Changeset 231316 in webkit

Timestamp:

May 3, 2018 11:18:34 AM (6 years ago)

Author:

keith_miller@apple.com

Message:

Remove the prototype caching for get_by_id in the LLInt
​https://bugs.webkit.org/show_bug.cgi?id=185226

Reviewed by Michael Saboff.

There is no evidence that this is actually a speedup and we keep
getting bugs with it. At this point it seems like we should just
remove this code.

• CMakeLists.txt:
• JavaScriptCore.xcodeproj/project.pbxproj:
• Sources.txt:
• bytecode/BytecodeDumper.cpp:

(JSC::BytecodeDumper<Block>::printGetByIdOp):
(JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
(JSC::BytecodeDumper<Block>::dumpBytecode):

• bytecode/BytecodeList.json:
• bytecode/BytecodeUseDef.h:

(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::finalizeLLIntInlineCaches):

• bytecode/CodeBlock.h:

(JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.

• bytecode/GetByIdStatus.cpp:

(JSC::GetByIdStatus::computeFromLLInt):

• bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Removed.
• bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Removed.
• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitGetById):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGCapabilities.cpp:

(JSC::DFG::capabilityLevel):

• jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::setupGetByIdPrototypeCache): Deleted.

• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/Options.h:

Location:

trunk/Source/JavaScriptCore

Files:

• CMakeLists.txt (modified) (1 diff)
• ChangeLog (modified) (1 diff)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (8 diffs)
• Sources.txt (modified) (1 diff)
• bytecode/BytecodeDumper.cpp (modified) (4 diffs)
• bytecode/BytecodeList.json (modified) (1 diff)
• bytecode/BytecodeUseDef.h (modified) (2 diffs)
• bytecode/CodeBlock.cpp (modified) (3 diffs)
• bytecode/CodeBlock.h (modified) (3 diffs)
• bytecode/GetByIdStatus.cpp (modified) (1 diff)
• bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp (deleted)
• bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h (deleted)
• bytecompiler/BytecodeGenerator.cpp (modified) (1 diff)
• dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• dfg/DFGCapabilities.cpp (modified) (1 diff)
• jit/JIT.cpp (modified) (2 diffs)
• llint/LLIntSlowPaths.cpp (modified) (5 diffs)
• llint/LowLevelInterpreter32_64.asm (modified) (1 diff)
• llint/LowLevelInterpreter64.asm (modified) (3 diffs)
• runtime/Options.h (modified) (1 diff)

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -449 +449 @@
     bytecode/JumpTable.h
     bytecode/LLIntCallLinkInfo.h
-    bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h
     bytecode/LazyOperandValueProfile.h
     bytecode/ObjectAllocationProfile.h

