Changeset 281615 in webkit

Timestamp:

Aug 26, 2021 12:39:01 AM (11 months ago)

Author:

ysuzuki@apple.com

Message:

[JSC] Polymorphic PutByVal
​https://bugs.webkit.org/show_bug.cgi?id=229229

Reviewed by Saam Barati.

This patch changes PutByVal IC to modern style. This polymorphic PutByVal can handle multiple array types and multiple identifiers.
Also, this removes adhoc IC code in Baseline so that it paves the way to unlinked Baseline JIT by cleaning up IC.

Several interesting points of the design.

1. We need to pass ArrayProfile* via GPRReg to IC since we need to profile mayStoreToHole, which is still important to avoid the slow path.
2. Transition / Replace IC need to record propertyRegs if it exists not to clobber these registers. This is important in DFG / FTL since IC should not clobber these registers unless it is flushed. It also makes Baseline code smaller since we do not reload them in the slow path call.
3. Added a path folding String/Symbol when emitting PutByVal in DFG / FTL. This edge-case is found via a microbenchmark. Let's consider the case: one put_by_val site has one identifier "foo", but it has so many different Structures. Previously, we emit JITPutByIdGenerator adhocly, and still we cache this "foo" identifier in cachedId. In DFG / FTL, while we cannot make it PutByOffset, we can emit PutById since we know that identifier is always "foo". But after this patch's change, such a site becomes slow-path. And then this identifier information is missed, and we were emitting PutByVal for that. For now, we attempt to fold to one identifier in DFGByteCodeParser so that we can still attempt to make it PutById, which can be PutByOffset in constant folding phase. We would like to handle this one identifier slow-path case in PutByStatus / GetByStatus in the future patch.
4. Now, DFG OSR exit does not query to ByValInfo for setter calls since JITPutByValGenerator use StructureStubInfo in Baseline.

Results of Microbenchmarks look good.

ToT Patched

put-by-val-direct-large-index 94.6265+-0.9076 93.4550+-0.7121 might be 1.0125x faster
inlined-put-by-val-with-string-transition

23.7131+-0.3282 ^{22.7679+-0.1137} definitely 1.0415x faster

put-by-val-with-string-slightly-polymorphic

1.9852+-0.0284 1.9580+-0.0224 might be 1.0139x faster

get-and-put-by-val-double-index-dont-fall-off-a-cliff

185.4762+-0.5737 ? 185.6325+-0.5819 ?

polymorphic-put-by-val-with-string 30.9903+-0.1207 30.8097+-0.1285
put-by-val-machine-int 1.8803+-0.0384 1.8707+-0.0440
fold-put-by-val-with-symbol-to-multi-put-by-offset

4.8463+-0.1148 4.7839+-0.0547 might be 1.0130x faster

put-by-val-with-string-replace-and-transition

8.8730+-1.5934 ^{6.2276+-0.0585} definitely 1.4248x faster

fold-put-by-val-with-string-to-multi-put-by-offset

4.8183+-0.0841 ? 4.8233+-0.0892 ?

put-by-val-direct 0.2845+-0.0091 ? 0.2901+-0.0088 ? might be 1.0196x slower
put-by-val-with-symbol-replace-and-transition

6.3527+-0.0686 ? 6.3933+-0.0961 ?

put-by-val-with-symbol 9.3556+-3.1421 7.1509+-0.1019 might be 1.3083x faster
put-by-val-with-symbol-slightly-polymorphic

2.0052+-0.0309 1.9781+-0.0397 might be 1.0137x faster

put-by-val-negative-array-index 14.9572+-0.1221 ^{14.5636+-0.1044} definitely 1.0270x faster
put-by-val-with-string 11.6345+-4.3048 ^{7.0919+-0.0918} definitely 1.6405x faster
put-by-val-large-index-blank-indexing-type

3.1425+-0.1165 3.1236+-0.0378

inlined-put-by-val-with-symbol-transition

23.4932+-0.3186 ^{22.8469+-0.0873} definitely 1.0283x faster

polymorphic-put-by-val-with-symbol 36.6046+-1.6519 ^{30.8597+-0.1474} definitely 1.1862x faster

Speedometer2 showed roughly 0.2-0.3% progression.

---

| subtest | ms | ms | b / a | pValue (significance using False Discovery Rate) |

---

| Elm-TodoMVC |121.916667 |121.958333 |1.000342 | 0.876802 |
| VueJS-TodoMVC |26.263333 |26.006667 |0.990227 | 0.263868 |
| EmberJS-TodoMVC |127.080000 |127.866667 |1.006190 | 0.011497 (significant) |
| BackboneJS-TodoMVC |48.920000 |49.318333 |1.008143 | 0.003395 (significant) |
| Preact-TodoMVC |19.828333 |19.828333 |1.000000 | 1.000000 |
| AngularJS-TodoMVC |134.011667 |132.080000 |0.985586 | 0.000000 (significant) |
| Vanilla-ES2015-TodoMVC |63.726667 |63.838333 |1.001752 | 0.408404 |
| Inferno-TodoMVC |65.153333 |63.753333 |0.978512 | 0.000000 (significant) |
| Flight-TodoMVC |78.133333 |78.780000 |1.008276 | 0.097794 |
| Angular2-TypeScript-TodoMVC |40.415000 |40.100000 |0.992206 | 0.287630 |
| VanillaJS-TodoMVC |51.931667 |52.500000 |1.010944 | 0.004149 (significant) |
| jQuery-TodoMVC |226.056667 |225.073333 |0.995650 | 0.007796 (significant) |
| EmberJS-Debug-TodoMVC |341.210000 |340.978333 |0.999321 | 0.623386 |
| React-TodoMVC |87.198333 |86.893333 |0.996502 | 0.042189 |
| React-Redux-TodoMVC |146.506667 |145.958333 |0.996257 | 0.018801 (significant) |
| Vanilla-ES2015-Babel-Webpack-TodoMVC |61.450000 |61.870000 |1.006835 | 0.000049 (significant) |

---

a mean = 254.85111
b mean = 255.25735
pValue = 0.1856561656
(Bigger means are better.)
1.002 times better
Results ARE NOT significant

• JavaScriptCore.xcodeproj/project.pbxproj:
• Sources.txt:
• bytecode/AccessCase.cpp:

(JSC::AccessCase::create):
(JSC::AccessCase::guardedByStructureCheckSkippingConstantIdentifierCheck const):
(JSC::AccessCase::requiresIdentifierNameMatch const):
(JSC::AccessCase::requiresInt32PropertyCheck const):
(JSC::AccessCase::needsScratchFPR const):
(JSC::AccessCase::forEachDependentCell const):
(JSC::AccessCase::doesCalls const):
(JSC::AccessCase::canReplace const):
(JSC::AccessCase::generateWithGuard):
(JSC::AccessCase::generateImpl):
(JSC::AccessCase::toTypedArrayType):
(JSC::AccessCase::canBeShared):

• bytecode/AccessCase.h:

(JSC::SharedJITStubSet::Hash::Key::Key):
(JSC::SharedJITStubSet::Hash::Key::operator==):
(JSC::SharedJITStubSet::Searcher::Translator::equal):

• bytecode/ArrayProfile.h:

(JSC::ArrayProfile::offsetOfMayStoreToHole):
(JSC::ArrayProfile::offsetOfLastSeenStructureID):

• bytecode/GetterSetterAccessCase.cpp:

(JSC::GetterSetterAccessCase::emitDOMJITGetter):

• bytecode/ICStatusMap.h:
• bytecode/InlineAccess.cpp:

(JSC::getScratchRegister):

• bytecode/PolymorphicAccess.cpp:

(JSC::PolymorphicAccess::regenerate):
(WTF::printInternal):

• bytecode/PutByStatus.cpp: Renamed from Source/JavaScriptCore/bytecode/PutByIdStatus.cpp.

(JSC::PutByStatus::appendVariant):
(JSC::PutByStatus::shrinkToFit):
(JSC::PutByStatus::computeFromLLInt):
(JSC::PutByStatus::PutByStatus):
(JSC::PutByStatus::computeFor):
(JSC::PutByStatus::computeForStubInfo):
(JSC::PutByStatus::makesCalls const):
(JSC::PutByStatus::slowVersion const):
(JSC::PutByStatus::singleIdentifier const):
(JSC::PutByStatus::visitAggregateImpl):
(JSC::PutByStatus::markIfCheap):
(JSC::PutByStatus::finalize):
(JSC::PutByStatus::merge):
(JSC::PutByStatus::filter):
(JSC::PutByStatus::dump const):

• bytecode/PutByStatus.h: Renamed from Source/JavaScriptCore/bytecode/PutByIdStatus.h.
• bytecode/PutByVariant.cpp: Renamed from Source/JavaScriptCore/bytecode/PutByIdVariant.cpp.

