tmp;
-    }
-    if (result != 6500000)
-        throw "Error: bad result: " + result;
-})();
diff --git a/LayoutTests/js/regress/script-tests/get-by-val-with-symbol-chain-from-try-block.js b/LayoutTests/js/regress/script-tests/get-by-val-with-symbol-chain-from-try-block.js
deleted file mode 100644 (file)
index 3f8ac78..0000000
+++ /dev/null
@@ -1,49 +0,0 @@
-var f = Symbol("Cocoa");
-
-function A() { }
-
-A.prototype = {[f]:42};
-
-function B() { }
-
-B.prototype = new A();
-
-function C() { }
-
-C.prototype = new B();
-
-function D() { }
-
-D.prototype = new C();
-
-function E() { }
-
-E.prototype = new D();
-
-function F() { }
-
-F.prototype = new E();
-
-function G() { }
-
-G.prototype = new F();
-
-function foo(o) {
-    try {
-        var result = 0;
-        for (var i = 0; i < 1000; ++i)
-            result += o[f];
-        return result;
-    } catch (e) {
-        return 52;
-    }
-}
-
-var result = 0;
-
-for (var i = 0; i < 1000; ++i)
-    result += foo(new G());
-
-if (result != 42000000)
-    throw "Error: bad result: " + result;
-
diff --git a/LayoutTests/js/regress/script-tests/get-by-val-with-symbol-check-structure-elimination.js b/LayoutTests/js/regress/script-tests/get-by-val-with-symbol-check-structure-elimination.js
deleted file mode 100644 (file)
index 9d59fd8..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-(function() {
-    var a = Symbol(), b = Symbol(), c = Symbol(), d = Symbol(), e = Symbol(), f = Symbol(), g = Symbol(), h = Symbol(), i = Symbol(), j = Symbol(), k = Symbol();
-    var o = {[a]:1, [b]:2, [c]:3, [d]:4, [e]:5, [f]:6, [g]:7, [h]:8, [i]:9, [j]:10, [k]:11};
-    var result = 0;
-    for (var index = 0; index < 1000000; ++index)
-        result += o[a] ^ o[b] | o[c] ^ o[d] & o[e] ^ o[f] | o[g] ^ o[h] & o[i] ^ o[j] | o[k];
-    if (result != 15000000)
-        throw "Error: bad result: " + result;
-})();
diff --git a/LayoutTests/js/regress/script-tests/get-by-val-with-symbol-proto-or-self.js b/LayoutTests/js/regress/script-tests/get-by-val-with-symbol-proto-or-self.js
deleted file mode 100644 (file)
index e2f82ab..0000000
+++ /dev/null
@@ -1,24 +0,0 @@
-var f = Symbol("Cocoa");
-
-function foo(o) {
-    return o[f];
-}
-
-function bar(a) {
-    var result = 0;
-    for (var i = 0; i < 2000000; ++i) {
-        for (var j = 0; j < a.length; ++j)
-            result += foo(a[j]);
-    }
-    return result;
-}
-
-function Foo() {
-}
-
-Foo.prototype[f] = 42;
-
-var result = bar([new Foo(), {[f]:24}]);
-
-if (result != 132000000)
-    throw "Error bad result: " + result;
diff --git a/LayoutTests/js/regress/script-tests/get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple.js b/LayoutTests/js/regress/script-tests/get-by-val-with-symbol-quadmorphic-check-structure-elimination-simple.js
deleted file mode 100644 (file)
index a58362a..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-(function() {
-    var a = Symbol("Cocoa");
-    var l = Symbol();
-    var b = Symbol();
-    var c = Symbol();
-
-    var o = {[a]:1};
-    var p = {[a]:2, [l]:13};
-    var q = {[a]:3, [b]:3};
-    var r = {[a]:4, [c]:5};
-    var result = 0;
-    for (var i = 0; i < 1000000; ++i) {
-        result ^= o[a];
-        var tmp = o;
-        o = p;
-        p = q;
-        q = r;
-        r = tmp;
-    }
-    if (result != 0)
-        throw "Error: bad result: " + result;
-})();
diff --git a/LayoutTests/js/regress/script-tests/get-by-val-with-symbol-self-or-proto.js b/LayoutTests/js/regress/script-tests/get-by-val-with-symbol-self-or-proto.js
deleted file mode 100644 (file)
index 3008c36..0000000
+++ /dev/null
@@ -1,24 +0,0 @@
-var f = Symbol('Cocoa');
-
-function foo(o) {
-    return o[f];
-}
-
-function bar(a) {
-    var result = 0;
-    for (var i = 0; i < 2000000; ++i) {
-        for (var j = 0; j < a.length; ++j)
-            result += foo(a[j]);
-    }
-    return result;
-}
-
-function Foo() {
-}
-
-Foo.prototype[f] = 42;
-
-var result = bar([{[f]:24}, new Foo()]);
-
-if (result != 132000000)
-    throw "Error bad result: " + result;
index 7bb672a..0137b2a 100644 (file)
@@ -1,3 +1,116 @@
+2015-08-09  Chris Dumez  <cdumez@apple.com>
+
+        Regression(r188105): Seems to have caused crashes during PLT on some iPads
+        https://bugs.webkit.org/show_bug.cgi?id=147818
+
+        Unreviewed, roll out r188105.
+
+        * bytecode/ByValInfo.h:
+        (JSC::ByValInfo::ByValInfo):
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::getByValInfoMap): Deleted.
+        (JSC::CodeBlock::addByValInfo): Deleted.
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::getByValInfo):
+        (JSC::CodeBlock::setNumberOfByValInfos):
+        (JSC::CodeBlock::numberOfByValInfos):
+        (JSC::CodeBlock::byValInfo):
+        * bytecode/ExitKind.cpp:
+        (JSC::exitKindToString): Deleted.
+        * bytecode/ExitKind.h:
+        * bytecode/GetByIdStatus.cpp:
+        (JSC::GetByIdStatus::computeFor):
+        (JSC::GetByIdStatus::computeForStubInfo):
+        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback): Deleted.
+        * bytecode/GetByIdStatus.h:
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Deleted.
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): Deleted.
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize): Deleted.
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::foldConstants): Deleted.
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC): Deleted.
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode): Deleted.
+        (JSC::DFG::FixupPhase::observeUseKindOnNode): Deleted.
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::hasUidOperand): Deleted.
+        (JSC::DFG::Node::uidOperand): Deleted.
+        * dfg/DFGNodeType.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate): Deleted.
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::SafeToExecuteEdge::operator()): Deleted.
+        (JSC::DFG::safeToExecute): Deleted.
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileCheckIdent): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateSymbol): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculate): Deleted.
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile): Deleted.
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile): Deleted.
+        * dfg/DFGUseKind.cpp:
+        (WTF::printInternal): Deleted.
+        * dfg/DFGUseKind.h:
+        (JSC::DFG::typeFilterFor): Deleted.
+        (JSC::DFG::isCell): Deleted.
+        * ftl/FTLAbstractHeapRepository.h:
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile): Deleted.
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode): Deleted.
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckIdent): Deleted.
+        (JSC::FTL::DFG::LowerDFGToLLVM::lowSymbol): Deleted.
+        (JSC::FTL::DFG::LowerDFGToLLVM::speculate): Deleted.
+        (JSC::FTL::DFG::LowerDFGToLLVM::isNotSymbol): Deleted.
+        (JSC::FTL::DFG::LowerDFGToLLVM::speculateSymbol): Deleted.
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompile):
+        * jit/JIT.h:
+        (JSC::ByValCompilationInfo::ByValCompilationInfo):
+        (JSC::JIT::compileGetByValWithCachedId): Deleted.
+        * jit/JITInlines.h:
+        (JSC::JIT::callOperation): Deleted.
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_has_indexed_property):
+        (JSC::JIT::emitSlow_op_has_indexed_property):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_has_indexed_property):
+        (JSC::JIT::emitSlow_op_has_indexed_property):
+        * jit/JITOperations.cpp:
+        (JSC::getByVal):
+        * jit/JITOperations.h:
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emit_op_get_by_val):
+        (JSC::JIT::emitSlow_op_get_by_val):
+        (JSC::JIT::emit_op_put_by_val):
+        (JSC::JIT::emitSlow_op_put_by_val):
+        (JSC::JIT::emitGetByValWithCachedId): Deleted.
+        (JSC::JIT::privateCompileGetByVal): Deleted.
+        (JSC::JIT::privateCompileGetByValWithCachedId): Deleted.
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::emit_op_get_by_val):
+        (JSC::JIT::emitSlow_op_get_by_val):
+        (JSC::JIT::emit_op_put_by_val):
+        (JSC::JIT::emitSlow_op_put_by_val):
+        (JSC::JIT::emitGetByValWithCachedId): Deleted.
+        * runtime/Symbol.h:
+        * tests/stress/get-by-val-with-string-constructor.js: Removed.
+        * tests/stress/get-by-val-with-string-exit.js: Removed.
+        * tests/stress/get-by-val-with-string-generated.js: Removed.
+        * tests/stress/get-by-val-with-string-getter.js: Removed.
+        * tests/stress/get-by-val-with-string.js: Removed.
+        * tests/stress/get-by-val-with-symbol-constructor.js: Removed.
+        * tests/stress/get-by-val-with-symbol-exit.js: Removed.
+        * tests/stress/get-by-val-with-symbol-getter.js: Removed.
+        * tests/stress/get-by-val-with-symbol.js: Removed.
+
 2015-08-07  Gyuyoung Kim  <gyuyoung.kim@webkit.org>
 
         Reduce uses of PassRefPtr in bindings
index 67541fd..d988516 100644 (file)
 #ifndef ByValInfo_h
 #define ByValInfo_h
 
+#if ENABLE(JIT)
+
 #include "ClassInfo.h"
 #include "CodeLocation.h"
-#include "CodeOrigin.h"
 #include "IndexingType.h"
 #include "JITStubRoutine.h"
 #include "Structure.h"
-#include "StructureStubInfo.h"
 
 namespace JSC {
 
-#if ENABLE(JIT)
-
 enum JITArrayMode {
     JITInt32,
     JITDouble,
@@ -203,33 +201,24 @@ inline JITArrayMode jitArrayModeForStructure(Structure* structure)
 
 struct ByValInfo {
     ByValInfo() { }
-
-    ByValInfo(unsigned bytecodeIndex, CodeLocationJump notIndexJump, CodeLocationJump badTypeJump, JITArrayMode arrayMode, ArrayProfile* arrayProfile, int16_t badTypeJumpToDone, int16_t returnAddressToSlowPath)
+    
+    ByValInfo(unsigned bytecodeIndex, CodeLocationJump badTypeJump, JITArrayMode arrayMode, int16_t badTypeJumpToDone, int16_t returnAddressToSlowPath)
         : bytecodeIndex(bytecodeIndex)
-        , notIndexJump(notIndexJump)
         , badTypeJump(badTypeJump)
         , arrayMode(arrayMode)
-        , arrayProfile(arrayProfile)
         , badTypeJumpToDone(badTypeJumpToDone)
         , returnAddressToSlowPath(returnAddressToSlowPath)
         , slowPathCount(0)
-        , stubInfo(nullptr)
-        , tookSlowPath(false)
     {
     }
-
+    
     unsigned bytecodeIndex;
-    CodeLocationJump notIndexJump;
     CodeLocationJump badTypeJump;
     JITArrayMode arrayMode; // The array mode that was baked into the inline JIT code.
-    ArrayProfile* arrayProfile;
     int16_t badTypeJumpToDone;
     int16_t returnAddressToSlowPath;
     unsigned slowPathCount;
     RefPtr<JITStubRoutine> stubRoutine;
-    Identifier cachedId;
-    StructureStubInfo* stubInfo;
-    bool tookSlowPath;
 };
 
 inline unsigned getByValInfoBytecodeIndex(ByValInfo* info)
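Review bot: The default constructor kept as `ByValInfo() { }` leaves `bytecodeIndex`, `arrayMode`, both `int16_t` offsets and `slowPathCount` uninitialized. With this rollout the objects sit in a `Vector<ByValInfo>` that `setNumberOfByValInfos()` in CodeBlock.h sizes up front. Any entry read before the JIT assigns it, for example by the `bytecodeIndex` search in `getByValInfo`, would expose indeterminate values; whether that can happen depends on the fill order in the JIT, which is outside this chunk. Zeroing in the default constructor as well would settle it, e.g. `ByValInfo() : bytecodeIndex(0), arrayMode(JITInt32), badTypeJumpToDone(0), returnAddressToSlowPath(0), slowPathCount(0) { }`.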
@@ -237,15 +226,9 @@ inline unsigned getByValInfoBytecodeIndex(ByValInfo* info)
     return info->bytecodeIndex;
 }
 
-typedef HashMap<CodeOrigin, ByValInfo*, CodeOriginApproximateHash> ByValInfoMap;
-
-#else // ENABLE(JIT)
-
-typedef HashMap<int, void*> ByValInfoMap;
+} // namespace JSC
 
 #endif // ENABLE(JIT)
 
-} // namespace JSC
-
 #endif // ByValInfo_h
 
index c9331f7..a361d6d 100644 (file)
@@ -2672,22 +2672,6 @@ void CodeBlock::getCallLinkInfoMap(CallLinkInfoMap& result)
     getCallLinkInfoMap(locker, result);
 }
 
-void CodeBlock::getByValInfoMap(const ConcurrentJITLocker&, ByValInfoMap& result)
-{
-#if ENABLE(JIT)
-    for (auto* byValInfo : m_byValInfos)
-        result.add(CodeOrigin(byValInfo->bytecodeIndex), byValInfo);
-#else
-    UNUSED_PARAM(result);
-#endif
-}
-
-void CodeBlock::getByValInfoMap(ByValInfoMap& result)
-{
-    ConcurrentJITLocker locker(m_lock);
-    getByValInfoMap(locker, result);
-}
-
 #if ENABLE(JIT)
 StructureStubInfo* CodeBlock::addStubInfo()
 {
@@ -2704,12 +2688,6 @@ StructureStubInfo* CodeBlock::findStubInfo(CodeOrigin codeOrigin)
     return nullptr;
 }
 
-ByValInfo* CodeBlock::addByValInfo()
-{
-    ConcurrentJITLocker locker(m_lock);
-    return m_byValInfos.add();
-}
-
 CallLinkInfo* CodeBlock::addCallLinkInfo()
 {
     ConcurrentJITLocker locker(m_lock);
index 960791d..6c3a115 100644 (file)
@@ -200,9 +200,6 @@ public:
     
     void getCallLinkInfoMap(const ConcurrentJITLocker&, CallLinkInfoMap& result);
     void getCallLinkInfoMap(CallLinkInfoMap& result);
-
-    void getByValInfoMap(const ConcurrentJITLocker&, ByValInfoMap& result);
-    void getByValInfoMap(ByValInfoMap& result);
     
 #if ENABLE(JIT)
     StructureStubInfo* addStubInfo();
@@ -214,8 +211,11 @@ public:
     StructureStubInfo* findStubInfo(CodeOrigin);
 
     void resetStub(StructureStubInfo&);
-
-    ByValInfo* addByValInfo();
+    
+    ByValInfo& getByValInfo(unsigned bytecodeIndex)
+    {
+        return *(binarySearch<ByValInfo, unsigned>(m_byValInfos, m_byValInfos.size(), bytecodeIndex, getByValInfoBytecodeIndex));
+    }
 
     CallLinkInfo* addCallLinkInfo();
     Bag<CallLinkInfo>::iterator callLinkInfosBegin() { return m_callLinkInfos.begin(); }
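Review bot: `getByValInfo()` dereferences the pointer returned by `binarySearch` unconditionally, so it is only correct when `m_byValInfos` is sorted by `bytecodeIndex` and contains the requested index; neither precondition is stated or checked in this hunk. As far as I recall, WTF's plain `binarySearch` only debug-asserts that the key is present, so on a miss a release build would return a reference to a different entry (or past an empty vector) and callers would work on the wrong inline-cache record. Please document the contract with a comment such as `// Precondition: m_byValInfos is sorted by bytecodeIndex and has an entry for bytecodeIndex.` If a miss is possible at all, consider `tryBinarySearch` with a `RELEASE_ASSERT` on the result.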
@@ -367,6 +367,12 @@ public:
 
     String nameForRegister(VirtualRegister);
 
+#if ENABLE(JIT)
+    void setNumberOfByValInfos(size_t size) { m_byValInfos.resizeToFit(size); }
+    size_t numberOfByValInfos() const { return m_byValInfos.size(); }
+    ByValInfo& byValInfo(size_t index) { return m_byValInfos[index]; }
+#endif
+
     unsigned numberOfArgumentValueProfiles()
     {
         ASSERT(m_numParameters >= 0);
@@ -1010,7 +1016,7 @@ private:
     RefPtr<JITCode> m_jitCode;
 #if ENABLE(JIT)
     Bag<StructureStubInfo> m_stubInfos;
-    Bag<ByValInfo> m_byValInfos;
+    Vector<ByValInfo> m_byValInfos;
     Bag<CallLinkInfo> m_callLinkInfos;
     SentinelLinkedList<CallLinkInfo, BasicRawSentinelNode<CallLinkInfo>> m_incomingCalls;
     SentinelLinkedList<PolymorphicCallNode, BasicRawSentinelNode<PolymorphicCallNode>> m_incomingPolymorphicCalls;
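Review bot: Switching `m_byValInfos` from `Bag<ByValInfo>` to `Vector<ByValInfo>` means element addresses are no longer stable. A second `setNumberOfByValInfos()` call, or any other growth, can reallocate the buffer and leave every `ByValInfo&` returned earlier by `byValInfo()` or `getByValInfo()` dangling. The accessors added in this file suggest the vector is sized once, but nothing here enforces that. A comment on the member would record the contract, for example `// Sized exactly once via setNumberOfByValInfos(); references into it must not outlive a resize.`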
index 2524300..4f79f2c 100644 (file)
@@ -40,8 +40,6 @@ const char* exitKindToString(ExitKind kind)
         return "BadType";
     case BadCell:
         return "BadCell";
-    case BadIdent:
-        return "BadIdent";
     case BadExecutable:
         return "BadExecutable";
     case BadCache:
index 6f8c512..59cbbf5 100644 (file)
@@ -32,7 +32,6 @@ enum ExitKind : uint8_t {
     ExitKindUnset,
     BadType, // We exited because a type prediction was wrong.
     BadCell, // We exited because we made an incorrect assumption about what cell we would see. Usually used for function checks.
-    BadIdent, // We exited because we made an incorrect assumption about what identifier we would see. Usually used for cached Id check in get_by_val.
     BadExecutable, // We exited because we made an incorrect assumption about what executable we would see.
     BadCache, // We exited because an inline cache was wrong.
     BadConstantCache, // We exited because a cache on a weak constant (usually a prototype) was wrong.
index 89e5035..1d97c9f 100644 (file)
@@ -98,7 +98,7 @@ GetByIdStatus GetByIdStatus::computeFor(CodeBlock* profiledBlock, StubInfoMap& m
     GetByIdStatus result;
 
 #if ENABLE(DFG_JIT)
-    result = computeForStubInfoWithoutExitSiteFeedback(
+    result = computeForStubInfo(
         locker, profiledBlock, map.get(CodeOrigin(bytecodeIndex)), uid,
         CallLinkStatus::computeExitSiteData(locker, profiledBlock, bytecodeIndex));
     
@@ -116,20 +116,7 @@ GetByIdStatus GetByIdStatus::computeFor(CodeBlock* profiledBlock, StubInfoMap& m
 }
 
 #if ENABLE(JIT)
-GetByIdStatus GetByIdStatus::computeForStubInfo(const ConcurrentJITLocker& locker, CodeBlock* profiledBlock, StructureStubInfo* stubInfo, CodeOrigin codeOrigin, UniquedStringImpl* uid)
-{
-    GetByIdStatus result = GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback(
-        locker, profiledBlock, stubInfo, uid,
-        CallLinkStatus::computeExitSiteData(locker, profiledBlock, codeOrigin.bytecodeIndex));
-
-    if (!result.takesSlowPath() && GetByIdStatus::hasExitSite(locker, profiledBlock, codeOrigin.bytecodeIndex))
-        return GetByIdStatus(result.makesCalls() ? GetByIdStatus::MakesCalls : GetByIdStatus::TakesSlowPath, true);
-    return result;
-}
-#endif // ENABLE(JIT)
-
-#if ENABLE(JIT)
-GetByIdStatus GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback(
+GetByIdStatus GetByIdStatus::computeForStubInfo(
     const ConcurrentJITLocker& locker, CodeBlock* profiledBlock, StructureStubInfo* stubInfo, UniquedStringImpl* uid,
     CallLinkStatus::ExitSiteData callExitSiteData)
 {
@@ -255,7 +242,7 @@ GetByIdStatus GetByIdStatus::computeFor(
         GetByIdStatus result;
         {
             ConcurrentJITLocker locker(dfgBlock->m_lock);
-            result = computeForStubInfoWithoutExitSiteFeedback(
+            result = computeForStubInfo(
                 locker, dfgBlock, dfgMap.get(codeOrigin), uid, exitSiteData);
         }
         
index d7f0ae4..32372cd 100644 (file)
@@ -71,11 +71,7 @@ public:
     static GetByIdStatus computeFor(const StructureSet&, UniquedStringImpl* uid);
     
     static GetByIdStatus computeFor(CodeBlock* baselineBlock, CodeBlock* dfgBlock, StubInfoMap& baselineMap, StubInfoMap& dfgMap, CodeOrigin, UniquedStringImpl* uid);
-
-#if ENABLE(JIT)
-    static GetByIdStatus computeForStubInfo(const ConcurrentJITLocker&, CodeBlock* baselineBlock, StructureStubInfo*, CodeOrigin, UniquedStringImpl* uid);
-#endif
-
+    
     State state() const { return m_state; }
     
     bool isSet() const { return m_state != NoInformation; }
@@ -99,7 +95,7 @@ private:
     static bool hasExitSite(const ConcurrentJITLocker&, CodeBlock*, unsigned bytecodeIndex);
 #endif
 #if ENABLE(JIT)
-    static GetByIdStatus computeForStubInfoWithoutExitSiteFeedback(
+    static GetByIdStatus computeForStubInfo(
         const ConcurrentJITLocker&, CodeBlock* profiledBlock, StructureStubInfo*,
         UniquedStringImpl* uid, CallLinkStatus::ExitSiteData);
 #endif
index 229087d..3734c76 100644 (file)
@@ -2163,32 +2163,6 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi
         break;
     }
 
-    case CheckIdent: {
-        AbstractValue& value = forNode(node->child1());
-        UniquedStringImpl* uid = node->uidOperand();
-        ASSERT(uid->isSymbol() ? !(value.m_type & ~SpecSymbol) : !(value.m_type & ~SpecStringIdent)); // Edge filtering should have already ensured this.
-
-        JSValue childConstant = value.value();
-        if (childConstant) {
-            if (uid->isSymbol()) {
-                ASSERT(childConstant.isSymbol());
-                if (asSymbol(childConstant)->privateName().uid() == uid) {
-                    m_state.setFoundConstants(true);
-                    break;
-                }
-            } else {
-                ASSERT(childConstant.isString());
-                if (asString(childConstant)->tryGetValueImpl() == uid) {
-                    m_state.setFoundConstants(true);
-                    break;
-                }
-            }
-        }
-
-        filter(value, uid->isSymbol() ? SpecSymbol : SpecStringIdent);
-        break;
-    }
-
     case CheckInBounds: {
         JSValue left = forNode(node->child1()).value();
         JSValue right = forNode(node->child2()).value();
index 268a757..56422b1 100644 (file)
@@ -969,7 +969,6 @@ private:
         
         CallLinkInfoMap m_callLinkInfos;
         StubInfoMap m_stubInfos;
-        ByValInfoMap m_byValInfos;
         
         // Did we see any returns? We need to handle the (uncommon but necessary)
         // case where a procedure that does not return was inlined.
@@ -3398,35 +3397,12 @@ bool ByteCodeParser::parseBlock(unsigned limit)
 
         case op_get_by_val: {
             SpeculatedType prediction = getPredictionWithoutOSRExit();
-
+            
             Node* base = get(VirtualRegister(currentInstruction[2].u.operand));
+            ArrayMode arrayMode = getArrayMode(currentInstruction[4].u.arrayProfile, Array::Read);
             Node* property = get(VirtualRegister(currentInstruction[3].u.operand));
-            bool compiledAsGetById = false;
-            {
-                ConcurrentJITLocker locker(m_inlineStackTop->m_profiledBlock->m_lock);
-                ByValInfo* byValInfo = m_inlineStackTop->m_byValInfos.get(CodeOrigin(currentCodeOrigin().bytecodeIndex));
-                // FIXME: When the bytecode is not compiled in the baseline JIT, byValInfo becomes null.
-                // At that time, there is no information.
-                if (byValInfo && byValInfo->stubInfo && !byValInfo->tookSlowPath && !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadIdent)) {
-                    compiledAsGetById = true;
-                    unsigned identifierNumber = m_graph.identifiers().ensure(byValInfo->cachedId.impl());
-                    UniquedStringImpl* uid = m_graph.identifiers()[identifierNumber];
-
-                    addToGraph(CheckIdent, OpInfo(uid), property);
-
-                    GetByIdStatus getByIdStatus = GetByIdStatus::computeForStubInfo(
-                        locker, m_inlineStackTop->m_profiledBlock,
-                        byValInfo->stubInfo, currentCodeOrigin(), uid);
-
-                    handleGetById(currentInstruction[1].u.operand, prediction, base, identifierNumber, getByIdStatus);
-                }
-            }
-
-            if (!compiledAsGetById) {
-                ArrayMode arrayMode = getArrayMode(currentInstruction[4].u.arrayProfile, Array::Read);
-                Node* getByVal = addToGraph(GetByVal, OpInfo(arrayMode.asWord()), OpInfo(prediction), base, property);
-                set(VirtualRegister(currentInstruction[1].u.operand), getByVal);
-            }
+            Node* getByVal = addToGraph(GetByVal, OpInfo(arrayMode.asWord()), OpInfo(prediction), base, property);
+            set(VirtualRegister(currentInstruction[1].u.operand), getByVal);
 
             NEXT_OPCODE(op_get_by_val);
         }
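Review bot: The restored `op_get_by_val` case has no comment explaining why a by-val access with a stable identifier key is no longer specialised, so the next reader has only the commit log to go on. I would add a line above `addToGraph(GetByVal, ...)` such as `// FIXME: Cached-id specialization (r188105) was rolled out after PLT crashes; see https://bugs.webkit.org/show_bug.cgi?id=147818.` The page gives no root cause, so the comment should claim no more than that. The added blank line after `getPredictionWithoutOSRExit()` also carries trailing whitespace that the removed line did not have.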
@@ -4329,7 +4305,6 @@ ByteCodeParser::InlineStackEntry::InlineStackEntry(
         if (m_profiledBlock->hasBaselineJITProfiling()) {
             m_profiledBlock->getStubInfoMap(locker, m_stubInfos);
             m_profiledBlock->getCallLinkInfoMap(locker, m_callLinkInfos);
-            m_profiledBlock->getByValInfoMap(locker, m_byValInfos);
         }
     }
     
index 46f5fe4..296749d 100644 (file)
@@ -268,10 +268,6 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
         def(PureValue(CheckNotEmpty, AdjacencyList(AdjacencyList::Fixed, node->child1())));
         return;
 
-    case CheckIdent:
-        def(PureValue(CheckIdent, AdjacencyList(AdjacencyList::Fixed, node->child1()), node->uidOperand()));
-        return;
-
     case ConstantStoragePointer:
         def(PureValue(node, node->storagePointer()));
         return;
index 3d85caa..ba4c035 100644 (file)
@@ -208,33 +208,6 @@ private:
                 break;
             }
 
-            case CheckIdent: {
-                UniquedStringImpl* uid = node->uidOperand();
-                JSValue childConstant = m_state.forNode(node->child1()).value();
-                const UniquedStringImpl* constantUid = nullptr;
-                if (childConstant) {
-                    if (uid->isSymbol()) {
-                        if (childConstant.isSymbol())
-                            constantUid = asSymbol(childConstant)->privateName().uid();
-                    } else {
-                        if (childConstant.isString()) {
-                            // Since we already filtered the value with StringIdentUse,
-                            // the held impl is always atomic.
-                            if (const auto* impl = asString(childConstant)->tryGetValueImpl()) {
-                                ASSERT(impl->isAtomic());
-                                constantUid = static_cast<const UniquedStringImpl*>(impl);
-                            }
-                        }
-                    }
-                }
-
-                if (constantUid == uid) {
-                    node->remove();
-                    eliminated = true;
-                }
-                break;
-            }
-
             case CheckInBounds: {
                 JSValue left = m_state.forNode(node->child1()).value();
                 JSValue right = m_state.forNode(node->child2()).value();
index e470b8d..08ffb2a 100644 (file)
@@ -107,7 +107,6 @@ bool doesGC(Graph& graph, Node* node)
     case VarInjectionWatchpoint:
     case CheckCell:
     case CheckNotEmpty:
-    case CheckIdent:
     case RegExpExec:
     case RegExpTest:
     case CompareLess:
index d6a9790..c442310 100644 (file)
@@ -1012,15 +1012,6 @@ private:
             fixEdge<CellUse>(node->child1());
             break;
         }
-
-        case CheckIdent: {
-            UniquedStringImpl* uid = node->uidOperand();
-            if (uid->isSymbol())
-                fixEdge<SymbolUse>(node->child1());
-            else
-                fixEdge<StringIdentUse>(node->child1());
-            break;
-        }
             
         case Arrayify:
         case ArrayifyToStructure: {
@@ -1769,7 +1760,6 @@ private:
         case FunctionUse:
         case StringUse:
         case KnownStringUse:
-        case SymbolUse:
         case StringObjectUse:
         case StringOrStringObjectUse:
             if (alwaysUnboxSimplePrimitives()
index 83fcf5c..28cab05 100644 (file)
@@ -1328,17 +1328,6 @@ struct Node {
         return reinterpret_cast<void*>(m_opInfo);
     }
 
-    bool hasUidOperand()
-    {
-        return op() == CheckIdent;
-    }
-
-    UniquedStringImpl* uidOperand()
-    {
-        ASSERT(hasUidOperand());
-        return reinterpret_cast<UniquedStringImpl*>(m_opInfo);
-    }
-
     bool hasTransition()
     {
         switch (op()) {
index e9bf727..62e7ca9 100644 (file)
@@ -209,7 +209,6 @@ namespace JSC { namespace DFG {
     macro(CheckNotEmpty, NodeMustGenerate) \
     macro(CheckBadCell, NodeMustGenerate) \
     macro(CheckInBounds, NodeMustGenerate) \
-    macro(CheckIdent, NodeMustGenerate) \
     \
     /* Optimizations for array mutation. */\
     macro(ArrayPush, NodeResultJS | NodeMustGenerate) \
index 36f2df7..76af6a2 100644 (file)
@@ -649,7 +649,6 @@ private:
         case CheckStructure:
         case CheckCell:
         case CheckNotEmpty:
-        case CheckIdent:
         case CheckBadCell:
         case PutStructure:
         case VarInjectionWatchpoint:
index b2d07d5..0c0a277 100644 (file)
@@ -59,7 +59,6 @@ public:
         case ObjectOrOtherUse:
         case StringIdentUse:
         case StringUse:
-        case SymbolUse:
         case StringObjectUse:
         case StringOrStringObjectUse:
         case NotStringVarUse:
@@ -189,7 +188,6 @@ bool safeToExecute(AbstractStateType& state, Graph& graph, Node* node)
     case CheckCell:
     case CheckBadCell:
     case CheckNotEmpty:
-    case CheckIdent:
     case RegExpExec:
     case RegExpTest:
     case CompareLess:
index 0537363..f3f8af7 100644 (file)
@@ -4576,31 +4576,6 @@ void SpeculativeJIT::compileGetArrayLength(Node* node)
     } }
 }
 
-void SpeculativeJIT::compileCheckIdent(Node* node)
-{
-    SpeculateCellOperand operand(this, node->child1());
-    UniquedStringImpl* uid = node->uidOperand();
-    if (uid->isSymbol()) {
-        speculateSymbol(node->child1(), operand.gpr());
-        speculationCheck(
-            BadIdent, JSValueSource(), nullptr,
-            m_jit.branchPtr(
-                JITCompiler::NotEqual,
-                JITCompiler::Address(operand.gpr(), Symbol::offsetOfPrivateName()),
-                TrustedImmPtr(uid)));
-    } else {
-        speculateString(node->child1(), operand.gpr());
-        speculateStringIdent(node->child1(), operand.gpr());
-        speculationCheck(
-            BadIdent, JSValueSource(), nullptr,
-            m_jit.branchPtr(
-                JITCompiler::NotEqual,
-                JITCompiler::Address(operand.gpr(), JSString::offsetOfValue()),
-                TrustedImmPtr(uid)));
-    }
-    noResult(node);
-}
-
 void SpeculativeJIT::compileNewFunction(Node* node)
 {
     SpeculateCellOperand scope(this, node->child1());
@@ -5756,20 +5731,6 @@ void SpeculativeJIT::speculateNotStringVar(Edge edge)
     notCell.link(&m_jit);
 }
 
-void SpeculativeJIT::speculateSymbol(Edge edge, GPRReg cell)
-{
-    DFG_TYPE_CHECK(JSValueSource::unboxedCell(cell), edge, SpecSymbol, m_jit.branchIfNotSymbol(cell));
-}
-
-void SpeculativeJIT::speculateSymbol(Edge edge)
-{
-    if (!needsTypeCheck(edge, SpecSymbol))
-        return;
-
-    SpeculateCellOperand operand(this, edge);
-    speculateSymbol(edge, operand.gpr());
-}
-
 void SpeculativeJIT::speculateNotCell(Edge edge)
 {
     if (!needsTypeCheck(edge, ~SpecCell))
@@ -5881,9 +5842,6 @@ void SpeculativeJIT::speculate(Node*, Edge edge)
     case StringUse:
         speculateString(edge);
         break;
-    case SymbolUse:
-        speculateSymbol(edge);
-        break;
     case StringObjectUse:
         speculateStringObject(edge);
         break;
index 545ff2a..a5c4454 100644 (file)
@@ -2191,8 +2191,6 @@ public:
     void compileSkipScope(Node*);
 
     void compileGetArrayLength(Node*);
-
-    void compileCheckIdent(Node*);
     
     void compileValueRep(Node*);
     void compileDoubleRep(Node*);
@@ -2408,8 +2406,6 @@ public:
     void speculateStringObject(Edge, GPRReg);
     void speculateStringObject(Edge);
     void speculateStringOrStringObject(Edge);
-    void speculateSymbol(Edge, GPRReg cell);
-    void speculateSymbol(Edge);
     void speculateNotCell(Edge);
     void speculateOther(Edge);
     void speculateMisc(Edge, JSValueRegs);
index 12ab8d0..5042905 100644 (file)
@@ -3820,10 +3820,6 @@ void SpeculativeJIT::compile(Node* node)
         break;
     }
 
-    case CheckIdent:
-        compileCheckIdent(node);
-        break;
-
     case GetExecutable: {
         SpeculateCellOperand function(this, node->child1());
         GPRTemporary result(this, Reuse, function);
index 13c7c87..770bda5 100644 (file)
@@ -3850,10 +3850,6 @@ void SpeculativeJIT::compile(Node* node)
         break;
     }
 
-    case CheckIdent:
-        compileCheckIdent(node);
-        break;
-
     case GetExecutable: {
         SpeculateCellOperand function(this, node->child1());
         GPRTemporary result(this, Reuse, function);
index 936ef55..efa104f 100644 (file)
@@ -97,9 +97,6 @@ void printInternal(PrintStream& out, UseKind useKind)
     case KnownStringUse:
         out.print("KnownString");
         return;
-    case SymbolUse:
-        out.print("Symbol");
-        return;
     case StringObjectUse:
         out.print("StringObject");
         return;
index 289b783..ebf99da 100644 (file)
@@ -57,7 +57,6 @@ enum UseKind {
     StringIdentUse,
     StringUse,
     KnownStringUse,
-    SymbolUse,
     StringObjectUse,
     StringOrStringObjectUse,
     NotStringVarUse,
@@ -118,8 +117,6 @@ inline SpeculatedType typeFilterFor(UseKind useKind)
     case StringUse:
     case KnownStringUse:
         return SpecString;
-    case SymbolUse:
-        return SpecSymbol;
     case StringObjectUse:
         return SpecStringObject;
     case StringOrStringObjectUse:
@@ -199,7 +196,6 @@ inline bool isCell(UseKind kind)
     case StringIdentUse:
     case StringUse:
     case KnownStringUse:
-    case SymbolUse:
     case StringObjectUse:
     case StringOrStringObjectUse:
         return true;
index 581f4cb..912754d 100644 (file)
@@ -87,8 +87,7 @@ namespace JSC { namespace FTL {
     macro(Structure_classInfo, Structure::classInfoOffset()) \
     macro(Structure_globalObject, Structure::globalObjectOffset()) \
     macro(Structure_prototype, Structure::prototypeOffset()) \
-    macro(Structure_structureID, Structure::structureIDOffset()) \
-    macro(Symbol_privateName, Symbol::offsetOfPrivateName())
+    macro(Structure_structureID, Structure::structureIDOffset())
 
 #define FOR_EACH_INDEXED_ABSTRACT_HEAP(macro) \
     macro(DirectArguments_storage, DirectArguments::storageOffset(), sizeof(EncodedJSValue)) \
index b493f30..62728c7 100644 (file)
@@ -118,7 +118,6 @@ inline CapabilityLevel canCompile(Node* node)
     case CheckCell:
     case CheckBadCell:
     case CheckNotEmpty:
-    case CheckIdent:
     case StringCharCodeAt:
     case AllocatePropertyStorage:
     case ReallocatePropertyStorage:
@@ -416,7 +415,6 @@ CapabilityLevel canCompile(Graph& graph)
                 case KnownStringUse:
                 case StringObjectUse:
                 case StringOrStringObjectUse:
-                case SymbolUse:
                 case FinalObjectUse:
                 case NotCellUse:
                 case OtherUse:
index a1b19bf..5fb4e24 100644 (file)
@@ -532,9 +532,6 @@ private:
         case CheckBadCell:
             compileCheckBadCell();
             break;
-        case CheckIdent:
-            compileCheckIdent();
-            break;
         case GetExecutable:
             compileGetExecutable();
             break;
@@ -2032,20 +2029,6 @@ private:
         speculate(TDZFailure, noValue(), nullptr, m_out.isZero64(lowJSValue(m_node->child1())));
     }
 
-    void compileCheckIdent()
-    {
-        UniquedStringImpl* uid = m_node->uidOperand();
-        if (uid->isSymbol()) {
-            LValue symbol = lowSymbol(m_node->child1());
-            LValue stringImpl = m_out.loadPtr(symbol, m_heaps.Symbol_privateName);
-            speculate(BadIdent, noValue(), nullptr, m_out.notEqual(stringImpl, m_out.constIntPtr(uid)));
-        } else {
-            LValue string = lowStringIdent(m_node->child1());
-            LValue stringImpl = m_out.loadPtr(string, m_heaps.JSString_value);
-            speculate(BadIdent, noValue(), nullptr, m_out.notEqual(stringImpl, m_out.constIntPtr(uid)));
-        }
-    }
-
     void compileGetExecutable()
     {
         LValue cell = lowCell(m_node->child1());
@@ -7037,16 +7020,7 @@ private:
         speculateStringIdent(edge, string, stringImpl);
         return stringImpl;
     }
-
-    LValue lowSymbol(Edge edge, OperandSpeculationMode mode = AutomaticOperandSpeculation)
-    {
-        ASSERT_UNUSED(mode, mode == ManualOperandSpeculation || edge.useKind() == SymbolUse);
-
-        LValue result = lowCell(edge, mode);
-        speculateSymbol(edge, result);
-        return result;
-    }
-
+    
     LValue lowNonNullObject(Edge edge, OperandSpeculationMode mode = AutomaticOperandSpeculation)
     {
         ASSERT_UNUSED(mode, mode == ManualOperandSpeculation || edge.useKind() == ObjectUse);
@@ -7443,9 +7417,6 @@ private:
         case StringIdentUse:
             speculateStringIdent(edge);
             break;
-        case SymbolUse:
-            speculateSymbol(edge);
-            break;
         case StringObjectUse:
             speculateStringObject(edge);
             break;
@@ -7542,16 +7513,7 @@ private:
             m_out.load32(cell, m_heaps.JSCell_structureID),
             m_out.constInt32(vm().stringStructure->id()));
     }
-
-    LValue isNotSymbol(LValue cell, SpeculatedType type = SpecFullTop)
-    {
-        if (LValue proven = isProvenValue(type & SpecCell, ~SpecSymbol))
-            return proven;
-        return m_out.notEqual(
-            m_out.load32(cell, m_heaps.JSCell_structureID),
-            m_out.constInt32(vm().symbolStructure->id()));
-    }
-
+    
     LValue isArrayType(LValue cell, ArrayMode arrayMode)
     {
         switch (arrayMode.type()) {
@@ -7774,17 +7736,7 @@ private:
             NotStringObject, noValue(), 0,
             m_out.notEqual(structureID, weakStructureID(stringObjectStructure)));
     }
-
-    void speculateSymbol(Edge edge, LValue cell)
-    {
-        FTL_TYPE_CHECK(jsValueValue(cell), edge, SpecSymbol | ~SpecCell, isNotSymbol(cell));
-    }
-
-    void speculateSymbol(Edge edge)
-    {
-        speculateSymbol(edge, lowCell(edge));
-    }
-
+    
     void speculateNonNullObject(Edge edge, LValue cell)
     {
         FTL_TYPE_CHECK(jsValueValue(cell), edge, SpecObject, isNotObject(cell));
index c505af0..5823d01 100644 (file)
@@ -657,22 +657,17 @@ CompilationResult JIT::privateCompile(JITCompilationEffort effort)
     for (unsigned i = m_putByIds.size(); i--;)
         m_putByIds[i].finalize(patchBuffer);
 
-    for (const auto& byValCompilationInfo : m_byValCompilationInfo) {
-        PatchableJump patchableNotIndexJump = byValCompilationInfo.notIndexJump;
-        CodeLocationJump notIndexJump = CodeLocationJump();
-        if (Jump(patchableNotIndexJump).isSet())
-            notIndexJump = CodeLocationJump(patchBuffer.locationOf(patchableNotIndexJump));
-        CodeLocationJump badTypeJump = CodeLocationJump(patchBuffer.locationOf(byValCompilationInfo.badTypeJump));
-        CodeLocationLabel doneTarget = patchBuffer.locationOf(byValCompilationInfo.doneTarget);
-        CodeLocationLabel slowPathTarget = patchBuffer.locationOf(byValCompilationInfo.slowPathTarget);
-        CodeLocationCall returnAddress = patchBuffer.locationOf(byValCompilationInfo.returnAddress);
-
-        *byValCompilationInfo.byValInfo = ByValInfo(
-            byValCompilationInfo.bytecodeIndex,
-            notIndexJump,
+    m_codeBlock->setNumberOfByValInfos(m_byValCompilationInfo.size());
+    for (unsigned i = 0; i < m_byValCompilationInfo.size(); ++i) {
+        CodeLocationJump badTypeJump = CodeLocationJump(patchBuffer.locationOf(m_byValCompilationInfo[i].badTypeJump));
+        CodeLocationLabel doneTarget = patchBuffer.locationOf(m_byValCompilationInfo[i].doneTarget);
+        CodeLocationLabel slowPathTarget = patchBuffer.locationOf(m_byValCompilationInfo[i].slowPathTarget);
+        CodeLocationCall returnAddress = patchBuffer.locationOf(m_byValCompilationInfo[i].returnAddress);
+        
+        m_codeBlock->byValInfo(i) = ByValInfo(
+            m_byValCompilationInfo[i].bytecodeIndex,
             badTypeJump,
-            byValCompilationInfo.arrayMode,
-            byValCompilationInfo.arrayProfile,
+            m_byValCompilationInfo[i].arrayMode,
             differenceBetweenCodePtr(badTypeJump, doneTarget),
             differenceBetweenCodePtr(returnAddress, slowPathTarget));
     }
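Review bot: The restored loop in `JIT::privateCompile` indexes `m_byValCompilationInfo[i]` six times and stores through `m_codeBlock->byValInfo(i)`, which is valid only because `setNumberOfByValInfos(m_byValCompilationInfo.size())` runs immediately before it. Binding the entry once, `const ByValCompilationInfo& info = m_byValCompilationInfo[i];`, would make the body easier to check against the `ByValInfo` constructor's argument order. A one-line comment such as `// Size the table first; byValInfo(i) below writes into it by index.` would record the ordering dependency. Whether anything keeps a `ByValInfo*` across a later `setNumberOfByValInfos` call is not visible here and is worth confirming, because this returns to index-addressed storage from the `addByValInfo()` pointers the rolled-out change used. The function starts and ends outside the hunk.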
index 90108af..1023820 100644 (file)
@@ -149,23 +149,17 @@ namespace JSC {
     struct ByValCompilationInfo {
         ByValCompilationInfo() { }
         
-        ByValCompilationInfo(ByValInfo* byValInfo, unsigned bytecodeIndex, MacroAssembler::PatchableJump notIndexJump, MacroAssembler::PatchableJump badTypeJump, JITArrayMode arrayMode, ArrayProfile* arrayProfile, MacroAssembler::Label doneTarget)
-            : byValInfo(byValInfo)
-            , bytecodeIndex(bytecodeIndex)
-            , notIndexJump(notIndexJump)
+        ByValCompilationInfo(unsigned bytecodeIndex, MacroAssembler::PatchableJump badTypeJump, JITArrayMode arrayMode, MacroAssembler::Label doneTarget)
+            : bytecodeIndex(bytecodeIndex)
             , badTypeJump(badTypeJump)
             , arrayMode(arrayMode)
-            , arrayProfile(arrayProfile)
             , doneTarget(doneTarget)
         {
         }
-
-        ByValInfo* byValInfo;
+        
         unsigned bytecodeIndex;
-        MacroAssembler::PatchableJump notIndexJump;
         MacroAssembler::PatchableJump badTypeJump;
         JITArrayMode arrayMode;
-        ArrayProfile* arrayProfile;
         MacroAssembler::Label doneTarget;
         MacroAssembler::Label slowPathTarget;
         MacroAssembler::Call returnAddress;
@@ -210,13 +204,6 @@ namespace JSC {
             jit.privateCompileGetByVal(byValInfo, returnAddress, arrayMode);
         }
 
-        static void compileGetByValWithCachedId(VM* vm, CodeBlock* codeBlock, ByValInfo* byValInfo, ReturnAddressPtr returnAddress, const Identifier& propertyName)
-        {
-            JIT jit(vm, codeBlock);
-            jit.m_bytecodeOffset = byValInfo->bytecodeIndex;
-            jit.privateCompileGetByValWithCachedId(byValInfo, returnAddress, propertyName);
-        }
-
         static void compilePutByVal(VM* vm, CodeBlock* codeBlock, ByValInfo* byValInfo, ReturnAddressPtr returnAddress, JITArrayMode arrayMode)
         {
             JIT jit(vm, codeBlock);
@@ -259,7 +246,6 @@ namespace JSC {
         CompilationResult privateCompile(JITCompilationEffort);
         
         void privateCompileGetByVal(ByValInfo*, ReturnAddressPtr, JITArrayMode);
-        void privateCompileGetByValWithCachedId(ByValInfo*, ReturnAddressPtr, const Identifier&);
         void privateCompilePutByVal(ByValInfo*, ReturnAddressPtr, JITArrayMode);
 
         void privateCompileHasIndexedProperty(ByValInfo*, ReturnAddressPtr, JITArrayMode);
@@ -385,9 +371,7 @@ namespace JSC {
         JumpList emitArrayStoragePutByVal(Instruction*, PatchableJump& badType);
         JumpList emitIntTypedArrayPutByVal(Instruction*, PatchableJump& badType, TypedArrayType);
         JumpList emitFloatTypedArrayPutByVal(Instruction*, PatchableJump& badType, TypedArrayType);
-
-        JITGetByIdGenerator emitGetByValWithCachedId(Instruction*, const Identifier&, JumpList& doneCases, JumpList& slowCases);
-
+        
         enum FinalObjectMode { MayBeFinal, KnownNotFinal };
 
         template <typename T> Jump branchStructure(RelationalCondition, T leftHandSide, Structure*);
@@ -718,7 +702,6 @@ namespace JSC {
         MacroAssembler::Call callOperation(J_JITOperation_EJIdc, int, GPRReg, const Identifier*);
         MacroAssembler::Call callOperation(J_JITOperation_EJJ, int, GPRReg, GPRReg);
         MacroAssembler::Call callOperation(J_JITOperation_EJJAp, int, GPRReg, GPRReg, ArrayProfile*);
-        MacroAssembler::Call callOperation(J_JITOperation_EJJBy, int, GPRReg, GPRReg, ByValInfo*);
         MacroAssembler::Call callOperation(C_JITOperation_EJsc, GPRReg);
         MacroAssembler::Call callOperation(J_JITOperation_EJscC, int, GPRReg, JSCell*);
         MacroAssembler::Call callOperation(C_JITOperation_EJscZ, GPRReg, int32_t);
@@ -763,7 +746,6 @@ namespace JSC {
 #endif
         MacroAssembler::Call callOperation(V_JITOperation_EJJJ, RegisterID, RegisterID, RegisterID);
         MacroAssembler::Call callOperation(V_JITOperation_EJJJAp, RegisterID, RegisterID, RegisterID, ArrayProfile*);
-        MacroAssembler::Call callOperation(V_JITOperation_EJJJBy, RegisterID, RegisterID, RegisterID, ByValInfo*);
         MacroAssembler::Call callOperation(V_JITOperation_EJZJ, RegisterID, int32_t, RegisterID);
         MacroAssembler::Call callOperation(V_JITOperation_EJZ, RegisterID, int32_t);
         MacroAssembler::Call callOperation(V_JITOperation_EPc, Instruction*);
@@ -780,7 +762,6 @@ namespace JSC {
         MacroAssembler::Call callOperation(J_JITOperation_EJIdc, int, GPRReg, GPRReg, const Identifier*);
         MacroAssembler::Call callOperation(J_JITOperation_EJJ, int, GPRReg, GPRReg, GPRReg, GPRReg);
         MacroAssembler::Call callOperation(J_JITOperation_EJJAp, int, GPRReg, GPRReg, GPRReg, GPRReg, ArrayProfile*);
-        MacroAssembler::Call callOperation(J_JITOperation_EJJBy, int, GPRReg, GPRReg, GPRReg, GPRReg, ByValInfo*);
         MacroAssembler::Call callOperation(P_JITOperation_EJS, GPRReg, GPRReg, size_t);
         MacroAssembler::Call callOperation(S_JITOperation_EJ, RegisterID, RegisterID);
         MacroAssembler::Call callOperation(S_JITOperation_EJJ, RegisterID, RegisterID, RegisterID, RegisterID);
@@ -788,7 +769,6 @@ namespace JSC {
         MacroAssembler::Call callOperation(V_JITOperation_EJ, RegisterID, RegisterID);
         MacroAssembler::Call callOperation(V_JITOperation_EJJJ, RegisterID, RegisterID, RegisterID, RegisterID, RegisterID, RegisterID);
         MacroAssembler::Call callOperation(V_JITOperation_EJJJAp, RegisterID, RegisterID, RegisterID, RegisterID, RegisterID, RegisterID, ArrayProfile*);
-        MacroAssembler::Call callOperation(V_JITOperation_EJJJBy, RegisterID, RegisterID, RegisterID, RegisterID, RegisterID, RegisterID, ByValInfo*);
         MacroAssembler::Call callOperation(V_JITOperation_EJZ, RegisterID, RegisterID, int32_t);
         MacroAssembler::Call callOperation(V_JITOperation_EJZJ, RegisterID, RegisterID, int32_t, RegisterID, RegisterID);
         MacroAssembler::Call callOperation(V_JITOperation_EZJ, int32_t, RegisterID, RegisterID);
index 5d68690..d08d73e 100644 (file)
@@ -411,12 +411,6 @@ ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(V_JITOperation_EJJJAp oper
     return appendCallWithExceptionCheck(operation);
 }
 
-ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(V_JITOperation_EJJJBy operation, RegisterID regOp1, RegisterID regOp2, RegisterID regOp3, ByValInfo* byValInfo)
-{
-    setupArgumentsWithExecState(regOp1, regOp2, regOp3, TrustedImmPtr(byValInfo));
-    return appendCallWithExceptionCheck(operation);
-}
-
 ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(V_JITOperation_EZJ operation, int dst, GPRReg arg)
 {
     setupArgumentsWithExecState(TrustedImm32(dst), arg);
@@ -465,12 +459,6 @@ ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(J_JITOperation_EJJAp opera
     return appendCallWithExceptionCheckSetJSValueResult(operation, dst);
 }
 
-ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(J_JITOperation_EJJBy operation, int dst, GPRReg arg1, GPRReg arg2, ByValInfo* byValInfo)
-{
-    setupArgumentsWithExecState(arg1, arg2, TrustedImmPtr(byValInfo));
-    return appendCallWithExceptionCheckSetJSValueResult(operation, dst);
-}
-
 ALWAYS_INLINE MacroAssembler::Call JIT::callOperationNoExceptionCheck(V_JITOperation_EJ operation, GPRReg arg1)
 {
     setupArgumentsWithExecState(arg1);
@@ -612,12 +600,6 @@ ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(J_JITOperation_EJJAp opera
     return appendCallWithExceptionCheckSetJSValueResult(operation, dst);
 }
 
-ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(J_JITOperation_EJJBy operation, int dst, GPRReg arg1Tag, GPRReg arg1Payload, GPRReg arg2Tag, GPRReg arg2Payload, ByValInfo* byValInfo)
-{
-    setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, SH4_32BIT_DUMMY_ARG arg2Payload, arg2Tag, TrustedImmPtr(byValInfo));
-    return appendCallWithExceptionCheckSetJSValueResult(operation, dst);
-}
-
 ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(JIT::WithProfileTag, J_JITOperation_EJJ operation, int dst, GPRReg arg1Tag, GPRReg arg1Payload, GPRReg arg2Tag, GPRReg arg2Payload)
 {
     setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, SH4_32BIT_DUMMY_ARG arg2Payload, arg2Tag);
@@ -684,12 +666,6 @@ ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(V_JITOperation_EJJJAp oper
     return appendCallWithExceptionCheck(operation);
 }
 
-ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(V_JITOperation_EJJJBy operation, RegisterID regOp1Tag, RegisterID regOp1Payload, RegisterID regOp2Tag, RegisterID regOp2Payload, RegisterID regOp3Tag, RegisterID regOp3Payload, ByValInfo* byValInfo)
-{
-    setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG regOp1Payload, regOp1Tag, SH4_32BIT_DUMMY_ARG regOp2Payload, regOp2Tag, regOp3Payload, regOp3Tag, TrustedImmPtr(byValInfo));
-    return appendCallWithExceptionCheck(operation);
-}
-
 ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(V_JITOperation_EZJ operation, int dst, RegisterID regOp1Tag, RegisterID regOp1Payload)
 {
     setupArgumentsWithExecState(TrustedImm32(dst), regOp1Payload, regOp1Tag);
index 8c8be78..d3cf0df 100644 (file)
@@ -1067,7 +1067,6 @@ void JIT::emit_op_has_indexed_property(Instruction* currentInstruction)
     int base = currentInstruction[2].u.operand;
     int property = currentInstruction[3].u.operand;
     ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
-    ByValInfo* byValInfo = m_codeBlock->addByValInfo();
     
     emitGetVirtualRegisters(base, regT0, property, regT1);
 
@@ -1099,7 +1098,7 @@ void JIT::emit_op_has_indexed_property(Instruction* currentInstruction)
     
     emitPutVirtualRegister(dst);
     
-    m_byValCompilationInfo.append(ByValCompilationInfo(byValInfo, m_bytecodeOffset, PatchableJump(), badType, mode, profile, done));
+    m_byValCompilationInfo.append(ByValCompilationInfo(m_bytecodeOffset, badType, mode, done));
 }
 
 void JIT::emitSlow_op_has_indexed_property(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
@@ -1107,7 +1106,7 @@ void JIT::emitSlow_op_has_indexed_property(Instruction* currentInstruction, Vect
     int dst = currentInstruction[1].u.operand;
     int base = currentInstruction[2].u.operand;
     int property = currentInstruction[3].u.operand;
-    ByValInfo* byValInfo = m_byValCompilationInfo[m_byValInstructionIndex].byValInfo;
+    ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
     
     linkSlowCaseIfNotJSCell(iter, base); // base cell check
     linkSlowCase(iter); // base array check
@@ -1118,7 +1117,7 @@ void JIT::emitSlow_op_has_indexed_property(Instruction* currentInstruction, Vect
     
     emitGetVirtualRegister(base, regT0);
     emitGetVirtualRegister(property, regT1);
-    Call call = callOperation(operationHasIndexedPropertyDefault, dst, regT0, regT1, byValInfo);
+    Call call = callOperation(operationHasIndexedPropertyDefault, dst, regT0, regT1, profile);
 
     m_byValCompilationInfo[m_byValInstructionIndex].slowPathTarget = slowPath;
     m_byValCompilationInfo[m_byValInstructionIndex].returnAddress = call;
index 2578e5b..43e02ee 100644 (file)
@@ -1067,7 +1067,6 @@ void JIT::emit_op_has_indexed_property(Instruction* currentInstruction)
     int base = currentInstruction[2].u.operand;
     int property = currentInstruction[3].u.operand;
     ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
-    ByValInfo* byValInfo = m_codeBlock->addByValInfo();
     
     emitLoadPayload(base, regT0);
     emitJumpSlowCaseIfNotJSCell(base);
@@ -1100,7 +1099,7 @@ void JIT::emit_op_has_indexed_property(Instruction* currentInstruction)
     
     emitStoreBool(dst, regT0);
     
-    m_byValCompilationInfo.append(ByValCompilationInfo(byValInfo, m_bytecodeOffset, PatchableJump(), badType, mode, profile, done));
+    m_byValCompilationInfo.append(ByValCompilationInfo(m_bytecodeOffset, badType, mode, done));
 }
 
 void JIT::emitSlow_op_has_indexed_property(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
@@ -1108,7 +1107,7 @@ void JIT::emitSlow_op_has_indexed_property(Instruction* currentInstruction, Vect
     int dst = currentInstruction[1].u.operand;
     int base = currentInstruction[2].u.operand;
     int property = currentInstruction[3].u.operand;
-    ByValInfo* byValInfo = m_byValCompilationInfo[m_byValInstructionIndex].byValInfo;
+    ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
     
     linkSlowCaseIfNotJSCell(iter, base); // base cell check
     linkSlowCase(iter); // base array check
@@ -1119,7 +1118,7 @@ void JIT::emitSlow_op_has_indexed_property(Instruction* currentInstruction, Vect
     
     emitLoad(base, regT1, regT0);
     emitLoad(property, regT3, regT2);
-    Call call = callOperation(operationHasIndexedPropertyDefault, dst, regT1, regT0, regT3, regT2, byValInfo);
+    Call call = callOperation(operationHasIndexedPropertyDefault, dst, regT1, regT0, regT3, regT2, profile);
 
     m_byValCompilationInfo[m_byValInstructionIndex].slowPathTarget = slowPath;
     m_byValCompilationInfo[m_byValInstructionIndex].returnAddress = call;
index 7ae43f0..b59134e 100644 (file)
@@ -478,7 +478,7 @@ void JIT_OPERATION operationReallocateStorageAndFinishPut(ExecState* exec, JSObj
     base->putDirect(vm, offset, JSValue::decode(value));
 }
 
-static void putByVal(CallFrame* callFrame, JSValue baseValue, JSValue subscript, JSValue value, ByValInfo* byValInfo)
+static void putByVal(CallFrame* callFrame, JSValue baseValue, JSValue subscript, JSValue value, ArrayProfile* arrayProfile)
 {
     VM& vm = callFrame->vm();
     if (LIKELY(subscript.isUInt32())) {
@@ -488,7 +488,7 @@ static void putByVal(CallFrame* callFrame, JSValue baseValue, JSValue subscript,
             if (object->canSetIndexQuickly(i))
                 object->setIndexQuickly(callFrame->vm(), i, value);
             else {
-                byValInfo->arrayProfile->setOutOfBounds();
+                arrayProfile->setOutOfBounds();
                 object->methodTable(vm)->putByIndex(object, callFrame, i, value, callFrame->codeBlock()->isStrictMode());
             }
         } else
@@ -502,7 +502,7 @@ static void putByVal(CallFrame* callFrame, JSValue baseValue, JSValue subscript,
     }
 }
 
-static void directPutByVal(CallFrame* callFrame, JSObject* baseObject, JSValue subscript, JSValue value, ByValInfo* byValInfo)
+static void directPutByVal(CallFrame* callFrame, JSObject* baseObject, JSValue subscript, JSValue value, ArrayProfile* arrayProfile)
 {
     bool isStrictMode = callFrame->codeBlock()->isStrictMode();
     if (LIKELY(subscript.isUInt32())) {
@@ -514,7 +514,7 @@ static void directPutByVal(CallFrame* callFrame, JSObject* baseObject, JSValue s
             return;
         }
 
-        byValInfo->arrayProfile->setOutOfBounds();
+        arrayProfile->setOutOfBounds();
         baseObject->putDirectIndex(callFrame, index, value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
         return;
     }
@@ -540,7 +540,7 @@ static void directPutByVal(CallFrame* callFrame, JSObject* baseObject, JSValue s
         baseObject->putDirect(callFrame->vm(), property, value, slot);
     }
 }
-void JIT_OPERATION operationPutByVal(ExecState* exec, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, ByValInfo* byValInfo)
+void JIT_OPERATION operationPutByVal(ExecState* exec, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, ArrayProfile* arrayProfile)
 {
     VM& vm = exec->vm();
     NativeCallFrameTracer tracer(&vm, exec);
@@ -554,19 +554,21 @@ void JIT_OPERATION operationPutByVal(ExecState* exec, EncodedJSValue encodedBase
         JSObject* object = asObject(baseValue);
         bool didOptimize = false;
 
-        ASSERT(exec->locationAsBytecodeOffset());
-        ASSERT(!byValInfo->stubRoutine);
+        unsigned bytecodeOffset = exec->locationAsBytecodeOffset();
+        ASSERT(bytecodeOffset);
+        ByValInfo& byValInfo = exec->codeBlock()->getByValInfo(bytecodeOffset - 1);
+        ASSERT(!byValInfo.stubRoutine);
 
         Structure* structure = object->structure(vm);
         if (hasOptimizableIndexing(structure)) {
             // Attempt to optimize.
             JITArrayMode arrayMode = jitArrayModeForStructure(structure);
-            if (jitArrayModePermitsPut(arrayMode) && arrayMode != byValInfo->arrayMode) {
+            if (jitArrayModePermitsPut(arrayMode) && arrayMode != byValInfo.arrayMode) {
                 CodeBlock* codeBlock = exec->codeBlock();
                 ConcurrentJITLocker locker(codeBlock->m_lock);
-                byValInfo->arrayProfile->computeUpdatedPrediction(locker, codeBlock, structure);
+                arrayProfile->computeUpdatedPrediction(locker, codeBlock, structure);
 
-                JIT::compilePutByVal(&vm, exec->codeBlock(), byValInfo, ReturnAddressPtr(OUR_RETURN_ADDRESS), arrayMode);
+                JIT::compilePutByVal(&vm, exec->codeBlock(), &byValInfo, ReturnAddressPtr(OUR_RETURN_ADDRESS), arrayMode);
                 didOptimize = true;
             }
         }
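Review bot: `ASSERT(bytecodeOffset)` compiles out of release builds, so a zero location would reach `getByValInfo(bytecodeOffset - 1)` with a wrapped-around `unsigned` key. getByValInfo is not shown here, so it is unconfirmed whether a failed lookup is caught there. If it is not, the resulting reference is passed to `JIT::compilePutByVal` and its `slowPathCount` is incremented further down the function. This is a slow-path operation, so `RELEASE_ASSERT(bytecodeOffset);` would cost little, and the `- 1` deserves a comment such as `// The recorded call-site location appears to be bytecodeOffset + 1; undo that before the lookup (confirm).` The same three lines recur in the operationDirectPutByVal, operationGetByValOptimize, operationHasIndexedPropertyDefault and operationGetByValString hunks, and operationPutByVal's body starts and ends outside this hunk.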
@@ -577,7 +579,7 @@ void JIT_OPERATION operationPutByVal(ExecState* exec, EncodedJSValue encodedBase
             // that intercepts indexed get, then don't even wait until 10 times. For cases
             // where we see non-index-intercepting objects, this gives 10 iterations worth of
             // opportunity for us to observe that the get_by_val may be polymorphic.
-            if (++byValInfo->slowPathCount >= 10
+            if (++byValInfo.slowPathCount >= 10
                 || object->structure(vm)->typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero()) {
                 // Don't ever try to optimize.
                 ctiPatchCallByReturnAddress(exec->codeBlock(), ReturnAddressPtr(OUR_RETURN_ADDRESS), FunctionPtr(operationPutByValGeneric));
@@ -585,10 +587,10 @@ void JIT_OPERATION operationPutByVal(ExecState* exec, EncodedJSValue encodedBase
         }
     }
 
-    putByVal(exec, baseValue, subscript, value, byValInfo);
+    putByVal(exec, baseValue, subscript, value, arrayProfile);
 }
 
-void JIT_OPERATION operationDirectPutByVal(ExecState* callFrame, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, ByValInfo* byValInfo)
+void JIT_OPERATION operationDirectPutByVal(ExecState* callFrame, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, ArrayProfile* arrayProfile)
 {
     VM& vm = callFrame->vm();
     NativeCallFrameTracer tracer(&vm, callFrame);
@@ -601,20 +603,22 @@ void JIT_OPERATION operationDirectPutByVal(ExecState* callFrame, EncodedJSValue
     if (subscript.isInt32()) {
         // See if it's worth optimizing at all.
         bool didOptimize = false;
-
-        ASSERT(callFrame->locationAsBytecodeOffset());
-        ASSERT(!byValInfo->stubRoutine);
+        
+        unsigned bytecodeOffset = callFrame->locationAsBytecodeOffset();
+        ASSERT(bytecodeOffset);
+        ByValInfo& byValInfo = callFrame->codeBlock()->getByValInfo(bytecodeOffset - 1);
+        ASSERT(!byValInfo.stubRoutine);
 
         Structure* structure = object->structure(vm);
         if (hasOptimizableIndexing(structure)) {
             // Attempt to optimize.
             JITArrayMode arrayMode = jitArrayModeForStructure(structure);
-            if (jitArrayModePermitsPut(arrayMode) && arrayMode != byValInfo->arrayMode) {
+            if (jitArrayModePermitsPut(arrayMode) && arrayMode != byValInfo.arrayMode) {
                 CodeBlock* codeBlock = callFrame->codeBlock();
                 ConcurrentJITLocker locker(codeBlock->m_lock);
-                byValInfo->arrayProfile->computeUpdatedPrediction(locker, codeBlock, structure);
+                arrayProfile->computeUpdatedPrediction(locker, codeBlock, structure);
 
-                JIT::compileDirectPutByVal(&vm, callFrame->codeBlock(), byValInfo, ReturnAddressPtr(OUR_RETURN_ADDRESS), arrayMode);
+                JIT::compileDirectPutByVal(&vm, callFrame->codeBlock(), &byValInfo, ReturnAddressPtr(OUR_RETURN_ADDRESS), arrayMode);
                 didOptimize = true;
             }
         }
@@ -625,17 +629,17 @@ void JIT_OPERATION operationDirectPutByVal(ExecState* callFrame, EncodedJSValue
             // that intercepts indexed get, then don't even wait until 10 times. For cases
             // where we see non-index-intercepting objects, this gives 10 iterations worth of
             // opportunity for us to observe that the get_by_val may be polymorphic.
-            if (++byValInfo->slowPathCount >= 10
+            if (++byValInfo.slowPathCount >= 10
                 || object->structure(vm)->typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero()) {
                 // Don't ever try to optimize.
                 ctiPatchCallByReturnAddress(callFrame->codeBlock(), ReturnAddressPtr(OUR_RETURN_ADDRESS), FunctionPtr(operationDirectPutByValGeneric));
             }
         }
     }
-    directPutByVal(callFrame, object, subscript, value, byValInfo);
+    directPutByVal(callFrame, object, subscript, value, arrayProfile);
 }
 
-void JIT_OPERATION operationPutByValGeneric(ExecState* exec, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, ByValInfo* byValInfo)
+void JIT_OPERATION operationPutByValGeneric(ExecState* exec, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, ArrayProfile* arrayProfile)
 {
     VM& vm = exec->vm();
     NativeCallFrameTracer tracer(&vm, exec);
@@ -644,11 +648,11 @@ void JIT_OPERATION operationPutByValGeneric(ExecState* exec, EncodedJSValue enco
     JSValue subscript = JSValue::decode(encodedSubscript);
     JSValue value = JSValue::decode(encodedValue);
 
-    putByVal(exec, baseValue, subscript, value, byValInfo);
+    putByVal(exec, baseValue, subscript, value, arrayProfile);
 }
 
 
-void JIT_OPERATION operationDirectPutByValGeneric(ExecState* exec, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, ByValInfo* byValInfo)
+void JIT_OPERATION operationDirectPutByValGeneric(ExecState* exec, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, ArrayProfile* arrayProfile)
 {
     VM& vm = exec->vm();
     NativeCallFrameTracer tracer(&vm, exec);
@@ -657,7 +661,7 @@ void JIT_OPERATION operationDirectPutByValGeneric(ExecState* exec, EncodedJSValu
     JSValue subscript = JSValue::decode(encodedSubscript);
     JSValue value = JSValue::decode(encodedValue);
     RELEASE_ASSERT(baseValue.isObject());
-    directPutByVal(exec, asObject(baseValue), subscript, value, byValInfo);
+    directPutByVal(exec, asObject(baseValue), subscript, value, arrayProfile);
 }
 
 EncodedJSValue JIT_OPERATION operationCallEval(ExecState* exec, ExecState* execCallee)
@@ -1410,41 +1414,34 @@ static bool canAccessArgumentIndexQuickly(JSObject& object, uint32_t index)
     return false;
 }
 
-static JSValue getByVal(ExecState* exec, JSValue baseValue, JSValue subscript, ByValInfo* byValInfo, ReturnAddressPtr returnAddress)
+static JSValue getByVal(ExecState* exec, JSValue baseValue, JSValue subscript, ArrayProfile* arrayProfile, ReturnAddressPtr returnAddress)
 {
     if (LIKELY(baseValue.isCell() && subscript.isString())) {
         VM& vm = exec->vm();
         Structure& structure = *baseValue.asCell()->structure(vm);
         if (JSCell::canUseFastGetOwnProperty(structure)) {
             if (RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec)) {
-                if (JSValue result = baseValue.asCell()->fastGetOwnProperty(vm, structure, existingAtomicString.get())) {
-                    ASSERT(exec->locationAsBytecodeOffset());
-                    if (byValInfo->stubInfo && byValInfo->cachedId.impl() != existingAtomicString)
-                        byValInfo->tookSlowPath = true;
+                if (JSValue result = baseValue.asCell()->fastGetOwnProperty(vm, structure, existingAtomicString.get()))
                     return result;
-                }
             }
         }
     }
 
     if (subscript.isUInt32()) {
-        ASSERT(exec->locationAsBytecodeOffset());
-        byValInfo->tookSlowPath = true;
-
         uint32_t i = subscript.asUInt32();
         if (isJSString(baseValue)) {
             if (asString(baseValue)->canGetIndex(i)) {
                 ctiPatchCallByReturnAddress(exec->codeBlock(), returnAddress, FunctionPtr(operationGetByValString));
                 return asString(baseValue)->getIndex(exec, i);
             }
-            byValInfo->arrayProfile->setOutOfBounds();
+            arrayProfile->setOutOfBounds();
         } else if (baseValue.isObject()) {
             JSObject* object = asObject(baseValue);
             if (object->canGetIndexQuickly(i))
                 return object->getIndexQuickly(i);
 
             if (!canAccessArgumentIndexQuickly(*object, i))
-                byValInfo->arrayProfile->setOutOfBounds();
+                arrayProfile->setOutOfBounds();
         }
 
         return baseValue.get(exec, i);
@@ -1456,91 +1453,74 @@ static JSValue getByVal(ExecState* exec, JSValue baseValue, JSValue subscript, B
     auto property = subscript.toPropertyKey(exec);
     if (exec->hadException())
         return jsUndefined();
-
-    ASSERT(exec->locationAsBytecodeOffset());
-    if (byValInfo->stubInfo && byValInfo->cachedId != property)
-        byValInfo->tookSlowPath = true;
-
     return baseValue.get(exec, property);
 }
 
 extern "C" {
     
-EncodedJSValue JIT_OPERATION operationGetByValGeneric(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ByValInfo* byValInfo)
+EncodedJSValue JIT_OPERATION operationGetByValGeneric(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ArrayProfile* arrayProfile)
 {
     VM& vm = exec->vm();
     NativeCallFrameTracer tracer(&vm, exec);
     JSValue baseValue = JSValue::decode(encodedBase);
     JSValue subscript = JSValue::decode(encodedSubscript);
 
-    JSValue result = getByVal(exec, baseValue, subscript, byValInfo, ReturnAddressPtr(OUR_RETURN_ADDRESS));
+    JSValue result = getByVal(exec, baseValue, subscript, arrayProfile, ReturnAddressPtr(OUR_RETURN_ADDRESS));
     return JSValue::encode(result);
 }
 
-EncodedJSValue JIT_OPERATION operationGetByValOptimize(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ByValInfo* byValInfo)
+EncodedJSValue JIT_OPERATION operationGetByValOptimize(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ArrayProfile* arrayProfile)
 {
     VM& vm = exec->vm();
     NativeCallFrameTracer tracer(&vm, exec);
     JSValue baseValue = JSValue::decode(encodedBase);
     JSValue subscript = JSValue::decode(encodedSubscript);
-
+    
     if (baseValue.isObject() && subscript.isInt32()) {
         // See if it's worth optimizing this at all.
         JSObject* object = asObject(baseValue);
         bool didOptimize = false;
 
-        ASSERT(exec->locationAsBytecodeOffset());
-        ASSERT(!byValInfo->stubRoutine);
-
+        unsigned bytecodeOffset = exec->locationAsBytecodeOffset();
+        ASSERT(bytecodeOffset);
+        ByValInfo& byValInfo = exec->codeBlock()->getByValInfo(bytecodeOffset - 1);
+        ASSERT(!byValInfo.stubRoutine);
+        
         if (hasOptimizableIndexing(object->structure(vm))) {
             // Attempt to optimize.
             Structure* structure = object->structure(vm);
             JITArrayMode arrayMode = jitArrayModeForStructure(structure);
-            if (arrayMode != byValInfo->arrayMode) {
+            if (arrayMode != byValInfo.arrayMode) {
                 // If we reached this case, we got an interesting array mode we did not expect when we compiled.
                 // Let's update the profile to do better next time.
                 CodeBlock* codeBlock = exec->codeBlock();
                 ConcurrentJITLocker locker(codeBlock->m_lock);
-                byValInfo->arrayProfile->computeUpdatedPrediction(locker, codeBlock, structure);
+                arrayProfile->computeUpdatedPrediction(locker, codeBlock, structure);
 
-                JIT::compileGetByVal(&vm, exec->codeBlock(), byValInfo, ReturnAddressPtr(OUR_RETURN_ADDRESS), arrayMode);
+                JIT::compileGetByVal(&vm, exec->codeBlock(), &byValInfo, ReturnAddressPtr(OUR_RETURN_ADDRESS), arrayMode);
                 didOptimize = true;
             }
         }
-
+        
         if (!didOptimize) {
             // If we take slow path more than 10 times without patching then make sure we
             // never make that mistake again. Or, if we failed to patch and we have some object
             // that intercepts indexed get, then don't even wait until 10 times. For cases
             // where we see non-index-intercepting objects, this gives 10 iterations worth of
             // opportunity for us to observe that the get_by_val may be polymorphic.
-            if (++byValInfo->slowPathCount >= 10
+            if (++byValInfo.slowPathCount >= 10
                 || object->structure(vm)->typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero()) {
                 // Don't ever try to optimize.
                 ctiPatchCallByReturnAddress(exec->codeBlock(), ReturnAddressPtr(OUR_RETURN_ADDRESS), FunctionPtr(operationGetByValGeneric));
             }
         }
     }
-
-    if (baseValue.isObject() && (subscript.isSymbol() || subscript.isString())) {
-        const Identifier propertyName = subscript.toPropertyKey(exec);
-
-        if (!subscript.isString() || !parseIndex(propertyName)) {
-            ASSERT(exec->locationAsBytecodeOffset());
-            ASSERT(!byValInfo->stubRoutine);
-            JIT::compileGetByValWithCachedId(&vm, exec->codeBlock(), byValInfo, ReturnAddressPtr(OUR_RETURN_ADDRESS), propertyName);
-        }
-
-        PropertySlot slot(baseValue);
-        bool hasResult = baseValue.getPropertySlot(exec, propertyName, slot);
-        return JSValue::encode(hasResult ? slot.getValue(exec, propertyName) : jsUndefined());
-    }
-
-    JSValue result = getByVal(exec, baseValue, subscript, byValInfo, ReturnAddressPtr(OUR_RETURN_ADDRESS));
+    
+    JSValue result = getByVal(exec, baseValue, subscript, arrayProfile, ReturnAddressPtr(OUR_RETURN_ADDRESS));
     return JSValue::encode(result);
 }
-
-EncodedJSValue JIT_OPERATION operationHasIndexedPropertyDefault(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ByValInfo* byValInfo)
+    
+EncodedJSValue JIT_OPERATION operationHasIndexedPropertyDefault(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ArrayProfile* arrayProfile)
 {
     VM& vm = exec->vm();
     NativeCallFrameTracer tracer(&vm, exec);
@@ -1553,14 +1533,16 @@ EncodedJSValue JIT_OPERATION operationHasIndexedPropertyDefault(ExecState* exec,
     JSObject* object = asObject(baseValue);
     bool didOptimize = false;
 
-    ASSERT(exec->locationAsBytecodeOffset());
-    ASSERT(!byValInfo->stubRoutine);
+    unsigned bytecodeOffset = exec->locationAsBytecodeOffset();
+    ASSERT(bytecodeOffset);
+    ByValInfo& byValInfo = exec->codeBlock()->getByValInfo(bytecodeOffset - 1);
+    ASSERT(!byValInfo.stubRoutine);
     
     if (hasOptimizableIndexing(object->structure(vm))) {
         // Attempt to optimize.
         JITArrayMode arrayMode = jitArrayModeForStructure(object->structure(vm));
-        if (arrayMode != byValInfo->arrayMode) {
-            JIT::compileHasIndexedProperty(&vm, exec->codeBlock(), byValInfo, ReturnAddressPtr(OUR_RETURN_ADDRESS), arrayMode);
+        if (arrayMode != byValInfo.arrayMode) {
+            JIT::compileHasIndexedProperty(&vm, exec->codeBlock(), &byValInfo, ReturnAddressPtr(OUR_RETURN_ADDRESS), arrayMode);
             didOptimize = true;
         }
     }
@@ -1571,10 +1553,10 @@ EncodedJSValue JIT_OPERATION operationHasIndexedPropertyDefault(ExecState* exec,
         // that intercepts indexed get, then don't even wait until 10 times. For cases
         // where we see non-index-intercepting objects, this gives 10 iterations worth of
         // opportunity for us to observe that the get_by_val may be polymorphic.
-        if (++byValInfo->slowPathCount >= 10
+        if (++byValInfo.slowPathCount >= 10
             || object->structure(vm)->typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero()) {
             // Don't ever try to optimize.
-            ctiPatchCallByReturnAddress(exec->codeBlock(), ReturnAddressPtr(OUR_RETURN_ADDRESS), FunctionPtr(operationHasIndexedPropertyGeneric));
+            ctiPatchCallByReturnAddress(exec->codeBlock(), ReturnAddressPtr(OUR_RETURN_ADDRESS), FunctionPtr(operationHasIndexedPropertyGeneric)); 
         }
     }
 
@@ -1583,11 +1565,11 @@ EncodedJSValue JIT_OPERATION operationHasIndexedPropertyDefault(ExecState* exec,
         return JSValue::encode(JSValue(JSValue::JSTrue));
 
     if (!canAccessArgumentIndexQuickly(*object, index))
-        byValInfo->arrayProfile->setOutOfBounds();
+        arrayProfile->setOutOfBounds();
     return JSValue::encode(jsBoolean(object->hasProperty(exec, index)));
 }
     
-EncodedJSValue JIT_OPERATION operationHasIndexedPropertyGeneric(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ByValInfo* byValInfo)
+EncodedJSValue JIT_OPERATION operationHasIndexedPropertyGeneric(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ArrayProfile* arrayProfile)
 {
     VM& vm = exec->vm();
     NativeCallFrameTracer tracer(&vm, exec);
@@ -1603,11 +1585,11 @@ EncodedJSValue JIT_OPERATION operationHasIndexedPropertyGeneric(ExecState* exec,
         return JSValue::encode(JSValue(JSValue::JSTrue));
 
     if (!canAccessArgumentIndexQuickly(*object, index))
-        byValInfo->arrayProfile->setOutOfBounds();
+        arrayProfile->setOutOfBounds();
     return JSValue::encode(jsBoolean(object->hasProperty(exec, subscript.asUInt32())));
 }
     
-EncodedJSValue JIT_OPERATION operationGetByValString(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ByValInfo* byValInfo)
+EncodedJSValue JIT_OPERATION operationGetByValString(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript)
 {
     VM& vm = exec->vm();
     NativeCallFrameTracer tracer(&vm, exec);
@@ -1622,8 +1604,10 @@ EncodedJSValue JIT_OPERATION operationGetByValString(ExecState* exec, EncodedJSV
         else {
             result = baseValue.get(exec, i);
             if (!isJSString(baseValue)) {
-                ASSERT(exec->locationAsBytecodeOffset());
-                ctiPatchCallByReturnAddress(exec->codeBlock(), ReturnAddressPtr(OUR_RETURN_ADDRESS), FunctionPtr(byValInfo->stubRoutine ? operationGetByValGeneric : operationGetByValOptimize));
+                unsigned bytecodeOffset = exec->locationAsBytecodeOffset();
+                ASSERT(bytecodeOffset);
+                ByValInfo& byValInfo = exec->codeBlock()->getByValInfo(bytecodeOffset - 1);
+                ctiPatchCallByReturnAddress(exec->codeBlock(), ReturnAddressPtr(OUR_RETURN_ADDRESS), FunctionPtr(byValInfo.stubRoutine ? operationGetByValGeneric : operationGetByValOptimize));
             }
         }
     } else {
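Review bot: The `ctiPatchCallByReturnAddress` line now retargets the call site from a three-parameter operation to `operationGetByValGeneric` / `operationGetByValOptimize`, which both take a trailing `ArrayProfile*`, and nothing here documents why that is safe. Patching swaps only the callee, so this relies on the call site always setting up the profile argument (as the `callOperation(operationGetByValOptimize, dst, regT0, regT1, profile)` call in emitSlow_op_get_by_val does), with operationGetByValString simply not reading it. A comment above the patch call would record the assumption, for example `// The call site still passes the ArrayProfile* it set up for operationGetByValOptimize; this operation ignores it.` If another call site ever reaches operationGetByValString without that argument, the retargeted operations would dereference whatever the argument register holds. The function's body starts and ends outside this hunk.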
index 3d83f59..2ef2a56 100644 (file)
@@ -58,7 +58,6 @@ extern "C" {
     A: JSArray*
     Aap: ArrayAllocationProfile*
     Ap: ArrayProfile*
-    By: ByValInfo*
     C: JSCell*
     Cb: CodeBlock*
     Cli: CallLinkInfo*
@@ -114,7 +113,6 @@ typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJI)(ExecState*, EncodedJS
 typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJIdc)(ExecState*, EncodedJSValue, const Identifier*);
 typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJJ)(ExecState*, EncodedJSValue, EncodedJSValue);
 typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJJAp)(ExecState*, EncodedJSValue, EncodedJSValue, ArrayProfile*);
-typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJJBy)(ExecState*, EncodedJSValue, EncodedJSValue, ByValInfo*);
 typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJssZ)(ExecState*, JSString*, int32_t);
 typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EJP)(ExecState*, EncodedJSValue, void*);
 typedef EncodedJSValue JIT_OPERATION (*J_JITOperation_EP)(ExecState*, void*);
@@ -197,7 +195,6 @@ typedef void JIT_OPERATION (*V_JITOperation_EJIdJ)(ExecState*, EncodedJSValue, I
 typedef void JIT_OPERATION (*V_JITOperation_EJIdJJ)(ExecState*, EncodedJSValue, Identifier*, EncodedJSValue, EncodedJSValue);
 typedef void JIT_OPERATION (*V_JITOperation_EJJJ)(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue);
 typedef void JIT_OPERATION (*V_JITOperation_EJJJAp)(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue, ArrayProfile*);
-typedef void JIT_OPERATION (*V_JITOperation_EJJJBy)(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue, ByValInfo*);
 typedef void JIT_OPERATION (*V_JITOperation_EJPP)(ExecState*, EncodedJSValue, void*, void*);
 typedef void JIT_OPERATION (*V_JITOperation_EJZJ)(ExecState*, EncodedJSValue, int32_t, EncodedJSValue);
 typedef void JIT_OPERATION (*V_JITOperation_EJZ)(ExecState*, EncodedJSValue, int32_t);
@@ -262,10 +259,10 @@ void JIT_OPERATION operationPutByIdNonStrictBuildList(ExecState*, StructureStubI
 void JIT_OPERATION operationPutByIdDirectStrictBuildList(ExecState*, StructureStubInfo*, EncodedJSValue encodedValue, EncodedJSValue encodedBase, UniquedStringImpl*) WTF_INTERNAL;
 void JIT_OPERATION operationPutByIdDirectNonStrictBuildList(ExecState*, StructureStubInfo*, EncodedJSValue encodedValue, EncodedJSValue encodedBase, UniquedStringImpl*) WTF_INTERNAL;
 void JIT_OPERATION operationReallocateStorageAndFinishPut(ExecState*, JSObject*, Structure*, PropertyOffset, EncodedJSValue) WTF_INTERNAL;
-void JIT_OPERATION operationPutByVal(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue, ByValInfo*) WTF_INTERNAL;
-void JIT_OPERATION operationDirectPutByVal(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue, ByValInfo*) WTF_INTERNAL;
-void JIT_OPERATION operationPutByValGeneric(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue, ByValInfo*) WTF_INTERNAL;
-void JIT_OPERATION operationDirectPutByValGeneric(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue, ByValInfo*) WTF_INTERNAL;
+void JIT_OPERATION operationPutByVal(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue, ArrayProfile*) WTF_INTERNAL;
+void JIT_OPERATION operationDirectPutByVal(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue, ArrayProfile*) WTF_INTERNAL;
+void JIT_OPERATION operationPutByValGeneric(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue, ArrayProfile*) WTF_INTERNAL;
+void JIT_OPERATION operationDirectPutByValGeneric(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue, ArrayProfile*) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationCallEval(ExecState*, ExecState*) WTF_INTERNAL;
 char* JIT_OPERATION operationLinkCall(ExecState*, CallLinkInfo*) WTF_INTERNAL;
 char* JIT_OPERATION operationLinkPolymorphicCall(ExecState*, CallLinkInfo*) WTF_INTERNAL;
@@ -312,11 +309,11 @@ void JIT_OPERATION operationPopScope(ExecState*, int32_t) WTF_INTERNAL;
 void JIT_OPERATION operationProfileDidCall(ExecState*, EncodedJSValue) WTF_INTERNAL;
 void JIT_OPERATION operationProfileWillCall(ExecState*, EncodedJSValue) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationCheckHasInstance(ExecState*, EncodedJSValue, EncodedJSValue baseVal) WTF_INTERNAL;
-EncodedJSValue JIT_OPERATION operationGetByValOptimize(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ByValInfo*) WTF_INTERNAL;
-EncodedJSValue JIT_OPERATION operationGetByValGeneric(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ByValInfo*) WTF_INTERNAL;
-EncodedJSValue JIT_OPERATION operationGetByValString(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ByValInfo*) WTF_INTERNAL;
-EncodedJSValue JIT_OPERATION operationHasIndexedPropertyDefault(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ByValInfo*) WTF_INTERNAL;
-EncodedJSValue JIT_OPERATION operationHasIndexedPropertyGeneric(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ByValInfo*) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationGetByValOptimize(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ArrayProfile*) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationGetByValGeneric(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ArrayProfile*) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationGetByValString(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationHasIndexedPropertyDefault(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ArrayProfile*) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationHasIndexedPropertyGeneric(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ArrayProfile*) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationDeleteById(ExecState*, EncodedJSValue base, const Identifier*) WTF_INTERNAL;
 JSCell* JIT_OPERATION operationGetPNames(ExecState*, JSObject*) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationInstanceOf(ExecState*, EncodedJSValue, EncodedJSValue proto) WTF_INTERNAL;
index a00ccb2..4ef06d9 100644 (file)
@@ -98,14 +98,9 @@ void JIT::emit_op_get_by_val(Instruction* currentInstruction)
     int base = currentInstruction[2].u.operand;
     int property = currentInstruction[3].u.operand;
     ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
-    ByValInfo* byValInfo = m_codeBlock->addByValInfo();
-
+    
     emitGetVirtualRegisters(base, regT0, property, regT1);
-
-    emitJumpSlowCaseIfNotJSCell(regT0, base);
-
-    PatchableJump notIndex = emitPatchableJumpIfNotImmediateInteger(regT1);
-    addSlowCase(notIndex);
+    emitJumpSlowCaseIfNotImmediateInteger(regT1);
 
     // This is technically incorrect - we're zero-extending an int32.  On the hot path this doesn't matter.
     // We check the value as if it was a uint32 against the m_vectorLength - which will always fail if
@@ -115,6 +110,7 @@ void JIT::emit_op_get_by_val(Instruction* currentInstruction)
     // extending since it makes it easier to re-tag the value in the slow case.
     zeroExtend32ToPtr(regT1, regT1);
 
+    emitJumpSlowCaseIfNotJSCell(regT0, base);
     emitArrayProfilingSiteWithCell(regT0, regT2, profile);
     and32(TrustedImm32(IndexingShapeMask), regT2);
 
@@ -153,8 +149,8 @@ void JIT::emit_op_get_by_val(Instruction* currentInstruction)
 
     emitValueProfilingSite();
     emitPutVirtualRegister(dst);
-
-    m_byValCompilationInfo.append(ByValCompilationInfo(byValInfo, m_bytecodeOffset, notIndex, badType, mode, profile, done));
+    
+    m_byValCompilationInfo.append(ByValCompilationInfo(m_bytecodeOffset, badType, mode, done));
 }
 
 JIT::JumpList JIT::emitDoubleLoad(Instruction*, PatchableJump& badType)
@@ -199,52 +195,15 @@ JIT::JumpList JIT::emitArrayStorageLoad(Instruction*, PatchableJump& badType)
     return slowCases;
 }
 
-JITGetByIdGenerator JIT::emitGetByValWithCachedId(Instruction* currentInstruction, const Identifier& propertyName, JumpList& doneCases, JumpList& slowCases)
-{
-    // base: regT0
-    // property: regT1
-    // scratch: regT3
-
-    int dst = currentInstruction[1].u.operand;
-
-    slowCases.append(emitJumpIfNotJSCell(regT1));
-    if (propertyName.isSymbol()) {
-        slowCases.append(branchStructure(NotEqual, Address(regT1, JSCell::structureIDOffset()), m_vm->symbolStructure.get()));
-        loadPtr(Address(regT1, Symbol::offsetOfPrivateName()), regT3);
-    } else {
-        slowCases.append(branchStructure(NotEqual, Address(regT1, JSCell::structureIDOffset()), m_vm->stringStructure.get()));
-        loadPtr(Address(regT1, JSString::offsetOfValue()), regT3);
-        slowCases.append(branchTestPtr(Zero, regT3));
-        slowCases.append(branchTest32(Zero, Address(regT3, StringImpl::flagsOffset()), TrustedImm32(StringImpl::flagIsAtomic())));
-    }
-    slowCases.append(branchPtr(NotEqual, regT3, TrustedImmPtr(propertyName.impl())));
-
-    JITGetByIdGenerator gen(
-        m_codeBlock, CodeOrigin(m_bytecodeOffset), RegisterSet::specialRegisters(),
-        JSValueRegs(regT0), JSValueRegs(regT0), DontSpill);
-    gen.generateFastPath(*this);
-
-    doneCases.append(jump());
-
-    Label coldPathBegin = label();
-    gen.slowPathJump().link(this);
-
-    Call call = callOperation(WithProfile, operationGetByIdOptimize, dst, gen.stubInfo(), regT0, propertyName.impl());
-    gen.reportSlowPathCall(coldPathBegin, call);
-    doneCases.append(jump());
-
-    return gen;
-}
-
 void JIT::emitSlow_op_get_by_val(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
 {
     int dst = currentInstruction[1].u.operand;
     int base = currentInstruction[2].u.operand;
     int property = currentInstruction[3].u.operand;
-    ByValInfo* byValInfo = m_byValCompilationInfo[m_byValInstructionIndex].byValInfo;
+    ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
     
-    linkSlowCaseIfNotJSCell(iter, base); // base cell check
     linkSlowCase(iter); // property int32 check
+    linkSlowCaseIfNotJSCell(iter, base); // base cell check
     Jump nonCell = jump();
     linkSlowCase(iter); // base array check
     Jump notString = branchStructure(NotEqual, 
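Review bot: The two `linkSlowCase` lines are swapped here only because emit_op_get_by_val now emits the int32 check before the cell check, and that coupling is not written down anywhere. The slow-case iterator is consumed positionally, so a later edit that reorders one side without the other would link each slow path to the wrong check without any build error. I would add a comment above the first link, such as `// Slow cases must be linked in the order emit_op_get_by_val adds them: property int32 check, base cell check, base array check.` The function's body continues outside this hunk.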
@@ -265,7 +224,7 @@ void JIT::emitSlow_op_get_by_val(Instruction* currentInstruction, Vector<SlowCas
     
     emitGetVirtualRegister(base, regT0);
     emitGetVirtualRegister(property, regT1);
-    Call call = callOperation(operationGetByValOptimize, dst, regT0, regT1, byValInfo);
+    Call call = callOperation(operationGetByValOptimize, dst, regT0, regT1, profile);
 
     m_byValCompilationInfo[m_byValInstructionIndex].slowPathTarget = slowPath;
     m_byValCompilationInfo[m_byValInstructionIndex].returnAddress = call;
@@ -304,7 +263,6 @@ void JIT::emit_op_put_by_val(Instruction* currentInstruction)
     int base = currentInstruction[1].u.operand;
     int property = currentInstruction[2].u.operand;
     ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
-    ByValInfo* byValInfo = m_codeBlock->addByValInfo();
 
     emitGetVirtualRegisters(base, regT0, property, regT1);
     emitJumpSlowCaseIfNotImmediateInteger(regT1);
@@ -341,7 +299,8 @@ void JIT::emit_op_put_by_val(Instruction* currentInstruction)
     
     Label done = label();
     
-    m_byValCompilationInfo.append(ByValCompilationInfo(byValInfo, m_bytecodeOffset, PatchableJump(), badType, mode, profile, done));
+    m_byValCompilationInfo.append(ByValCompilationInfo(m_bytecodeOffset, badType, mode, done));
+
 }
 
 JIT::JumpList JIT::emitGenericContiguousPutByVal(Instruction* currentInstruction, PatchableJump& badType, IndexingType indexingShape)
@@ -440,7 +399,6 @@ void JIT::emitSlow_op_put_by_val(Instruction* currentInstruction, Vector<SlowCas
     int property = currentInstruction[2].u.operand;
     int value = currentInstruction[3].u.operand;
     ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
-    ByValInfo* byValInfo = m_byValCompilationInfo[m_byValInstructionIndex].byValInfo;
 
     linkSlowCase(iter); // property int32 check
     linkSlowCaseIfNotJSCell(iter, base); // base cell check
@@ -466,7 +424,7 @@ void JIT::emitSlow_op_put_by_val(Instruction* currentInstruction, Vector<SlowCas
     emitGetVirtualRegister(property, regT1);
     emitGetVirtualRegister(value, regT2);
     bool isDirect = m_interpreter->getOpcodeID(currentInstruction->u.opcode) == op_put_by_val_direct;
-    Call call = callOperation(isDirect ? operationDirectPutByVal : operationPutByVal, regT0, regT1, regT2, byValInfo);
+    Call call = callOperation(isDirect ? operationDirectPutByVal : operationPutByVal, regT0, regT1, regT2, profile);
 
     m_byValCompilationInfo[m_byValInstructionIndex].slowPathTarget = slowPath;
     m_byValCompilationInfo[m_byValInstructionIndex].returnAddress = call;
@@ -1041,36 +999,6 @@ void JIT::privateCompileGetByVal(ByValInfo* byValInfo, ReturnAddressPtr returnAd
     repatchBuffer.relinkCallerToFunction(returnAddress, FunctionPtr(operationGetByValGeneric));
 }
 
-void JIT::privateCompileGetByValWithCachedId(ByValInfo* byValInfo, ReturnAddressPtr returnAddress, const Identifier& propertyName)
-{
-    Instruction* currentInstruction = m_codeBlock->instructions().begin() + byValInfo->bytecodeIndex;
-
-    JumpList doneCases;
-    JumpList slowCases;
-
-    JITGetByIdGenerator gen = emitGetByValWithCachedId(currentInstruction, propertyName, doneCases, slowCases);
-
-    ConcurrentJITLocker locker(m_codeBlock->m_lock);
-    LinkBuffer patchBuffer(*m_vm, *this, m_codeBlock);
-    patchBuffer.link(slowCases, CodeLocationLabel(MacroAssemblerCodePtr::createFromExecutableAddress(returnAddress.value())).labelAtOffset(byValInfo->returnAddressToSlowPath));
-    patchBuffer.link(doneCases, byValInfo->badTypeJump.labelAtOffset(byValInfo->badTypeJumpToDone));
-    for (const auto& callSite : m_calls) {
-        if (callSite.to)
-            patchBuffer.link(callSite.from, FunctionPtr(callSite.to));
-    }
-    gen.finalize(patchBuffer);
-
-    byValInfo->stubRoutine = FINALIZE_CODE_FOR_STUB(
-        m_codeBlock, patchBuffer,
-        ("Baseline get_by_val with cached property name '%s' stub for %s, return point %p", propertyName.impl()->utf8().data(), toCString(*m_codeBlock).data(), returnAddress.value()));
-    byValInfo->cachedId = propertyName;
-    byValInfo->stubInfo = gen.stubInfo();
-
-    RepatchBuffer repatchBuffer(m_codeBlock);
-    repatchBuffer.relink(byValInfo->notIndexJump, CodeLocationLabel(byValInfo->stubRoutine->code().code()));
-    repatchBuffer.relinkCallerToFunction(returnAddress, FunctionPtr(operationGetByValGeneric));
-}
-
 void JIT::privateCompilePutByVal(ByValInfo* byValInfo, ReturnAddressPtr returnAddress, JITArrayMode arrayMode)
 {
     Instruction* currentInstruction = m_codeBlock->instructions().begin() + byValInfo->bytecodeIndex;
index a8d69ac..609ca13 100644 (file)
@@ -149,13 +149,11 @@ void JIT::emit_op_get_by_val(Instruction* currentInstruction)
     int base = currentInstruction[2].u.operand;
     int property = currentInstruction[3].u.operand;
     ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
-    ByValInfo* byValInfo = m_codeBlock->addByValInfo();
     
     emitLoad2(base, regT1, regT0, property, regT3, regT2);
     
+    addSlowCase(branch32(NotEqual, regT3, TrustedImm32(JSValue::Int32Tag)));
     emitJumpSlowCaseIfNotJSCell(base, regT1);
-    PatchableJump notIndex = patchableBranch32(NotEqual, regT3, TrustedImm32(JSValue::Int32Tag));
-    addSlowCase(notIndex);
     emitArrayProfilingSiteWithCell(regT0, regT1, profile);
     and32(TrustedImm32(IndexingShapeMask), regT1);
 
@@ -194,7 +192,7 @@ void JIT::emit_op_get_by_val(Instruction* currentInstruction)
     emitValueProfilingSite();
     emitStore(dst, regT1, regT0);
     
-    m_byValCompilationInfo.append(ByValCompilationInfo(byValInfo, m_bytecodeOffset, notIndex, badType, mode, profile, done));
+    m_byValCompilationInfo.append(ByValCompilationInfo(m_bytecodeOffset, badType, mode, done));
 }
 
 JIT::JumpList JIT::emitContiguousLoad(Instruction*, PatchableJump& badType, IndexingType expectedShape)
@@ -238,53 +236,16 @@ JIT::JumpList JIT::emitArrayStorageLoad(Instruction*, PatchableJump& badType)
     
     return slowCases;
 }
-
-JITGetByIdGenerator JIT::emitGetByValWithCachedId(Instruction* currentInstruction, const Identifier& propertyName, JumpList& doneCases, JumpList& slowCases)
-{
-    int dst = currentInstruction[1].u.operand;
-
-    // base: tag(regT1), payload(regT0)
-    // property: tag(regT3), payload(regT2)
-    // scratch: regT4
-
-    slowCases.append(emitJumpIfNotJSCell(regT3));
-    if (propertyName.isSymbol()) {
-        slowCases.append(branchStructure(NotEqual, Address(regT2, JSCell::structureIDOffset()), m_vm->symbolStructure.get()));
-        loadPtr(Address(regT2, Symbol::offsetOfPrivateName()), regT4);
-    } else {
-        slowCases.append(branchStructure(NotEqual, Address(regT2, JSCell::structureIDOffset()), m_vm->stringStructure.get()));
-        loadPtr(Address(regT2, JSString::offsetOfValue()), regT4);
-        slowCases.append(branchTestPtr(Zero, regT4));
-        slowCases.append(branchTest32(Zero, Address(regT4, StringImpl::flagsOffset()), TrustedImm32(StringImpl::flagIsAtomic())));
-    }
-    slowCases.append(branchPtr(NotEqual, regT4, TrustedImmPtr(propertyName.impl())));
-
-    JITGetByIdGenerator gen(
-        m_codeBlock, CodeOrigin(m_bytecodeOffset), RegisterSet::specialRegisters(),
-        JSValueRegs::payloadOnly(regT0), JSValueRegs(regT1, regT0), DontSpill);
-    gen.generateFastPath(*this);
-
-    doneCases.append(jump());
-
-    Label coldPathBegin = label();
-    gen.slowPathJump().link(this);
-
-    Call call = callOperation(WithProfile, operationGetByIdOptimize, dst, gen.stubInfo(), regT1, regT0, propertyName.impl());
-    gen.reportSlowPathCall(coldPathBegin, call);
-    doneCases.append(jump());
-
-    return gen;
-}
-
+    
 void JIT::emitSlow_op_get_by_val(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
 {
     int dst = currentInstruction[1].u.operand;
     int base = currentInstruction[2].u.operand;
     int property = currentInstruction[3].u.operand;
-    ByValInfo* byValInfo = m_byValCompilationInfo[m_byValInstructionIndex].byValInfo;
-
-    linkSlowCaseIfNotJSCell(iter, base); // base cell check
+    ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
+    
     linkSlowCase(iter); // property int32 check
+    linkSlowCaseIfNotJSCell(iter, base); // base cell check
 
     Jump nonCell = jump();
     linkSlowCase(iter); // base array check
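Review bot: The two reordered `linkSlowCase` calls are correct only because they mirror the order in which the fast path registers its slow cases, and nothing in the code records that dependency. Slow cases are consumed positionally through `iter`, so the `// property int32 check` link has to stay first to match the `addSlowCase(branch32(NotEqual, regT3, TrustedImm32(JSValue::Int32Tag)))` that the `emit_op_get_by_val` hunk of this file now places ahead of `emitJumpSlowCaseIfNotJSCell(base, regT1)`. A mismatch would presumably bind a failed type check to the wrong recovery code rather than fail to build. I would add a comment above the first link such as `// Link order must mirror the addSlowCase order in emit_op_get_by_val.` The body of emitSlow_op_get_by_val continues past the end of this hunk.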
@@ -304,7 +265,7 @@ void JIT::emitSlow_op_get_by_val(Instruction* currentInstruction, Vector<SlowCas
     
     emitLoad(base, regT1, regT0);
     emitLoad(property, regT3, regT2);
-    Call call = callOperation(operationGetByValOptimize, dst, regT1, regT0, regT3, regT2, byValInfo);
+    Call call = callOperation(operationGetByValOptimize, dst, regT1, regT0, regT3, regT2, profile);
 
     m_byValCompilationInfo[m_byValInstructionIndex].slowPathTarget = slowPath;
     m_byValCompilationInfo[m_byValInstructionIndex].returnAddress = call;
@@ -318,7 +279,6 @@ void JIT::emit_op_put_by_val(Instruction* currentInstruction)
     int base = currentInstruction[1].u.operand;
     int property = currentInstruction[2].u.operand;
     ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
-    ByValInfo* byValInfo = m_codeBlock->addByValInfo();
     
     emitLoad2(base, regT1, regT0, property, regT3, regT2);
     
@@ -354,7 +314,7 @@ void JIT::emit_op_put_by_val(Instruction* currentInstruction)
     
     Label done = label();
     
-    m_byValCompilationInfo.append(ByValCompilationInfo(byValInfo, m_bytecodeOffset, PatchableJump(), badType, mode, profile, done));
+    m_byValCompilationInfo.append(ByValCompilationInfo(m_bytecodeOffset, badType, mode, done));
 }
 
 JIT::JumpList JIT::emitGenericContiguousPutByVal(Instruction* currentInstruction, PatchableJump& badType, IndexingType indexingShape)
@@ -459,7 +419,6 @@ void JIT::emitSlow_op_put_by_val(Instruction* currentInstruction, Vector<SlowCas
     int property = currentInstruction[2].u.operand;
     int value = currentInstruction[3].u.operand;
     ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
-    ByValInfo* byValInfo = m_byValCompilationInfo[m_byValInstructionIndex].byValInfo;
     
     linkSlowCase(iter); // property int32 check
     linkSlowCaseIfNotJSCell(iter, base); // base cell check
@@ -499,7 +458,7 @@ void JIT::emitSlow_op_put_by_val(Instruction* currentInstruction, Vector<SlowCas
     emitLoad(value, regT0, regT1);
     addCallArgument(regT1);
     addCallArgument(regT0);
-    addCallArgument(TrustedImmPtr(byValInfo));
+    addCallArgument(TrustedImmPtr(profile));
     Call call = appendCallWithExceptionCheck(isDirect ? operationDirectPutByVal : operationPutByVal);
 #else
     // The register selection below is chosen to reduce register swapping on ARM.
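Review bot: `addCallArgument(TrustedImmPtr(profile))` passes the pointer type-erased, so the compiler cannot tell whether `operationPutByVal` and `operationDirectPutByVal` expect an `ArrayProfile*` or still a `ByValInfo*` as their last parameter. Their declarations are not part of this hunk; if they were not rolled back together with this call site, this branch would still build and the callee would presumably read the profile as the wrong type. A comment on the line, e.g. `// Must match the ArrayProfile* last parameter of operationPutByVal / operationDirectPutByVal.`, would record the coupling. The `callOperation(...)` form in the `#else` branch looks like it is checked against the operation's signature. The function and the `#if` both start outside the hunk.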
@@ -507,7 +466,7 @@ void JIT::emitSlow_op_put_by_val(Instruction* currentInstruction, Vector<SlowCas
     emitLoad(base, regT2, regT1);
     emitLoad(property, regT3, regT0);
     emitLoad(value, regT5, regT4);
-    Call call = callOperation(isDirect ? operationDirectPutByVal : operationPutByVal, regT2, regT1, regT3, regT0, regT5, regT4, byValInfo);
+    Call call = callOperation(isDirect ? operationDirectPutByVal : operationPutByVal, regT2, regT1, regT3, regT0, regT5, regT4, profile);
 #endif
 
     m_byValCompilationInfo[m_byValInstructionIndex].slowPathTarget = slowPath;
index 83f5de2..e5790d7 100644 (file)
@@ -79,8 +79,6 @@ public:
     JSObject* toObject(ExecState*, JSGlobalObject*) const;
     double toNumber(ExecState*) const;
 
-    static size_t offsetOfPrivateName() { return OBJECT_OFFSETOF(Symbol, m_privateName); }
-
 protected:
     static void destroy(JSCell*);
 
diff --git a/Source/JavaScriptCore/tests/stress/get-by-val-with-string-constructor.js b/Source/JavaScriptCore/tests/stress/get-by-val-with-string-constructor.js
deleted file mode 100644 (file)
index ac58516..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-var symbol = "@@species";
-function Hello() {
-}
-
-Object.defineProperty(Hello, symbol, {
-    get: function () {
-        return this;
-    }
-});
-
-Hello.prototype.generate = function () {
-    return new this.constructor[symbol]();
-};
-
-function ok() {
-    var object = new Hello();
-    if (!(object.generate() instanceof Hello))
-        throw new Error("bad instance");
-}
-noInline(ok);
-
-for (var i = 0; i < 10000; ++i)
-    ok();
diff --git a/Source/JavaScriptCore/tests/stress/get-by-val-with-string-exit.js b/Source/JavaScriptCore/tests/stress/get-by-val-with-string-exit.js
deleted file mode 100644 (file)
index 9aa262d..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-function shouldBe(actual, expected) {
-    if (actual !== expected)
-        throw new Error('bad value: ' + actual);
-}
-
-function getByVal(object, name)
-{
-    return object[name];
-}
-noInline(getByVal);
-
-function getStr1()
-{
-    return "hello";
-}
-noInline(getStr1);
-
-function getStr2()
-{
-    return "hello";
-}
-noInline(getStr2);
-
-var object = {
-    hello: 42
-};
-
-for (var i = 0; i < 100; ++i)
-    shouldBe(getByVal(object, i % 2 === 0 ? getStr1() : getStr2()), 42);
-shouldBe(getByVal(object, { toString() { return 'hello'; } }), 42);
-
-for (var i = 0; i < 10000; ++i)
-    shouldBe(getByVal(object, i % 2 === 0 ? getStr1() : getStr2()), 42);
-shouldBe(getByVal(object, { toString() { return 'hello'; } }), 42);
diff --git a/Source/JavaScriptCore/tests/stress/get-by-val-with-string-generated.js b/Source/JavaScriptCore/tests/stress/get-by-val-with-string-generated.js
deleted file mode 100644 (file)
index e813a7e..0000000
+++ /dev/null
@@ -1,33 +0,0 @@
-function shouldBe(actual, expected) {
-    if (actual !== expected)
-        throw new Error('bad value: ' + actual);
-}
-
-function getByVal(object, name)
-{
-    return object[name];
-}
-noInline(getByVal);
-
-var value = 'lo';
-
-function getStr1()
-{
-    return "hel" + value;
-}
-noInline(getStr1);
-
-function getStr2()
-{
-    return "hello";
-}
-noInline(getStr2);
-
-var object = {
-    hello: 42,
-    world: 50
-};
-
-for (var i = 0; i < 10000; ++i)
-    shouldBe(getByVal(object, i % 2 === 0 ? getStr1() : getStr2()), 42);
-shouldBe(getByVal(object, 'world'), 50);
diff --git a/Source/JavaScriptCore/tests/stress/get-by-val-with-string-getter.js b/Source/JavaScriptCore/tests/stress/get-by-val-with-string-getter.js
deleted file mode 100644 (file)
index 858ec0a..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-
-var object = {
-    get hello() {
-        return 42;
-    }
-};
-
-function ok() {
-    var value = 'hello';
-    if (object[value] + 20 !== 62)
-        throw new Error();
-}
-noInline(ok);
-
-for (var i = 0; i < 10000; ++i)
-    ok();
diff --git a/Source/JavaScriptCore/tests/stress/get-by-val-with-string.js b/Source/JavaScriptCore/tests/stress/get-by-val-with-string.js
deleted file mode 100644 (file)
index 6db33d9..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-function shouldBe(actual, expected) {
-    if (actual !== expected)
-        throw new Error('bad value: ' + actual);
-}
-
-function getByVal(object, name)
-{
-    return object[name];
-}
-noInline(getByVal);
-
-function getStr1()
-{
-    return "hello";
-}
-noInline(getStr1);
-
-function getStr2()
-{
-    return "hello";
-}
-noInline(getStr2);
-
-var object = {
-    hello: 42,
-    world: 50
-};
-
-for (var i = 0; i < 10000; ++i)
-    shouldBe(getByVal(object, i % 2 === 0 ? getStr1() : getStr2()), 42);
-shouldBe(getByVal(object, 'world'), 50);
diff --git a/Source/JavaScriptCore/tests/stress/get-by-val-with-symbol-constructor.js b/Source/JavaScriptCore/tests/stress/get-by-val-with-symbol-constructor.js
deleted file mode 100644 (file)
index 2895c26..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-var symbol = Symbol();
-function Hello() {
-}
-
-Object.defineProperty(Hello, symbol, {
-    get: function () {
-        return this;
-    }
-});
-
-Hello.prototype.generate = function () {
-    return new this.constructor[symbol]();
-};
-
-function ok() {
-    var object = new Hello();
-    if (!(object.generate() instanceof Hello))
-        throw new Error("bad instance");
-}
-noInline(ok);
-
-for (var i = 0; i < 10000; ++i)
-    ok();
diff --git a/Source/JavaScriptCore/tests/stress/get-by-val-with-symbol-exit.js b/Source/JavaScriptCore/tests/stress/get-by-val-with-symbol-exit.js
deleted file mode 100644 (file)
index c0cdcb6..0000000
+++ /dev/null
@@ -1,38 +0,0 @@
-var symbol1 = Symbol();
-var symbol2 = Object.getOwnPropertySymbols({ [symbol1]: 42 })[0];
-
-function shouldBe(actual, expected) {
-    if (actual !== expected)
-        throw new Error('bad value: ' + actual);
-}
-
-function getByVal(object, name)
-{
-    return object[name];
-}
-noInline(getByVal);
-
-function getSym1()
-{
-    return symbol1;
-}
-noInline(getSym1);
-
-function getSym2()
-{
-    return symbol2;
-}
-noInline(getSym2);
-
-var object = {
-    [symbol1]: 42,
-    hello: 50
-};
-
-for (var i = 0; i < 100; ++i)
-    shouldBe(getByVal(object, i % 2 === 0 ? getSym1() : getSym2()), 42);
-shouldBe(getByVal(object, 'hello'), 50);
-
-for (var i = 0; i < 10000; ++i)
-    shouldBe(getByVal(object, i % 2 === 0 ? getSym1() : getSym2()), 42);
-shouldBe(getByVal(object, 'hello'), 50);
diff --git a/Source/JavaScriptCore/tests/stress/get-by-val-with-symbol-getter.js b/Source/JavaScriptCore/tests/stress/get-by-val-with-symbol-getter.js
deleted file mode 100644 (file)
index 7035e4b..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-
-var object = {
-    get hello() {
-        return 42;
-    }
-};
-
-var symbol = Symbol();
-
-Object.defineProperty(object, symbol, {
-    get: function () {
-        return 42;
-    }
-});
-
-function ok() {
-    if (object[symbol] + 20 !== 62)
-        throw new Error();
-}
-noInline(ok);
-
-for (var i = 0; i < 10000; ++i)
-    ok();
diff --git a/Source/JavaScriptCore/tests/stress/get-by-val-with-symbol.js b/Source/JavaScriptCore/tests/stress/get-by-val-with-symbol.js
deleted file mode 100644 (file)
index 2c834eb..0000000
+++ /dev/null
@@ -1,33 +0,0 @@
-var symbol1 = Symbol();
-var symbol2 = Object.getOwnPropertySymbols({ [symbol1]: 42 })[0];
-
-function shouldBe(actual, expected) {
-    if (actual !== expected)
-        throw new Error('bad value: ' + actual);
-}
-
-function getByVal(object, name)
-{
-    return object[name];
-}
-noInline(getByVal);
-
-function getSym1()
-{
-    return symbol1;
-}
-noInline(getSym1);
-
-function getSym2()
-{
-    return symbol2;
-}
-noInline(getSym2);
-
-var object = {
-    [symbol1]: 42,
-    hello: 50
-};
-
-for (var i = 0; i < 10000; ++i)
-    shouldBe(getByVal(object, i % 2 === 0 ? getSym1() : getSym2()), 42);