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2018-05-03  Keith Miller  <keith_miller@apple.com>
+
+        Remove the prototype caching for get_by_id in the LLInt
+        https://bugs.webkit.org/show_bug.cgi?id=185226
+
+        Reviewed by Michael Saboff.
+
+        There is no evidence that this is actually a speedup and we keep
+        getting bugs with it. At this point it seems like we should just
+        remove this code.
+
+        * CMakeLists.txt:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * bytecode/BytecodeDumper.cpp:
+        (JSC::BytecodeDumper<Block>::printGetByIdOp):
+        (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
+        (JSC::BytecodeDumper<Block>::dumpBytecode):
+        * bytecode/BytecodeList.json:
+        * bytecode/BytecodeUseDef.h:
+        (JSC::computeUsesForBytecodeOffset):
+        (JSC::computeDefsForBytecodeOffset):
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::finalizeLLIntInlineCaches):
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::llintGetByIdWatchpointMap): Deleted.
+        * bytecode/GetByIdStatus.cpp:
+        (JSC::GetByIdStatus::computeFromLLInt):
+        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp: Removed.
+        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h: Removed.
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitGetById):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGCapabilities.cpp:
+        (JSC::DFG::capabilityLevel):
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileMainPass):
+        (JSC::JIT::privateCompileSlowCases):
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        (JSC::LLInt::setupGetByIdPrototypeCache): Deleted.
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/Options.h:
+
 2018-05-03  Ryan Haddad  <ryanhaddad@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1036 +1036 @@
                 53F6BF6D1C3F060A00F41E5D /* InternalFunctionAllocationProfile.h in Headers */ = {isa = PBXBuildFile; fileRef = 53F6BF6C1C3F060A00F41E5D /* InternalFunctionAllocationProfile.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 53F8D2001E8387D400D21116 /* WasmBBQPlanInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = 53F8D1FF1E8387D400D21116 /* WasmBBQPlanInlines.h */; };
-                53FA2AE11CF37F3F0022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.h in Headers */ = {isa = PBXBuildFile; fileRef = 53FA2AE01CF37F3F0022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 53FD04D41D7AB291003287D3 /* WasmCallingConvention.h in Headers */ = {isa = PBXBuildFile; fileRef = 53FD04D21D7AB187003287D3 /* WasmCallingConvention.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 53FF7F991DBFCD9000A26CCC /* WasmValidate.h in Headers */ = {isa = PBXBuildFile; fileRef = 53FF7F981DBFCD9000A26CCC /* WasmValidate.h */; };
@@ -3459 +3458 @@
                 53F6BF6C1C3F060A00F41E5D /* InternalFunctionAllocationProfile.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = InternalFunctionAllocationProfile.h; sourceTree = "<group>"; };
                 53F8D1FF1E8387D400D21116 /* WasmBBQPlanInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmBBQPlanInlines.h; sourceTree = "<group>"; };
-                53FA2AE01CF37F3F0022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LLIntPrototypeLoadAdaptiveStructureWatchpoint.h; sourceTree = "<group>"; };
-                53FA2AE21CF380390022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp; sourceTree = "<group>"; };
                 53FD04D11D7AB187003287D3 /* WasmCallingConvention.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WasmCallingConvention.cpp; sourceTree = "<group>"; };
                 53FD04D21D7AB187003287D3 /* WasmCallingConvention.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmCallingConvention.h; sourceTree = "<group>"; };
@@ -6671 +6668 @@
                                 FE2B0B681FD0D2970075DA5F /* JSCPoison.cpp */,
                                 FE2B0B701FD8C4630075DA5F /* JSCPoison.h */,
+                                FE7497E5209001B00003565B /* JSCPtrTag.h */,
                                 72AAF7CB1D0D318B005E60BE /* JSCustomGetterSetterFunction.cpp */,
                                 72AAF7CC1D0D318B005E60BE /* JSCustomGetterSetterFunction.h */,
@@ -6756 +6754 @@
                                 862553CE16136AA5009F17D0 /* JSProxy.cpp */,
                                 862553CF16136AA5009F17D0 /* JSProxy.h */,
-                                FE7497E5209001B00003565B /* JSCPtrTag.h */,
                                 534638721E70D01500F12AC1 /* JSRunLoopTimer.cpp */,
                                 534638701E70CF3D00F12AC1 /* JSRunLoopTimer.h */,
@@ -7635 +7632 @@
                                 0FB5467614F59AD1002C2989 /* LazyOperandValueProfile.h */,
                                 0F0FC45814BD15F100B81154 /* LLIntCallLinkInfo.h */,
-                                53FA2AE21CF380390022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp */,
-                                53FA2AE01CF37F3F0022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.h */,
                                 0FB5467C14F5CFD3002C2989 /* MethodOfGettingAValueProfile.cpp */,
                                 0FB5467A14F5C7D4002C2989 /* MethodOfGettingAValueProfile.h */,
@@ -9001 +8996 @@
                                 148CD1D8108CF902008163C6 /* JSContextRefPrivate.h in Headers */,
                                 FE2B0B731FD9EF700075DA5F /* JSCPoison.h in Headers */,
+                                FE7497E6209001B10003565B /* JSCPtrTag.h in Headers */,
                                 A72028B81797601E0098028C /* JSCTestRunnerUtils.h in Headers */,
                                 72AAF7CE1D0D31B3005E60BE /* JSCustomGetterSetterFunction.h in Headers */,
@@ -9076 +9072 @@
                                 7C184E1F17BEE22E007CB63A /* JSPromisePrototype.h in Headers */,
                                 996B731F1BDA08EF00331B84 /* JSPromisePrototype.lut.h in Headers */,
-                                FE7497E6209001B10003565B /* JSCPtrTag.h in Headers */,
                                 2A05ABD61961DF2400341750 /* JSPropertyNameEnumerator.h in Headers */,
                                 862553D216136E1A009F17D0 /* JSProxy.h in Headers */,
@@ -9165 +9160 @@
                                 FED287B215EC9A5700DA8161 /* LLIntOpcode.h in Headers */,
                                 79CFC6F01C33B10000C768EA /* LLIntPCRanges.h in Headers */,
-                                53FA2AE11CF37F3F0022711D /* LLIntPrototypeLoadAdaptiveStructureWatchpoint.h in Headers */,
                                 0F4680A514BA7F8D00BFE272 /* LLIntSlowPaths.h in Headers */,
                                 0F0B839D14BCF46600885B4F /* LLIntThunks.h in Headers */,