(JSC::PutByVariant::PutByVariant):
(JSC::PutByVariant::operator=):
(JSC::PutByVariant::replace):
(JSC::PutByVariant::transition):
(JSC::PutByVariant::setter):
(JSC::PutByVariant::oldStructureForTransition const):
(JSC::PutByVariant::fixTransitionToReplaceIfNecessary):
(JSC::PutByVariant::writesStructures const):
(JSC::PutByVariant::reallocatesStorage const):
(JSC::PutByVariant::makesCalls const):
(JSC::PutByVariant::attemptToMerge):
(JSC::PutByVariant::attemptToMergeTransitionWithReplace):
(JSC::PutByVariant::visitAggregateImpl):
(JSC::PutByVariant::markIfCheap):
(JSC::PutByVariant::finalize):
(JSC::PutByVariant::dump const):
(JSC::PutByVariant::dumpInContext const):

• bytecode/PutByVariant.h: Renamed from Source/JavaScriptCore/bytecode/PutByIdVariant.h.

(JSC::PutByVariant::PutByVariant):
(JSC::PutByVariant::identifier const):
(JSC::PutByVariant::overlaps):

• bytecode/RecordedStatuses.cpp:

(JSC::RecordedStatuses::addPutByStatus):
(JSC::RecordedStatuses::visitAggregateImpl):
(JSC::RecordedStatuses::addPutByIdStatus): Deleted.

• bytecode/RecordedStatuses.h:
• bytecode/StructureStubInfo.cpp:

(JSC::StructureStubInfo::reset):

• bytecode/StructureStubInfo.h:
• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::filterICStatus):

• dfg/DFGArgumentsEliminationPhase.cpp:
• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::load):
(JSC::DFG::ByteCodeParser::store):
(JSC::DFG::ByteCodeParser::emitPutById):
(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::handlePutPrivateNameById):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::handlePutByVal):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGClobbersExitState.cpp:

(JSC::DFG::clobbersExitState):

• dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
(JSC::DFG::ConstantFoldingPhase::tryFoldAsPutByOffset):

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGGraph.cpp:

(JSC::DFG::Graph::dump):

• dfg/DFGGraph.h:
• dfg/DFGJITCompiler.cpp:

(JSC::DFG::JITCompiler::link):

• dfg/DFGJITCompiler.h:

(JSC::DFG::JITCompiler::addPutByVal):

• dfg/DFGMayExit.cpp:
• dfg/DFGNode.h:

(JSC::DFG::Node::hasPutByStatus):
(JSC::DFG::Node::putByStatus):
(JSC::DFG::Node::hasPutByIdStatus): Deleted.
(JSC::DFG::Node::putByIdStatus): Deleted.

• dfg/DFGNodeType.h:
• dfg/DFGOSRExitCompilerCommon.cpp:

(JSC::DFG::callerReturnPC):

• dfg/DFGObjectAllocationSinkingPhase.cpp:
• dfg/DFGPredictionPropagationPhase.cpp:
• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGStoreBarrierInsertionPhase.cpp:
• dfg/DFGValidate.cpp:
• dfg/DFGVarargsForwardingPhase.cpp:
• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):

• generator/DSL.rb:
• jit/ICStats.h:
• jit/JIT.cpp:

(JSC::JIT::privateCompileSlowCases):
(JSC::JIT::link):

• jit/JIT.h:
• jit/JITInlineCacheGenerator.cpp:

(JSC::JITPutByIdGenerator::JITPutByIdGenerator):
(JSC::JITPutByValGenerator::JITPutByValGenerator):
(JSC::JITPutByValGenerator::generateFastPath):
(JSC::JITPutByValGenerator::finalize):

• jit/JITInlineCacheGenerator.h:
• jit/JITInlines.h:

(JSC::JIT::emitArrayProfilingSiteWithCell):
(JSC::JIT::chooseArrayMode): Deleted.

• jit/JITOperations.cpp:

(JSC::JSC_DEFINE_JIT_OPERATION):
(JSC::putByVal):
(JSC::directPutByVal):
(JSC::putByValOptimize):
(JSC::directPutByValOptimize):
(JSC::tryPutByValOptimize): Deleted.
(JSC::tryDirectPutByValOptimize): Deleted.

• jit/JITOperations.h:
• jit/JITPropertyAccess.cpp:

(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::slow_op_put_by_val_prepareCallGenerator):
(JSC::JIT::emitSlow_op_put_private_name):
(JSC::JIT::slow_op_put_private_name_prepareCallGenerator):
(JSC::JIT::emitGenericContiguousPutByVal): Deleted.
(JSC::JIT::emitArrayStoragePutByVal): Deleted.
(JSC::JIT::privateCompilePutByVal): Deleted.
(JSC::JIT::privateCompilePutByValWithCachedId): Deleted.
(JSC::JIT::emitIntTypedArrayPutByVal): Deleted.
(JSC::JIT::emitFloatTypedArrayPutByVal): Deleted.

• jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::emitGenericContiguousPutByVal): Deleted.
(JSC::JIT::emitArrayStoragePutByVal): Deleted.

• jit/Repatch.cpp:

(JSC::appropriateGenericPutByFunction):
(JSC::appropriateOptimizingPutByFunction):
(JSC::tryCachePutBy):
(JSC::repatchPutBy):
(JSC::tryCacheArrayPutByVal):
(JSC::repatchArrayPutByVal):
(JSC::tryCacheInBy):
(JSC::resetPutBy):
(JSC::appropriateGenericPutByIdFunction): Deleted.
(JSC::appropriateOptimizingPutByIdFunction): Deleted.
(JSC::tryCachePutByID): Deleted.
(JSC::repatchPutByID): Deleted.
(JSC::resetPutByID): Deleted.

• jit/Repatch.h:
• llint/LowLevelInterpreter.h:

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Sources.txt (modified) (1 diff)
• bytecode/AccessCase.cpp (modified) (23 diffs)
• bytecode/AccessCase.h (modified) (7 diffs)
• bytecode/ArrayProfile.h (modified) (1 diff)
• bytecode/GetterSetterAccessCase.cpp (modified) (1 diff)
• bytecode/ICStatusMap.h (modified) (2 diffs)
• bytecode/InlineAccess.cpp (modified) (1 diff)
• bytecode/PolymorphicAccess.cpp (modified) (4 diffs)
• bytecode/PutByStatus.cpp (moved) (moved from trunk/Source/JavaScriptCore/bytecode/PutByIdStatus.cpp) (32 diffs)
• bytecode/PutByStatus.h (moved) (moved from trunk/Source/JavaScriptCore/bytecode/PutByIdStatus.h) (6 diffs)
• bytecode/PutByVariant.cpp (moved) (moved from trunk/Source/JavaScriptCore/bytecode/PutByIdVariant.cpp) (16 diffs)
• bytecode/PutByVariant.h (moved) (moved from trunk/Source/JavaScriptCore/bytecode/PutByIdVariant.h) (5 diffs)
• bytecode/RecordedStatuses.cpp (modified) (2 diffs)
• bytecode/RecordedStatuses.h (modified) (3 diffs)
• bytecode/StructureStubInfo.cpp (modified) (1 diff)
• bytecode/StructureStubInfo.h (modified) (2 diffs)
• dfg/DFGAbstractInterpreterInlines.h (modified) (10 diffs)
• dfg/DFGArgumentsEliminationPhase.cpp (modified) (2 diffs)
• dfg/DFGByteCodeParser.cpp (modified) (23 diffs)
• dfg/DFGClobberize.h (modified) (1 diff)
• dfg/DFGClobbersExitState.cpp (modified) (1 diff)
• dfg/DFGConstantFoldingPhase.cpp (modified) (10 diffs)
• dfg/DFGDoesGC.cpp (modified) (1 diff)
• dfg/DFGFixupPhase.cpp (modified) (2 diffs)
• dfg/DFGGraph.cpp (modified) (1 diff)
• dfg/DFGGraph.h (modified) (1 diff)
• dfg/DFGJITCompiler.cpp (modified) (1 diff)
• dfg/DFGJITCompiler.h (modified) (2 diffs)
• dfg/DFGMayExit.cpp (modified) (1 diff)
• dfg/DFGNode.h (modified) (3 diffs)
• dfg/DFGNodeType.h (modified) (1 diff)
• dfg/DFGOSRExitCompilerCommon.cpp (modified) (1 diff)
• dfg/DFGObjectAllocationSinkingPhase.cpp (modified) (4 diffs)
• dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• dfg/DFGSafeToExecute.h (modified) (1 diff)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (2 diffs)
• dfg/DFGSpeculativeJIT64.cpp (modified) (2 diffs)
• dfg/DFGStoreBarrierInsertionPhase.cpp (modified) (1 diff)
• dfg/DFGValidate.cpp (modified) (1 diff)
• dfg/DFGVarargsForwardingPhase.cpp (modified) (2 diffs)
• ftl/FTLCapabilities.cpp (modified) (1 diff)
• ftl/FTLLowerDFGToB3.cpp (modified) (6 diffs)
• generator/DSL.rb (modified) (1 diff)
• jit/ICStats.h (modified) (1 diff)
• jit/JIT.cpp (modified) (3 diffs)
• jit/JIT.h (modified) (5 diffs)
• jit/JITInlineCacheGenerator.cpp (modified) (2 diffs)
• jit/JITInlineCacheGenerator.h (modified) (2 diffs)
• jit/JITInlines.h (modified) (2 diffs)
• jit/JITOperations.cpp (modified) (15 diffs)
• jit/JITOperations.h (modified) (1 diff)
• jit/JITPropertyAccess.cpp (modified) (12 diffs)
• jit/JITPropertyAccess32_64.cpp (modified) (4 diffs)
• jit/Repatch.cpp (modified) (8 diffs)
• jit/Repatch.h (modified) (3 diffs)
• llint/LowLevelInterpreter.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2021-08-25  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Polymorphic PutByVal
+        https://bugs.webkit.org/show_bug.cgi?id=229229
+
+        Reviewed by Saam Barati.
+
+        This patch changes PutByVal IC to modern style. This polymorphic PutByVal can handle multiple array types and multiple identifiers.
+        Also, this removes adhoc IC code in Baseline so that it paves the way to unlinked Baseline JIT by cleaning up IC.
+
+        Several interesting points of the design.
+
+        1. We need to pass ArrayProfile* via GPRReg to IC since we need to profile mayStoreToHole, which is still important to avoid the slow path.
+        2. Transition / Replace IC need to record propertyRegs if it exists not to clobber these registers. This is important in DFG / FTL since
+           IC should not clobber these registers unless it is flushed. It also makes Baseline code smaller since we do not reload them in the slow path call.
+        3. Added a path folding String/Symbol when emitting PutByVal in DFG / FTL. This edge-case is found via a microbenchmark. Let's consider the case: one
+           put_by_val site has one identifier "foo", but it has so many different Structures. Previously, we emit JITPutByIdGenerator adhocly, and still we
+           cache this "foo" identifier in cachedId. In DFG / FTL, while we cannot make it PutByOffset, we can emit PutById since we know that identifier is
+           always "foo". But after this patch's change, such a site becomes slow-path. And then this identifier information is missed, and we were emitting
+           PutByVal for that. For now, we attempt to fold to one identifier in DFGByteCodeParser so that we can still attempt to make it PutById, which
+           can be PutByOffset in constant folding phase. We would like to handle this one identifier slow-path case in PutByStatus / GetByStatus in the future
+           patch.
+        4. Now, DFG OSR exit does not query to ByValInfo for setter calls since JITPutByValGenerator use StructureStubInfo in Baseline.
+
+        Results of Microbenchmarks look good.
+
+                                                             ToT                     Patched
+
+        put-by-val-direct-large-index                  94.6265+-0.9076           93.4550+-0.7121          might be 1.0125x faster
+        inlined-put-by-val-with-string-transition
+                                                       23.7131+-0.3282     ^     22.7679+-0.1137        ^ definitely 1.0415x faster
+        put-by-val-with-string-slightly-polymorphic
+                                                        1.9852+-0.0284            1.9580+-0.0224          might be 1.0139x faster
+        get-and-put-by-val-double-index-dont-fall-off-a-cliff
+                                                      185.4762+-0.5737     ?    185.6325+-0.5819        ?
+        polymorphic-put-by-val-with-string             30.9903+-0.1207           30.8097+-0.1285
+        put-by-val-machine-int                          1.8803+-0.0384            1.8707+-0.0440
+        fold-put-by-val-with-symbol-to-multi-put-by-offset
+                                                        4.8463+-0.1148            4.7839+-0.0547          might be 1.0130x faster
+        put-by-val-with-string-replace-and-transition
+                                                        8.8730+-1.5934     ^      6.2276+-0.0585        ^ definitely 1.4248x faster
+        fold-put-by-val-with-string-to-multi-put-by-offset
+                                                        4.8183+-0.0841     ?      4.8233+-0.0892        ?
+        put-by-val-direct                               0.2845+-0.0091     ?      0.2901+-0.0088        ? might be 1.0196x slower
+        put-by-val-with-symbol-replace-and-transition
+                                                        6.3527+-0.0686     ?      6.3933+-0.0961        ?
+        put-by-val-with-symbol                          9.3556+-3.1421            7.1509+-0.1019          might be 1.3083x faster
+        put-by-val-with-symbol-slightly-polymorphic
+                                                        2.0052+-0.0309            1.9781+-0.0397          might be 1.0137x faster
+        put-by-val-negative-array-index                14.9572+-0.1221     ^     14.5636+-0.1044        ^ definitely 1.0270x faster
+        put-by-val-with-string                         11.6345+-4.3048     ^      7.0919+-0.0918        ^ definitely 1.6405x faster
+        put-by-val-large-index-blank-indexing-type
+                                                        3.1425+-0.1165            3.1236+-0.0378
+        inlined-put-by-val-with-symbol-transition
+                                                       23.4932+-0.3186     ^     22.8469+-0.0873        ^ definitely 1.0283x faster
+        polymorphic-put-by-val-with-symbol             36.6046+-1.6519     ^     30.8597+-0.1474        ^ definitely 1.1862x faster
+
+        Speedometer2 showed roughly 0.2-0.3% progression.
+
+        ----------------------------------------------------------------------------------------------------------------------------------
+        |               subtest                |     ms      |     ms      |  b / a   | pValue (significance using False Discovery Rate) |
+        ----------------------------------------------------------------------------------------------------------------------------------
+        | Elm-TodoMVC                          |121.916667   |121.958333   |1.000342  | 0.876802                                         |
+        | VueJS-TodoMVC                        |26.263333    |26.006667    |0.990227  | 0.263868                                         |
+        | EmberJS-TodoMVC                      |127.080000   |127.866667   |1.006190  | 0.011497 (significant)                           |
+        | BackboneJS-TodoMVC                   |48.920000    |49.318333    |1.008143  | 0.003395 (significant)                           |
+        | Preact-TodoMVC                       |19.828333    |19.828333    |1.000000  | 1.000000                                         |
+        | AngularJS-TodoMVC                    |134.011667   |132.080000   |0.985586  | 0.000000 (significant)                           |
+        | Vanilla-ES2015-TodoMVC               |63.726667    |63.838333    |1.001752  | 0.408404                                         |
+        | Inferno-TodoMVC                      |65.153333    |63.753333    |0.978512  | 0.000000 (significant)                           |
+        | Flight-TodoMVC                       |78.133333    |78.780000    |1.008276  | 0.097794                                         |
+        | Angular2-TypeScript-TodoMVC          |40.415000    |40.100000    |0.992206  | 0.287630                                         |
+        | VanillaJS-TodoMVC                    |51.931667    |52.500000    |1.010944  | 0.004149 (significant)                           |
+        | jQuery-TodoMVC                       |226.056667   |225.073333   |0.995650  | 0.007796 (significant)                           |
+        | EmberJS-Debug-TodoMVC                |341.210000   |340.978333   |0.999321  | 0.623386                                         |
+        | React-TodoMVC                        |87.198333    |86.893333    |0.996502  | 0.042189                                         |
+        | React-Redux-TodoMVC                  |146.506667   |145.958333   |0.996257  | 0.018801 (significant)                           |
+        | Vanilla-ES2015-Babel-Webpack-TodoMVC |61.450000    |61.870000    |1.006835  | 0.000049 (significant)                           |
+        ----------------------------------------------------------------------------------------------------------------------------------
+        a mean = 254.85111
+        b mean = 255.25735
+        pValue = 0.1856561656
+        (Bigger means are better.)
+        1.002 times better
+        Results ARE NOT significant
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * bytecode/AccessCase.cpp:
+        (JSC::AccessCase::create):
+        (JSC::AccessCase::guardedByStructureCheckSkippingConstantIdentifierCheck const):
+        (JSC::AccessCase::requiresIdentifierNameMatch const):
+        (JSC::AccessCase::requiresInt32PropertyCheck const):
+        (JSC::AccessCase::needsScratchFPR const):
+        (JSC::AccessCase::forEachDependentCell const):
+        (JSC::AccessCase::doesCalls const):
+        (JSC::AccessCase::canReplace const):
+        (JSC::AccessCase::generateWithGuard):
+        (JSC::AccessCase::generateImpl):
+        (JSC::AccessCase::toTypedArrayType):
+        (JSC::AccessCase::canBeShared):
+        * bytecode/AccessCase.h:
+        (JSC::SharedJITStubSet::Hash::Key::Key):
+        (JSC::SharedJITStubSet::Hash::Key::operator==):
+        (JSC::SharedJITStubSet::Searcher::Translator::equal):
+        * bytecode/ArrayProfile.h:
+        (JSC::ArrayProfile::offsetOfMayStoreToHole):
+        (JSC::ArrayProfile::offsetOfLastSeenStructureID):
+        * bytecode/GetterSetterAccessCase.cpp:
+        (JSC::GetterSetterAccessCase::emitDOMJITGetter):
+        * bytecode/ICStatusMap.h:
+        * bytecode/InlineAccess.cpp:
+        (JSC::getScratchRegister):
+        * bytecode/PolymorphicAccess.cpp:
+        (JSC::PolymorphicAccess::regenerate):
+        (WTF::printInternal):
+        * bytecode/PutByStatus.cpp: Renamed from Source/JavaScriptCore/bytecode/PutByIdStatus.cpp.
+        (JSC::PutByStatus::appendVariant):
+        (JSC::PutByStatus::shrinkToFit):
+        (JSC::PutByStatus::computeFromLLInt):
+        (JSC::PutByStatus::PutByStatus):
+        (JSC::PutByStatus::computeFor):
+        (JSC::PutByStatus::computeForStubInfo):
+        (JSC::PutByStatus::makesCalls const):
+        (JSC::PutByStatus::slowVersion const):
+        (JSC::PutByStatus::singleIdentifier const):
+        (JSC::PutByStatus::visitAggregateImpl):
+        (JSC::PutByStatus::markIfCheap):
+        (JSC::PutByStatus::finalize):
+        (JSC::PutByStatus::merge):
+        (JSC::PutByStatus::filter):
+        (JSC::PutByStatus::dump const):
+        * bytecode/PutByStatus.h: Renamed from Source/JavaScriptCore/bytecode/PutByIdStatus.h.
+        * bytecode/PutByVariant.cpp: Renamed from Source/JavaScriptCore/bytecode/PutByIdVariant.cpp.
+        (JSC::PutByVariant::PutByVariant):
+        (JSC::PutByVariant::operator=):
+        (JSC::PutByVariant::replace):
+        (JSC::PutByVariant::transition):
+        (JSC::PutByVariant::setter):
+        (JSC::PutByVariant::oldStructureForTransition const):
+        (JSC::PutByVariant::fixTransitionToReplaceIfNecessary):
+        (JSC::PutByVariant::writesStructures const):
+        (JSC::PutByVariant::reallocatesStorage const):
+        (JSC::PutByVariant::makesCalls const):
+        (JSC::PutByVariant::attemptToMerge):
+        (JSC::PutByVariant::attemptToMergeTransitionWithReplace):
+        (JSC::PutByVariant::visitAggregateImpl):
+        (JSC::PutByVariant::markIfCheap):
+        (JSC::PutByVariant::finalize):
+        (JSC::PutByVariant::dump const):
+        (JSC::PutByVariant::dumpInContext const):
+        * bytecode/PutByVariant.h: Renamed from Source/JavaScriptCore/bytecode/PutByIdVariant.h.
+        (JSC::PutByVariant::PutByVariant):
+        (JSC::PutByVariant::identifier const):
+        (JSC::PutByVariant::overlaps):
+        * bytecode/RecordedStatuses.cpp:
+        (JSC::RecordedStatuses::addPutByStatus):
+        (JSC::RecordedStatuses::visitAggregateImpl):
+        (JSC::RecordedStatuses::addPutByIdStatus): Deleted.
+        * bytecode/RecordedStatuses.h:
+        * bytecode/StructureStubInfo.cpp:
+        (JSC::StructureStubInfo::reset):
+        * bytecode/StructureStubInfo.h:
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterICStatus):
+        * dfg/DFGArgumentsEliminationPhase.cpp:
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::load):
+        (JSC::DFG::ByteCodeParser::store):
+        (JSC::DFG::ByteCodeParser::emitPutById):
+        (JSC::DFG::ByteCodeParser::handlePutById):
+        (JSC::DFG::ByteCodeParser::handlePutPrivateNameById):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        (JSC::DFG::ByteCodeParser::handlePutByVal):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGClobbersExitState.cpp:
+        (JSC::DFG::clobbersExitState):
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::foldConstants):
+        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
+        (JSC::DFG::ConstantFoldingPhase::tryFoldAsPutByOffset):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGGraph.cpp:
+        (JSC::DFG::Graph::dump):
+        * dfg/DFGGraph.h:
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::link):
+        * dfg/DFGJITCompiler.h:
+        (JSC::DFG::JITCompiler::addPutByVal):
+        * dfg/DFGMayExit.cpp:
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::hasPutByStatus):
+        (JSC::DFG::Node::putByStatus):
+        (JSC::DFG::Node::hasPutByIdStatus): Deleted.
+        (JSC::DFG::Node::putByIdStatus): Deleted.
+        * dfg/DFGNodeType.h:
+        * dfg/DFGOSRExitCompilerCommon.cpp:
+        (JSC::DFG::callerReturnPC):
+        * dfg/DFGObjectAllocationSinkingPhase.cpp:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGStoreBarrierInsertionPhase.cpp:
+        * dfg/DFGValidate.cpp:
+        * dfg/DFGVarargsForwardingPhase.cpp:
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
+        (JSC::FTL::DFG::LowerDFGToB3::compileMultiPutByOffset):
+        * generator/DSL.rb:
+        * jit/ICStats.h:
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileSlowCases):
+        (JSC::JIT::link):
+        * jit/JIT.h:
+        * jit/JITInlineCacheGenerator.cpp:
+        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
+        (JSC::JITPutByValGenerator::JITPutByValGenerator):
+        (JSC::JITPutByValGenerator::generateFastPath):
+        (JSC::JITPutByValGenerator::finalize):
+        * jit/JITInlineCacheGenerator.h:
+        * jit/JITInlines.h:
+        (JSC::JIT::emitArrayProfilingSiteWithCell):
+        (JSC::JIT::chooseArrayMode): Deleted.
+        * jit/JITOperations.cpp:
+        (JSC::JSC_DEFINE_JIT_OPERATION):
+        (JSC::putByVal):
+        (JSC::directPutByVal):
+        (JSC::putByValOptimize):
+        (JSC::directPutByValOptimize):
+        (JSC::tryPutByValOptimize): Deleted.
+        (JSC::tryDirectPutByValOptimize): Deleted.
+        * jit/JITOperations.h:
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emit_op_put_by_val):
+        (JSC::JIT::emitSlow_op_put_by_val):
+        (JSC::JIT::slow_op_put_by_val_prepareCallGenerator):
+        (JSC::JIT::emitSlow_op_put_private_name):
+        (JSC::JIT::slow_op_put_private_name_prepareCallGenerator):
+        (JSC::JIT::emitGenericContiguousPutByVal): Deleted.
+        (JSC::JIT::emitArrayStoragePutByVal): Deleted.
+        (JSC::JIT::privateCompilePutByVal): Deleted.
+        (JSC::JIT::privateCompilePutByValWithCachedId): Deleted.
+        (JSC::JIT::emitIntTypedArrayPutByVal): Deleted.
+        (JSC::JIT::emitFloatTypedArrayPutByVal): Deleted.
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::emit_op_put_by_val):
+        (JSC::JIT::emitSlow_op_put_by_val):
+        (JSC::JIT::emitGenericContiguousPutByVal): Deleted.
+        (JSC::JIT::emitArrayStoragePutByVal): Deleted.
+        * jit/Repatch.cpp:
+        (JSC::appropriateGenericPutByFunction):
+        (JSC::appropriateOptimizingPutByFunction):
+        (JSC::tryCachePutBy):
+        (JSC::repatchPutBy):
+        (JSC::tryCacheArrayPutByVal):
+        (JSC::repatchArrayPutByVal):
+        (JSC::tryCacheInBy):
+        (JSC::resetPutBy):
+        (JSC::appropriateGenericPutByIdFunction): Deleted.
+        (JSC::appropriateOptimizingPutByIdFunction): Deleted.
+        (JSC::tryCachePutByID): Deleted.
+        (JSC::repatchPutByID): Deleted.
+        (JSC::resetPutByID): Deleted.
+        * jit/Repatch.h:
+        * llint/LowLevelInterpreter.h:
+
 2021-08-25  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -465 +465 @@
                 0F93329E14CA7DC50085F3C6 /* CallLinkStatus.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F93329414CA7DC10085F3C6 /* CallLinkStatus.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0F9332A014CA7DCD0085F3C6 /* GetByStatus.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F93329614CA7DC10085F3C6 /* GetByStatus.h */; settings = {ATTRIBUTES = (Private, ); }; };
-                0F9332A414CA7DD90085F3C6 /* PutByIdStatus.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F93329A14CA7DC10085F3C6 /* PutByIdStatus.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F9332A414CA7DD90085F3C6 /* PutByStatus.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F93329A14CA7DC10085F3C6 /* PutByStatus.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0F9332A514CA7DDD0085F3C6 /* StructureSet.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F93329B14CA7DC10085F3C6 /* StructureSet.h */; settings = {ATTRIBUTES = (Private, ); }; };
-                0F93B4AA18B92C4D00178A3F /* PutByIdVariant.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F93B4A818B92C4D00178A3F /* PutByIdVariant.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F93B4AA18B92C4D00178A3F /* PutByVariant.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F93B4A818B92C4D00178A3F /* PutByVariant.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0F952AA11DF7860900E06FBD /* VisitRaceKey.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F952AA01DF7860700E06FBD /* VisitRaceKey.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0F952ABD1B487A7700C367C5 /* TrackedReferences.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F952ABB1B487A7700C367C5 /* TrackedReferences.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -2867 +2867 @@
                 0F93329514CA7DC10085F3C6 /* GetByStatus.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = GetByStatus.cpp; sourceTree = "<group>"; };
                 0F93329614CA7DC10085F3C6 /* GetByStatus.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = GetByStatus.h; sourceTree = "<group>"; };
-                0F93329914CA7DC10085F3C6 /* PutByIdStatus.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PutByIdStatus.cpp; sourceTree = "<group>"; };
-                0F93329A14CA7DC10085F3C6 /* PutByIdStatus.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PutByIdStatus.h; sourceTree = "<group>"; };
+                0F93329914CA7DC10085F3C6 /* PutByStatus.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PutByStatus.cpp; sourceTree = "<group>"; };
+                0F93329A14CA7DC10085F3C6 /* PutByStatus.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PutByStatus.h; sourceTree = "<group>"; };
                 0F93329B14CA7DC10085F3C6 /* StructureSet.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = StructureSet.h; sourceTree = "<group>"; };
-                0F93B4A718B92C4D00178A3F /* PutByIdVariant.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PutByIdVariant.cpp; sourceTree = "<group>"; };
-                0F93B4A818B92C4D00178A3F /* PutByIdVariant.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PutByIdVariant.h; sourceTree = "<group>"; };
+                0F93B4A718B92C4D00178A3F /* PutByVariant.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PutByVariant.cpp; sourceTree = "<group>"; };
+                0F93B4A818B92C4D00178A3F /* PutByVariant.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PutByVariant.h; sourceTree = "<group>"; };
                 0F952A9F1DF7860700E06FBD /* VisitRaceKey.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = VisitRaceKey.cpp; sourceTree = "<group>"; };
                 0F952AA01DF7860700E06FBD /* VisitRaceKey.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VisitRaceKey.h; sourceTree = "<group>"; };
@@ -8696 +8696 @@
                                 0F15CD201BA5F9860031FFD3 /* PutByIdFlags.cpp */,
                                 0F15CD211BA5F9860031FFD3 /* PutByIdFlags.h */,
-                                0F93329914CA7DC10085F3C6 /* PutByIdStatus.cpp */,
-                                0F93329A14CA7DC10085F3C6 /* PutByIdStatus.h */,
-                                0F93B4A718B92C4D00178A3F /* PutByIdVariant.cpp */,
-                                0F93B4A818B92C4D00178A3F /* PutByIdVariant.h */,
+                                0F93329914CA7DC10085F3C6 /* PutByStatus.cpp */,
+                                0F93329A14CA7DC10085F3C6 /* PutByStatus.h */,
+                                0F93B4A718B92C4D00178A3F /* PutByVariant.cpp */,
+                                0F93B4A818B92C4D00178A3F /* PutByVariant.h */,
                                 0F9FC8C114E1B5FB00D52AE0 /* PutKind.h */,
                                 0F44A7AD20BF685F0022B171 /* RecordedStatuses.cpp */,
@@ -10507 +10507 @@
                                 0F5780A218FE1E98001E72D9 /* PureNaN.h in Headers */,
                                 0F15CD231BA5F9860031FFD3 /* PutByIdFlags.h in Headers */,
-                                0F9332A414CA7DD90085F3C6 /* PutByIdStatus.h in Headers */,
-                                0F93B4AA18B92C4D00178A3F /* PutByIdVariant.h in Headers */,
+                                0F9332A414CA7DD90085F3C6 /* PutByStatus.h in Headers */,
+                                0F93B4AA18B92C4D00178A3F /* PutByVariant.h in Headers */,
                                 0F0CD4C215F1A6070032F1C0 /* PutDirectIndexMode.h in Headers */,
                                 0F9FC8C514E1B60400D52AE0 /* PutKind.h in Headers */,