trunk/Source/JavaScriptCore/Sources.txt

@@ -226 +226 @@
 bytecode/IntrinsicGetterAccessCase.cpp
 bytecode/JumpTable.cpp
-bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp
 bytecode/LazyOperandValueProfile.cpp
 bytecode/MethodOfGettingAValueProfile.cpp

trunk/Source/JavaScriptCore/bytecode/BytecodeDumper.cpp

@@ -378 +378 @@
         op = "get_by_id";
         break;
-    case op_get_by_id_proto_load:
-        op = "get_by_id_proto_load";
-        break;
-    case op_get_by_id_unset:
-        op = "get_by_id_unset";
-        break;
     case op_get_array_length:
         op = "array_length";
@@ -398 +392 @@
     printLocationAndOp(out, location, it, op);
     out.printf("%s, %s, %s", registerName(r0).data(), registerName(r1).data(), idName(id0, identifier(id0)).data());
-    it += 4; // Increment up to the value profiler.
+    it += 3; // Increment up to the value profiler.
 }
 
@@ -443 +437 @@
         dumpStructure(out, "struct", structure, ident);
         out.printf(")");
-        if (Interpreter::getOpcodeID(instruction[0]) == op_get_by_id_proto_load)
-            out.printf(" proto(%p)", getPointer(instruction[6]));
     }
 
@@ -1039 +1031 @@
     }
     case op_get_by_id:
-    case op_get_by_id_proto_load:
-    case op_get_by_id_unset:
     case op_get_array_length: {
         printGetByIdOp(out, location, it);

trunk/Source/JavaScriptCore/bytecode/BytecodeList.json

@@ -82 +82 @@
             { "name" : "op_is_cell_with_type", "length" : 4 },
             { "name" : "op_in", "length" : 5 },
-            { "name" : "op_get_array_length", "length" : 9 },
-            { "name" : "op_get_by_id", "length" : 9  },
-            { "name" : "op_get_by_id_proto_load", "length" : 9 },
-            { "name" : "op_get_by_id_unset", "length" : 9 },
+            { "name" : "op_get_array_length", "length" : 8 },
+            { "name" : "op_get_by_id", "length" : 8  },
             { "name" : "op_get_by_id_with_this", "length" : 6 },
             { "name" : "op_get_by_val_with_this", "length" : 6 },

trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h

@@ -183 +183 @@
     case op_try_get_by_id:
     case op_get_by_id:
-    case op_get_by_id_proto_load:
-    case op_get_by_id_unset:
     case op_get_by_id_direct:
     case op_get_array_length:
@@ -435 +433 @@
     case op_try_get_by_id:
     case op_get_by_id:
-    case op_get_by_id_proto_load:
-    case op_get_by_id_unset:
     case op_get_by_id_direct:
     case op_get_by_id_with_this:

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -66 +66 @@
 #include "LLIntData.h"
 #include "LLIntEntrypoint.h"
-#include "LLIntPrototypeLoadAdaptiveStructureWatchpoint.h"
 #include "LowLevelInterpreter.h"
 #include "ModuleProgramCodeBlock.h"
@@ -1244 +1243 @@
         Instruction* curInstruction = &instructions()[propertyAccessInstructions[i]];
         switch (Interpreter::getOpcodeID(curInstruction[0])) {
-        case op_get_by_id:
-        case op_get_by_id_proto_load:
-        case op_get_by_id_unset: {
+        case op_get_by_id: {
             StructureID oldStructureID = curInstruction[4].u.structureID;
             if (!oldStructureID || Heap::isMarked(vm.heap.structureIDTable().get(oldStructureID)))
@@ -1339 +1336 @@
         }
     }
-
-    // We can't just remove all the sets when we clear the caches since we might have created a watchpoint set
-    // then cleared the cache without GCing in between.
-    m_llintGetByIdWatchpointMap.removeIf([](const StructureWatchpointMap::KeyValuePairType& pair) -> bool {
-        return !Heap::isMarked(pair.key);
-    });
 