trunk/Source/JavaScriptCore/Sources.txt

@@ -270 +270 @@
 bytecode/ProxyableAccessCase.cpp
 bytecode/PutByIdFlags.cpp
-bytecode/PutByIdStatus.cpp
-bytecode/PutByIdVariant.cpp
+bytecode/PutByStatus.cpp
+bytecode/PutByVariant.cpp
 bytecode/RecordedStatuses.cpp
 bytecode/ReduceWhitespace.cpp

trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp

@@ -100 +100 @@
     case IndexedTypedArrayFloat64Load:
     case IndexedStringLoad:
+    case IndexedInt32Store:
+    case IndexedDoubleStore:
+    case IndexedContiguousStore:
+    case IndexedArrayStorageStore:
+    case IndexedTypedArrayInt8Store:
+    case IndexedTypedArrayUint8Store:
+    case IndexedTypedArrayUint8ClampedStore:
+    case IndexedTypedArrayInt16Store:
+    case IndexedTypedArrayUint16Store:
+    case IndexedTypedArrayInt32Store:
+    case IndexedTypedArrayUint32Store:
+    case IndexedTypedArrayFloat32Store:
+    case IndexedTypedArrayFloat64Store:
         RELEASE_ASSERT(!prototypeAccessChain);
         break;
@@ -273 +286 @@
     case IndexedTypedArrayFloat64Load:
     case IndexedStringLoad:
+    case IndexedInt32Store:
+    case IndexedDoubleStore:
+    case IndexedContiguousStore:
+    case IndexedArrayStorageStore:
+    case IndexedTypedArrayInt8Store:
+    case IndexedTypedArrayUint8Store:
+    case IndexedTypedArrayUint8ClampedStore:
+    case IndexedTypedArrayInt16Store:
+    case IndexedTypedArrayUint16Store:
+    case IndexedTypedArrayInt32Store:
+    case IndexedTypedArrayUint32Store:
+    case IndexedTypedArrayFloat32Store:
+    case IndexedTypedArrayFloat64Store:
         return false;
     default:
@@ -327 +353 @@
     case IndexedTypedArrayFloat64Load:
     case IndexedStringLoad:
+    case IndexedInt32Store:
+    case IndexedDoubleStore:
+    case IndexedContiguousStore:
+    case IndexedArrayStorageStore:
+    case IndexedTypedArrayInt8Store:
+    case IndexedTypedArrayUint8Store:
+    case IndexedTypedArrayUint8ClampedStore:
+    case IndexedTypedArrayInt16Store:
+    case IndexedTypedArrayUint16Store:
+    case IndexedTypedArrayInt32Store:
+    case IndexedTypedArrayUint32Store:
+    case IndexedTypedArrayFloat32Store:
+    case IndexedTypedArrayFloat64Store:
         return false;
     }
@@ -379 +418 @@
     case IndexedTypedArrayFloat64Load:
     case IndexedStringLoad:
+    case IndexedInt32Store:
+    case IndexedDoubleStore:
+    case IndexedContiguousStore:
+    case IndexedArrayStorageStore:
+    case IndexedTypedArrayInt8Store:
+    case IndexedTypedArrayUint8Store:
+    case IndexedTypedArrayUint8ClampedStore:
+    case IndexedTypedArrayInt16Store:
+    case IndexedTypedArrayUint16Store:
+    case IndexedTypedArrayInt32Store:
+    case IndexedTypedArrayUint32Store:
+    case IndexedTypedArrayFloat32Store:
+    case IndexedTypedArrayFloat64Store:
         return true;
     }
@@ -426 +478 @@
     case IndexedTypedArrayInt32Load:
     case IndexedStringLoad:
+    case IndexedInt32Store:
+    case IndexedContiguousStore:
+    case IndexedArrayStorageStore:
+    case IndexedTypedArrayInt8Store:
+    case IndexedTypedArrayUint8Store:
+    case IndexedTypedArrayUint8ClampedStore:
+    case IndexedTypedArrayInt16Store:
+    case IndexedTypedArrayUint16Store:
+    case IndexedTypedArrayInt32Store:
         return false;
     case IndexedDoubleLoad:
@@ -431 +492 @@
     case IndexedTypedArrayFloat64Load:
     case IndexedTypedArrayUint32Load:
+    case IndexedDoubleStore:
+    case IndexedTypedArrayUint32Store:
+    case IndexedTypedArrayFloat32Store:
+    case IndexedTypedArrayFloat64Store:
         return true;
     }
@@ -516 +581 @@
     case IndexedTypedArrayFloat64Load:
     case IndexedStringLoad:
+    case IndexedInt32Store:
+    case IndexedDoubleStore:
+    case IndexedContiguousStore:
+    case IndexedArrayStorageStore:
+    case IndexedTypedArrayInt8Store:
+    case IndexedTypedArrayUint8Store:
+    case IndexedTypedArrayUint8ClampedStore:
+    case IndexedTypedArrayInt16Store:
+    case IndexedTypedArrayUint16Store:
+    case IndexedTypedArrayInt32Store:
+    case IndexedTypedArrayUint32Store:
+    case IndexedTypedArrayFloat32Store:
+    case IndexedTypedArrayFloat64Store:
         break;
     }
@@ -570 +648 @@
     case IndexedTypedArrayFloat64Load:
     case IndexedStringLoad:
+    case IndexedInt32Store:
+    case IndexedDoubleStore:
+    case IndexedContiguousStore:
+    case IndexedArrayStorageStore:
+    case IndexedTypedArrayInt8Store:
+    case IndexedTypedArrayUint8Store:
+    case IndexedTypedArrayUint8ClampedStore:
+    case IndexedTypedArrayInt16Store:
+    case IndexedTypedArrayUint16Store:
+    case IndexedTypedArrayInt32Store:
+    case IndexedTypedArrayUint32Store:
+    case IndexedTypedArrayFloat32Store:
+    case IndexedTypedArrayFloat64Store:
         doesCalls = false;
         break;
@@ -651 +742 @@
     case IndexedTypedArrayFloat64Load:
     case IndexedStringLoad:
+    case IndexedInt32Store:
+    case IndexedDoubleStore:
+    case IndexedContiguousStore:
+    case IndexedArrayStorageStore:
+    case IndexedTypedArrayInt8Store:
+    case IndexedTypedArrayUint8Store:
+    case IndexedTypedArrayUint8ClampedStore:
+    case IndexedTypedArrayInt16Store:
+    case IndexedTypedArrayUint16Store:
+    case IndexedTypedArrayInt32Store:
+    case IndexedTypedArrayUint32Store:
+    case IndexedTypedArrayFloat32Store:
+    case IndexedTypedArrayFloat64Store:
         return other.type() == type();
 
@@ -962 +1066 @@
         if (stubInfo.m_stubInfoGPR != InvalidGPRReg)
             allocator.lock(stubInfo.m_stubInfoGPR);
+        ASSERT(stubInfo.m_arrayProfileGPR == InvalidGPRReg);
         allocator.lock(scratchGPR);
         
@@ -1061 +1166 @@
         if (stubInfo.m_stubInfoGPR != InvalidGPRReg)
             allocator.lock(stubInfo.m_stubInfoGPR);
+        ASSERT(stubInfo.m_arrayProfileGPR == InvalidGPRReg);
         allocator.lock(scratchGPR);
         GPRReg scratch2GPR = allocator.allocateScratchGPR();
@@ -1146 +1252 @@
         if (stubInfo.m_stubInfoGPR != InvalidGPRReg)
             allocator.lock(stubInfo.m_stubInfoGPR);
+        ASSERT(stubInfo.m_arrayProfileGPR == InvalidGPRReg);
         allocator.lock(scratchGPR);
         GPRReg scratch2GPR = allocator.allocateScratchGPR();
@@ -1200 +1307 @@
         jit.and32(CCallHelpers::TrustedImm32(IndexingShapeMask), scratchGPR);
 
-        CCallHelpers::Jump isOutOfBounds;
-        CCallHelpers::Jump isEmpty;
-
         ScratchRegisterAllocator allocator(stubInfo.usedRegisters);
         allocator.lock(stubInfo.baseRegs());
@@ -1209 +1313 @@
         if (stubInfo.m_stubInfoGPR != InvalidGPRReg)
             allocator.lock(stubInfo.m_stubInfoGPR);
+        ASSERT(stubInfo.m_arrayProfileGPR == InvalidGPRReg);
         allocator.lock(scratchGPR);
         GPRReg scratch2GPR = allocator.allocateScratchGPR();
@@ -1228 +1333 @@
 
             jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
-            isOutOfBounds = jit.branch32(CCallHelpers::AboveOrEqual, propertyGPR, CCallHelpers::Address(scratchGPR, ArrayStorage::vectorLengthOffset()));
+            failAndIgnore.append(jit.branch32(CCallHelpers::AboveOrEqual, propertyGPR, CCallHelpers::Address(scratchGPR, ArrayStorage::vectorLengthOffset())));
 
             jit.zeroExtend32ToWord(propertyGPR, scratch2GPR);
 #if USE(JSVALUE64)
             jit.loadValue(CCallHelpers::BaseIndex(scratchGPR, scratch2GPR, CCallHelpers::TimesEight, ArrayStorage::vectorOffset()), JSValueRegs(scratchGPR));
-            isEmpty = jit.branchIfEmpty(scratchGPR);
+            failAndIgnore.append(jit.branchIfEmpty(scratchGPR));
             jit.move(scratchGPR, valueRegs.payloadGPR());
 #else
             jit.loadValue(CCallHelpers::BaseIndex(scratchGPR, scratch2GPR, CCallHelpers::TimesEight, ArrayStorage::vectorOffset()), JSValueRegs(scratch3GPR, scratchGPR));
-            isEmpty = jit.branchIfEmpty(scratch3GPR);
+            failAndIgnore.append(jit.branchIfEmpty(scratch3GPR));
             jit.move(scratchGPR, valueRegs.payloadGPR());
             jit.move(scratch3GPR, valueRegs.tagGPR());
@@ -1263 +1368 @@
 
             jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
-            isOutOfBounds = jit.branch32(CCallHelpers::AboveOrEqual, propertyGPR, CCallHelpers::Address(scratchGPR, Butterfly::offsetOfPublicLength()));
+            failAndIgnore.append(jit.branch32(CCallHelpers::AboveOrEqual, propertyGPR, CCallHelpers::Address(scratchGPR, Butterfly::offsetOfPublicLength())));
             jit.zeroExtend32ToWord(propertyGPR, scratch2GPR);
             if (m_type == IndexedDoubleLoad) {
                 RELEASE_ASSERT(state.scratchFPR != InvalidFPRReg);
                 jit.loadDouble(CCallHelpers::BaseIndex(scratchGPR, scratch2GPR, CCallHelpers::TimesEight), state.scratchFPR);
-                isEmpty = jit.branchIfNaN(state.scratchFPR);
+                failAndIgnore.append(jit.branchIfNaN(state.scratchFPR));
                 jit.boxDouble(state.scratchFPR, valueRegs);
             } else {
 #if USE(JSVALUE64)
                 jit.loadValue(CCallHelpers::BaseIndex(scratchGPR, scratch2GPR, CCallHelpers::TimesEight), JSValueRegs(scratchGPR));
-                isEmpty = jit.branchIfEmpty(scratchGPR);
+                failAndIgnore.append(jit.branchIfEmpty(scratchGPR));
                 jit.move(scratchGPR, valueRegs.payloadGPR());
 #else
                 jit.loadValue(CCallHelpers::BaseIndex(scratchGPR, scratch2GPR, CCallHelpers::TimesEight), JSValueRegs(scratch3GPR, scratchGPR));
-                isEmpty = jit.branchIfEmpty(scratch3GPR);
+                failAndIgnore.append(jit.branchIfEmpty(scratch3GPR));
                 jit.move(scratchGPR, valueRegs.payloadGPR());
                 jit.move(scratch3GPR, valueRegs.tagGPR());
@@ -1287 +1392 @@
         state.succeed();
 
-        if (allocator.didReuseRegisters()) {
-            isOutOfBounds.link(&jit);
-            isEmpty.link(&jit);
+        if (allocator.didReuseRegisters() && !failAndIgnore.empty()) {
+            failAndIgnore.link(&jit);
             allocator.restoreReusedRegistersByPopping(jit, preservedState);
             state.failAndIgnore.append(jit.jump());
-        } else {
-            state.failAndIgnore.append(isOutOfBounds);
-            state.failAndIgnore.append(isEmpty);
-        }
-
+        } else
+            state.failAndIgnore.append(failAndIgnore);
         return;
     }
 