     for (unsigned i = 0; i < m_llintCallLinkInfos.size(); ++i) {

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -55 +55 @@
 #include "JumpTable.h"
 #include "LLIntCallLinkInfo.h"
-#include "LLIntPrototypeLoadAdaptiveStructureWatchpoint.h"
 #include "LazyOperandValueProfile.h"
 #include "ModuleProgramExecutable.h"
@@ -628 +627 @@
     }
 
-    typedef HashMap<Structure*, Bag<LLIntPrototypeLoadAdaptiveStructureWatchpoint>> StructureWatchpointMap;
-    StructureWatchpointMap& llintGetByIdWatchpointMap() { return m_llintGetByIdWatchpointMap; }
-
     // Functions for controlling when tiered compilation kicks in. This
     // controls both when the optimizing compiler is invoked and when OSR
@@ -975 +971 @@
     RefCountedArray<LLIntCallLinkInfo> m_llintCallLinkInfos;
     SentinelLinkedList<LLIntCallLinkInfo, BasicRawSentinelNode<LLIntCallLinkInfo>> m_incomingLLIntCalls;
-    StructureWatchpointMap m_llintGetByIdWatchpointMap;
     PoisonedRefPtr<CodeBlockPoison, JITCode> m_jitCode;
 #if ENABLE(JIT)

trunk/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp

@@ -105 +105 @@
 
     case op_get_array_length:
-    case op_try_get_by_id:
-    case op_get_by_id_proto_load:
-    case op_get_by_id_unset: {
-        // FIXME: We should not just bail if we see a try_get_by_id or a get_by_id_proto_load.
-        // https://bugs.webkit.org/show_bug.cgi?id=158039
+    case op_try_get_by_id: {
         return GetByIdStatus(NoInformation, false);
     }

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -2704 +2704 @@
     instructions().append(0);
     instructions().append(0);
-    instructions().append(Options::prototypeHitCountForLLIntCaching());
     instructions().append(profile);
     return dst;

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -5139 +5139 @@
         case op_try_get_by_id:
         case op_get_by_id:
-        case op_get_by_id_proto_load:
-        case op_get_by_id_unset:
         case op_get_array_length: {
             SpeculatedType prediction = getPrediction();

trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp

@@ -165 +165 @@
     case op_try_get_by_id:
     case op_get_by_id:
-    case op_get_by_id_proto_load:
-    case op_get_by_id_unset:
     case op_get_by_id_with_this:
     case op_get_by_id_direct:

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -331 +331 @@
         DEFINE_OP(op_try_get_by_id)
         case op_get_array_length:
-        case op_get_by_id_proto_load:
-        case op_get_by_id_unset:
         DEFINE_OP(op_get_by_id)
         DEFINE_OP(op_get_by_id_with_this)
@@ -510 +508 @@
         DEFINE_SLOWCASE_OP(op_try_get_by_id)
         case op_get_array_length:
-        case op_get_by_id_proto_load:
-        case op_get_by_id_unset:
         DEFINE_SLOWCASE_OP(op_get_by_id)
         DEFINE_SLOWCASE_OP(op_get_by_id_with_this)

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -642 +642 @@
 }
 
-
-static void setupGetByIdPrototypeCache(ExecState* exec, VM& vm, Instruction* pc, JSCell* baseCell, PropertySlot& slot, const Identifier& ident)
-{
-    CodeBlock* codeBlock = exec->codeBlock();
-    Structure* structure = baseCell->structure();
-
-    if (structure->typeInfo().prohibitsPropertyCaching())
-        return;
-    
-    if (structure->needImpurePropertyWatchpoint())
-        return;
-
-    if (structure->isDictionary()) {
-        if (structure->hasBeenFlattenedBefore())
-            return;
-        structure->flattenDictionaryStructure(vm, jsCast<JSObject*>(baseCell));
-    }
-
-    ObjectPropertyConditionSet conditions;
-    if (slot.isUnset())
-        conditions = generateConditionsForPropertyMiss(vm, codeBlock, exec, structure, ident.impl());
-    else
-        conditions = generateConditionsForPrototypePropertyHit(vm, codeBlock, exec, structure, slot.slotBase(), ident.impl());
-
-    if (!conditions.isValid())
-        return;
-
-    PropertyOffset offset = invalidOffset;
-    CodeBlock::StructureWatchpointMap& watchpointMap = codeBlock->llintGetByIdWatchpointMap();
-    auto result = watchpointMap.add(structure, Bag<LLIntPrototypeLoadAdaptiveStructureWatchpoint>());
-    for (ObjectPropertyCondition condition : conditions) {
-        if (!condition.isWatchable())
-            return;
-        if (condition.condition().kind() == PropertyCondition::Presence)
-            offset = condition.condition().offset();
-        result.iterator->value.add(condition, pc)->install();
-    }
-    ASSERT((offset == invalidOffset) == slot.isUnset());
-
-    ConcurrentJSLocker locker(codeBlock->m_lock);
-
-    if (slot.isUnset()) {
-        pc[0].u.opcode = LLInt::getOpcode(op_get_by_id_unset);
-        pc[4].u.structureID = structure->id();
-        return;
-    }
-    ASSERT(slot.isValue());
-
-    pc[0].u.opcode = LLInt::getOpcode(op_get_by_id_proto_load);
-    pc[4].u.structureID = structure->id();
-    pc[5].u.operand = offset;
-    // We know that this pointer will remain valid because it will be cleared by either a watchpoint fire or
-    // during GC when we clear the LLInt caches.
-    pc[6].u.pointer = slot.slotBase();
-}
-
-
 LLINT_SLOW_PATH_DECL(slow_path_get_by_id)
 {
@@ -719 +662 @@
             if (oldStructureID) {
                 auto opcode = Interpreter::getOpcodeID(pc[0]);
-                if (opcode == op_get_by_id
-                    || opcode == op_get_by_id_unset
-                    || opcode == op_get_by_id_proto_load) {
+                if (opcode == op_get_by_id) {
                     Structure* a = vm.heap.structureIDTable().get(oldStructureID);
                     Structure* b = baseValue.asCell()->structure(vm);
@@ -740 +681 @@
             pc[4].u.pointer = nullptr; // old structure
             pc[5].u.pointer = nullptr; // offset
-
-            // Prevent the prototype cache from ever happening.
-            pc[7].u.operand = 0;
         
             if (structure->propertyAccessesAreCacheable()
@@ -753 +691 @@
                 pc[5].u.operand = slot.cachedOffset();
             }
-        } else if (UNLIKELY(pc[7].u.operand && (slot.isValue() || slot.isUnset()))) {
-            ASSERT(slot.slotBase() != baseValue);
-
-            if (!(--pc[7].u.operand))
-                setupGetByIdPrototypeCache(exec, vm, pc, baseCell, slot, ident);
         }
     } else if (!LLINT_ALWAYS_ACCESS_SLOW
@@ -766 +699 @@
         arrayProfile->observeStructure(baseValue.asCell()->structure());
         pc[4].u.arrayProfile = arrayProfile;
-
-        // Prevent the prototype cache from ever happening.
-        pc[7].u.operand = 0;
     }
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -1427 +1427 @@
     callSlowPath(_llint_slow_path_get_by_id)
     dispatch(constexpr op_get_by_id_length)
-
-
-_llint_op_get_by_id_proto_load:
-    traceExecution()
-    loadi 8[PC], t0
-    loadi 16[PC], t1
-    loadConstantOrVariablePayload(t0, CellTag, t3, .opGetByIdProtoSlow)
-    loadi 20[PC], t2
-    bineq JSCell::m_structureID[t3], t1, .opGetByIdProtoSlow
-    loadpFromInstruction(6, t3)
-    loadPropertyAtVariableOffset(t2, t3, t0, t1)
-    loadi 4[PC], t2
-    storei t0, TagOffset[cfr, t2, 8]
-    storei t1, PayloadOffset[cfr, t2, 8]
-    valueProfile(t0, t1, 32, t2)
-    dispatch(constexpr op_get_by_id_proto_load_length)
-
-.opGetByIdProtoSlow:
-    callSlowPath(_llint_slow_path_get_by_id)
-    dispatch(constexpr op_get_by_id_proto_load_length)
-
-
-_llint_op_get_by_id_unset:
-    traceExecution()
-    loadi 8[PC], t0
-    loadi 16[PC], t1
-    loadConstantOrVariablePayload(t0, CellTag, t3, .opGetByIdUnsetSlow)
-    bineq JSCell::m_structureID[t3], t1, .opGetByIdUnsetSlow
-    loadi 4[PC], t2
-    storei UndefinedTag, TagOffset[cfr, t2, 8]
-    storei 0, PayloadOffset[cfr, t2, 8]
-    valueProfile(UndefinedTag, 0, 32, t2)
-    dispatch(constexpr op_get_by_id_unset_length)
-
-.opGetByIdUnsetSlow:
-    callSlowPath(_llint_slow_path_get_by_id)
-    dispatch(constexpr op_get_by_id_unset_length)
 