-    case InstanceOfHit:
-    case InstanceOfMiss:
-        emitDefaultGuard();
-        
-        fallThrough.append(
-            jit.branchPtr(
-                CCallHelpers::NotEqual, state.u.prototypeGPR,
-                CCallHelpers::TrustedImmPtr(as<InstanceOfAccessCase>().prototype())));
-        break;
-        
-    case InstanceOfGeneric: {
+    case IndexedInt32Store:
+    case IndexedDoubleStore:
+    case IndexedContiguousStore:
+    case IndexedArrayStorageStore: {
         ASSERT(!viaProxy());
-        GPRReg prototypeGPR = state.u.prototypeGPR;
-        // Legend: value = `base instanceof prototypeGPR`.
-        
-        GPRReg valueGPR = valueRegs.payloadGPR();
-        
+        GPRReg propertyGPR = state.u.propertyGPR;
+
+        // int32 check done in polymorphic access.
+        jit.load8(CCallHelpers::Address(baseGPR, JSCell::indexingTypeAndMiscOffset()), scratchGPR);
+        fallThrough.append(jit.branchTest32(CCallHelpers::NonZero, scratchGPR, CCallHelpers::TrustedImm32(CopyOnWrite)));
+        jit.and32(CCallHelpers::TrustedImm32(IndexingShapeMask), scratchGPR);
+
+        CCallHelpers::JumpList isOutOfBounds;
+
         ScratchRegisterAllocator allocator(stubInfo.usedRegisters);
         allocator.lock(stubInfo.baseRegs());
@@ -1323 +1421 @@
         if (stubInfo.m_stubInfoGPR != InvalidGPRReg)
             allocator.lock(stubInfo.m_stubInfoGPR);
+        if (stubInfo.m_arrayProfileGPR != InvalidGPRReg)
+            allocator.lock(stubInfo.m_arrayProfileGPR);
+        allocator.lock(scratchGPR);
+        GPRReg scratch2GPR = allocator.allocateScratchGPR();
+        ScratchRegisterAllocator::PreservedState preservedState;
+
+        CCallHelpers::JumpList failAndIgnore;
+        CCallHelpers::JumpList failAndRepatch;
+        auto preserveReusedRegisters = [&] {
+            preservedState = allocator.preserveReusedRegistersByPushing(jit, ScratchRegisterAllocator::ExtraStackSpace::NoExtraSpace);
+        };
+
+        CCallHelpers::Label storeResult;
+        if (m_type == IndexedArrayStorageStore) {
+            fallThrough.append(jit.branch32(CCallHelpers::NotEqual, scratchGPR, CCallHelpers::TrustedImm32(ArrayStorageShape)));
+
+            preserveReusedRegisters();
+
+            jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
+            failAndIgnore.append(jit.branch32(CCallHelpers::AboveOrEqual, propertyGPR, CCallHelpers::Address(scratchGPR, ArrayStorage::vectorLengthOffset())));
+
+            jit.zeroExtend32ToWord(propertyGPR, scratch2GPR);
+
+#if USE(JSVALUE64)
+            isOutOfBounds.append(jit.branchTest64(CCallHelpers::Zero, CCallHelpers::BaseIndex(scratchGPR, scratch2GPR, CCallHelpers::TimesEight, ArrayStorage::vectorOffset())));
+#else
+            isOutOfBounds.append(jit.branch32(CCallHelpers::Equal, CCallHelpers::BaseIndex(scratchGPR, scratch2GPR, CCallHelpers::TimesEight, ArrayStorage::vectorOffset() + JSValue::offsetOfTag()), CCallHelpers::TrustedImm32(JSValue::EmptyValueTag)));
+#endif
+
+            storeResult = jit.label();
+            jit.storeValue(valueRegs, CCallHelpers::BaseIndex(scratchGPR, scratch2GPR, CCallHelpers::TimesEight, ArrayStorage::vectorOffset()));
+        } else {
+            IndexingType expectedShape;
+            switch (m_type) {
+            case IndexedInt32Store:
+                expectedShape = Int32Shape;
+                break;
+            case IndexedDoubleStore:
+                expectedShape = DoubleShape;
+                break;
+            case IndexedContiguousStore:
+                expectedShape = ContiguousShape;
+                break;
+            default:
+                RELEASE_ASSERT_NOT_REACHED();
+                break;
+            }
+
+            fallThrough.append(jit.branch32(CCallHelpers::NotEqual, scratchGPR, CCallHelpers::TrustedImm32(expectedShape)));
+
+            preserveReusedRegisters();
+
+            jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
+            isOutOfBounds.append(jit.branch32(CCallHelpers::AboveOrEqual, propertyGPR, CCallHelpers::Address(scratchGPR, Butterfly::offsetOfPublicLength())));
+            storeResult = jit.label();
+            switch (m_type) {
+            case IndexedDoubleStore: {
+                RELEASE_ASSERT(state.scratchFPR != InvalidFPRReg);
+                auto notInt = jit.branchIfNotInt32(valueRegs);
+                jit.convertInt32ToDouble(valueRegs.payloadGPR(), state.scratchFPR);
+                auto ready = jit.jump();
+                notInt.link(&jit);
+#if USE(JSVALUE64)
+                jit.unboxDoubleWithoutAssertions(valueRegs.payloadGPR(), scratch2GPR, state.scratchFPR);
+                failAndRepatch.append(jit.branchIfNaN(state.scratchFPR));
+#else
+                failAndRepatch.append(jit.branch32(CCallHelpers::Above, valueRegs.tagGPR(), CCallHelpers::TrustedImm32(JSValue::LowestTag)));
+                jit.unboxDouble(valueRegs, state.scratchFPR);
+#endif
+                ready.link(&jit);
+
+                jit.zeroExtend32ToWord(propertyGPR, scratch2GPR);
+                jit.storeDouble(state.scratchFPR, CCallHelpers::BaseIndex(scratchGPR, scratch2GPR, CCallHelpers::TimesEight));
+                break;
+            }
+            case IndexedInt32Store:
+                jit.zeroExtend32ToWord(propertyGPR, scratch2GPR);
+                failAndRepatch.append(jit.branchIfNotInt32(valueRegs));
+                jit.storeValue(valueRegs, CCallHelpers::BaseIndex(scratchGPR, scratch2GPR, CCallHelpers::TimesEight));
+                break;
+            case IndexedContiguousStore:
+                jit.zeroExtend32ToWord(propertyGPR, scratch2GPR);
+                jit.storeValue(valueRegs, CCallHelpers::BaseIndex(scratchGPR, scratch2GPR, CCallHelpers::TimesEight));
+                // WriteBarrier must be emitted in the embedder side.
+                break;
+            default:
+                RELEASE_ASSERT_NOT_REACHED();
+                break;
+            }
+        }
+
+        allocator.restoreReusedRegistersByPopping(jit, preservedState);
+        state.succeed();
+
+        if (m_type == IndexedArrayStorageStore) {
+            isOutOfBounds.link(&jit);
+            if (stubInfo.m_arrayProfileGPR != InvalidGPRReg)
+                jit.store8(CCallHelpers::TrustedImm32(1), CCallHelpers::Address(stubInfo.m_arrayProfileGPR, ArrayProfile::offsetOfMayStoreToHole()));
+            jit.add32(CCallHelpers::TrustedImm32(1), CCallHelpers::Address(scratchGPR, ArrayStorage::numValuesInVectorOffset()));
+            jit.branch32(CCallHelpers::Below, scratch2GPR, CCallHelpers::Address(scratchGPR, ArrayStorage::lengthOffset())).linkTo(storeResult, &jit);
+
+            jit.add32(CCallHelpers::TrustedImm32(1), scratch2GPR);
+            jit.store32(scratch2GPR, CCallHelpers::Address(scratchGPR, ArrayStorage::lengthOffset()));
+            jit.sub32(CCallHelpers::TrustedImm32(1), scratch2GPR);
+            jit.jump().linkTo(storeResult, &jit);
+        } else {
+            isOutOfBounds.link(&jit);
+            failAndIgnore.append(jit.branch32(CCallHelpers::AboveOrEqual, propertyGPR, CCallHelpers::Address(scratchGPR, Butterfly::offsetOfVectorLength())));
+            if (stubInfo.m_arrayProfileGPR != InvalidGPRReg)
+                jit.store8(CCallHelpers::TrustedImm32(1), CCallHelpers::Address(stubInfo.m_arrayProfileGPR, ArrayProfile::offsetOfMayStoreToHole()));
+            jit.add32(CCallHelpers::TrustedImm32(1), propertyGPR, scratch2GPR);
+            jit.store32(scratch2GPR, CCallHelpers::Address(scratchGPR, Butterfly::offsetOfPublicLength()));
+            jit.jump().linkTo(storeResult, &jit);
+
+        }
+
+        if (allocator.didReuseRegisters()) {
+            if (!failAndIgnore.empty()) {
+                failAndIgnore.link(&jit);
+                allocator.restoreReusedRegistersByPopping(jit, preservedState);
+                state.failAndIgnore.append(jit.jump());
+            }
+            if (!failAndRepatch.empty()) {
+                failAndRepatch.link(&jit);
+                allocator.restoreReusedRegistersByPopping(jit, preservedState);
+                state.failAndRepatch.append(jit.jump());
+            }
+        } else {
+            state.failAndIgnore.append(failAndIgnore);
+            state.failAndRepatch.append(failAndRepatch);
+        }
+        return;
+    }
+
+    case IndexedTypedArrayInt8Store:
+    case IndexedTypedArrayUint8Store:
+    case IndexedTypedArrayUint8ClampedStore:
+    case IndexedTypedArrayInt16Store:
+    case IndexedTypedArrayUint16Store:
+    case IndexedTypedArrayInt32Store:
+    case IndexedTypedArrayUint32Store:
+    case IndexedTypedArrayFloat32Store:
+    case IndexedTypedArrayFloat64Store: {
+        ASSERT(!viaProxy());
+        // This code is written such that the result could alias with the base or the property.
+
+        TypedArrayType type = toTypedArrayType(m_type);
+
+        GPRReg propertyGPR = state.u.propertyGPR;
+
+        jit.load8(CCallHelpers::Address(baseGPR, JSCell::typeInfoTypeOffset()), scratchGPR);
+        fallThrough.append(jit.branch32(CCallHelpers::NotEqual, scratchGPR, CCallHelpers::TrustedImm32(typeForTypedArrayType(type))));
+
+        if (isInt(type))
+            state.failAndRepatch.append(jit.branchIfNotInt32(valueRegs));
+        else {
+            ASSERT(isFloat(type));
+            RELEASE_ASSERT(state.scratchFPR != InvalidFPRReg);
+            auto doubleCase = jit.branchIfNotInt32(valueRegs);
+            jit.convertInt32ToDouble(valueRegs.payloadGPR(), state.scratchFPR);
+            auto ready = jit.jump();
+            doubleCase.link(&jit);
+#if USE(JSVALUE64)
+            state.failAndRepatch.append(jit.branchIfNotNumber(valueRegs.payloadGPR()));
+            jit.unboxDoubleWithoutAssertions(valueRegs.payloadGPR(), scratchGPR, state.scratchFPR);
+#else
+            state.failAndRepatch.append(jit.branch32(CCallHelpers::Above, valueRegs.tagGPR(), CCallHelpers::TrustedImm32(JSValue::LowestTag)));
+            jit.unboxDouble(valueRegs, state.scratchFPR);
+#endif
+            ready.link(&jit);
+        }
+
+        jit.load32(CCallHelpers::Address(baseGPR, JSArrayBufferView::offsetOfLength()), scratchGPR);
+        // OutOfBounds bit of ArrayProfile will be set in the operation function.
+        state.failAndRepatch.append(jit.branch32(CCallHelpers::AboveOrEqual, propertyGPR, scratchGPR));
+
+        ScratchRegisterAllocator allocator(stubInfo.usedRegisters);
+        allocator.lock(stubInfo.baseRegs());
+        allocator.lock(valueRegs);
+        allocator.lock(stubInfo.propertyRegs());
+        if (stubInfo.m_stubInfoGPR != InvalidGPRReg)
+            allocator.lock(stubInfo.m_stubInfoGPR);
+        if (stubInfo.m_arrayProfileGPR != InvalidGPRReg)
+            allocator.lock(stubInfo.m_arrayProfileGPR);
+        allocator.lock(scratchGPR);
+        GPRReg scratch2GPR = allocator.allocateScratchGPR();
+        GPRReg scratch3GPR = InvalidGPRReg;
+        if (isClamped(type))
+            scratch3GPR = allocator.allocateScratchGPR();
+
+        ScratchRegisterAllocator::PreservedState preservedState = allocator.preserveReusedRegistersByPushing(
+            jit, ScratchRegisterAllocator::ExtraStackSpace::NoExtraSpace);
+
+        jit.loadPtr(CCallHelpers::Address(baseGPR, JSArrayBufferView::offsetOfVector()), scratch2GPR);
+        jit.cageConditionallyAndUntag(Gigacage::Primitive, scratch2GPR, scratchGPR, scratchGPR, false);
+
+        jit.signExtend32ToPtr(propertyGPR, scratchGPR);
+        if (isInt(type)) {
+            if (isClamped(type)) {
+                ASSERT(elementSize(type) == 1);
+                ASSERT(!JSC::isSigned(type));
+                jit.move(valueRegs.payloadGPR(), scratch3GPR);
+                auto inBounds = jit.branch32(CCallHelpers::BelowOrEqual, scratch3GPR, CCallHelpers::TrustedImm32(0xff));
+                auto tooBig = jit.branch32(CCallHelpers::GreaterThan, scratch3GPR, CCallHelpers::TrustedImm32(0xff));
+                jit.xor32(scratch3GPR, scratch3GPR);
+                auto clamped = jit.jump();
+                tooBig.link(&jit);
+                jit.move(CCallHelpers::TrustedImm32(0xff), scratch3GPR);
+                clamped.link(&jit);
+                inBounds.link(&jit);
+                jit.store8(scratch3GPR, CCallHelpers::BaseIndex(scratch2GPR, scratchGPR, CCallHelpers::TimesOne));
+            } else {
+                switch (elementSize(type)) {
+                case 1:
+                    jit.store8(valueRegs.payloadGPR(), CCallHelpers::BaseIndex(scratch2GPR, scratchGPR, CCallHelpers::TimesOne));
+                    break;
+                case 2:
+                    jit.store16(valueRegs.payloadGPR(), CCallHelpers::BaseIndex(scratch2GPR, scratchGPR, CCallHelpers::TimesTwo));
+                    break;
+                case 4:
+                    jit.store32(valueRegs.payloadGPR(), CCallHelpers::BaseIndex(scratch2GPR, scratchGPR, CCallHelpers::TimesFour));
+                    break;
+                default:
+                    CRASH();
+                }
+            }
+        } else {
+            ASSERT(isFloat(type));
+            RELEASE_ASSERT(state.scratchFPR != InvalidFPRReg);
+            switch (elementSize(type)) {
+            case 4:
+                jit.convertDoubleToFloat(state.scratchFPR, state.scratchFPR);
+                jit.storeFloat(state.scratchFPR, CCallHelpers::BaseIndex(scratch2GPR, scratchGPR, CCallHelpers::TimesFour));
+                break;
+            case 8: {
+                jit.storeDouble(state.scratchFPR, CCallHelpers::BaseIndex(scratch2GPR, scratchGPR, CCallHelpers::TimesEight));
+                break;
+            }
+            default:
+                CRASH();
+            }
+        }
+
+        allocator.restoreReusedRegistersByPopping(jit, preservedState);
+        state.succeed();
+        return;
+    }
+
+    case InstanceOfHit:
+    case InstanceOfMiss:
+        emitDefaultGuard();
+        
+        fallThrough.append(
+            jit.branchPtr(
+                CCallHelpers::NotEqual, state.u.prototypeGPR,
+                CCallHelpers::TrustedImmPtr(as<InstanceOfAccessCase>().prototype())));
+        break;
+        
+    case InstanceOfGeneric: {
+        ASSERT(!viaProxy());
+        GPRReg prototypeGPR = state.u.prototypeGPR;
+        // Legend: value = `base instanceof prototypeGPR`.
+        
+        GPRReg valueGPR = valueRegs.payloadGPR();
+        
+        ScratchRegisterAllocator allocator(stubInfo.usedRegisters);
+        allocator.lock(stubInfo.baseRegs());
+        allocator.lock(valueRegs);
+        allocator.lock(stubInfo.propertyRegs());
+        if (stubInfo.m_stubInfoGPR != InvalidGPRReg)
+            allocator.lock(stubInfo.m_stubInfoGPR);
+        ASSERT(stubInfo.m_arrayProfileGPR == InvalidGPRReg);
         allocator.lock(scratchGPR);
         