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -1343 +1343 @@
     loadPropertyAtVariableOffset(t1, t3, t0)
     storeq t0, [cfr, t2, 8]
-    valueProfile(t0, 8, t1)
+    valueProfile(t0, constexpr (op_get_by_id_length - 1), t1)
     dispatch(constexpr op_get_by_id_length)
 
@@ -1349 +1349 @@
     callSlowPath(_llint_slow_path_get_by_id)
     dispatch(constexpr op_get_by_id_length)
-
-
-_llint_op_get_by_id_proto_load:
-    traceExecution()
-    loadisFromInstruction(2, t0)
-    loadConstantOrVariableCell(t0, t3, .opGetByIdProtoSlow)
-    loadi JSCell::m_structureID[t3], t1
-    loadisFromInstruction(4, t2)
-    bineq t2, t1, .opGetByIdProtoSlow
-    loadisFromInstruction(5, t1)
-    loadpFromInstruction(6, t3)
-    loadisFromInstruction(1, t2)
-    loadPropertyAtVariableOffset(t1, t3, t0)
-    storeq t0, [cfr, t2, 8]
-    valueProfile(t0, 8, t1)
-    dispatch(constexpr op_get_by_id_proto_load_length)
-
-.opGetByIdProtoSlow:
-    callSlowPath(_llint_slow_path_get_by_id)
-    dispatch(constexpr op_get_by_id_proto_load_length)
-
-
-_llint_op_get_by_id_unset:
-    traceExecution()
-    loadisFromInstruction(2, t0)
-    loadConstantOrVariableCell(t0, t3, .opGetByIdUnsetSlow)
-    loadi JSCell::m_structureID[t3], t1
-    loadisFromInstruction(4, t2)
-    bineq t2, t1, .opGetByIdUnsetSlow
-    loadisFromInstruction(1, t2)
-    storeq ValueUndefined, [cfr, t2, 8]
-    valueProfile(ValueUndefined, 8, t1)
-    dispatch(constexpr op_get_by_id_unset_length)
-
-.opGetByIdUnsetSlow:
-    callSlowPath(_llint_slow_path_get_by_id)
-    dispatch(constexpr op_get_by_id_unset_length)
 
 
@@ -1402 +1365 @@
     bilt t0, 0, .opGetArrayLengthSlow
     orq tagTypeNumber, t0
-    valueProfile(t0, 8, t2)
+    valueProfile(t0, constexpr (op_get_array_length_length - 1), t2)
     storeq t0, [cfr, t1, 8]
     dispatch(constexpr op_get_array_length_length)

trunk/Source/JavaScriptCore/runtime/Options.h

@@ -459 +459 @@
     v(bool, useICStats, false, Normal, nullptr) \
     \
-    v(unsigned, prototypeHitCountForLLIntCaching, 2, Normal, "Number of prototype property hits before caching a prototype in the LLInt. A count of 0 means never cache.") \
-    \
     v(bool, dumpCompiledRegExpPatterns, false, Normal, nullptr) \
     \