@@ -1895 +2265 @@
         allocator.lock(stubInfo.baseRegs());
         allocator.lock(valueRegs);
+        if (stubInfo.propertyRegs())
+            allocator.lock(stubInfo.propertyRegs());
         if (stubInfo.m_stubInfoGPR != InvalidGPRReg)
             allocator.lock(stubInfo.m_stubInfoGPR);
+        if (stubInfo.m_arrayProfileGPR != InvalidGPRReg)
+            allocator.lock(stubInfo.m_arrayProfileGPR);
         allocator.lock(scratchGPR);
 
@@ -2059 +2433 @@
         if (stubInfo.m_stubInfoGPR != InvalidGPRReg)
             allocator.lock(stubInfo.m_stubInfoGPR);
+        ASSERT(stubInfo.m_arrayProfileGPR == InvalidGPRReg);
         allocator.lock(scratchGPR);
         ASSERT(structure()->transitionWatchpointSetHasBeenInvalidated());
@@ -2184 +2559 @@
     case IndexedStringLoad:
     case CheckPrivateBrand:
+    case IndexedInt32Store:
+    case IndexedDoubleStore:
+    case IndexedContiguousStore:
+    case IndexedArrayStorageStore:
+    case IndexedTypedArrayInt8Store:
+    case IndexedTypedArrayUint8Store:
+    case IndexedTypedArrayUint8ClampedStore:
+    case IndexedTypedArrayInt16Store:
+    case IndexedTypedArrayUint16Store:
+    case IndexedTypedArrayInt32Store:
+    case IndexedTypedArrayUint32Store:
+    case IndexedTypedArrayFloat32Store:
+    case IndexedTypedArrayFloat64Store:
         // These need to be handled by generateWithGuard(), since the guard is part of the
         // algorithm. We can be sure that nobody will call generate() directly for these since they
@@ -2197 +2585 @@
     switch (accessType) {
     case IndexedTypedArrayInt8Load:
+    case IndexedTypedArrayInt8Store:
         return TypeInt8;
     case IndexedTypedArrayUint8Load:
+    case IndexedTypedArrayUint8Store:
         return TypeUint8;
     case IndexedTypedArrayUint8ClampedLoad:
+    case IndexedTypedArrayUint8ClampedStore:
         return TypeUint8Clamped;
     case IndexedTypedArrayInt16Load:
+    case IndexedTypedArrayInt16Store:
         return TypeInt16;
     case IndexedTypedArrayUint16Load:
+    case IndexedTypedArrayUint16Store:
         return TypeUint16;
     case IndexedTypedArrayInt32Load:
+    case IndexedTypedArrayInt32Store:
         return TypeInt32;
     case IndexedTypedArrayUint32Load:
+    case IndexedTypedArrayUint32Store:
         return TypeUint32;
     case IndexedTypedArrayFloat32Load:
+    case IndexedTypedArrayFloat32Store:
         return TypeFloat32;
     case IndexedTypedArrayFloat64Load:
+    case IndexedTypedArrayFloat64Store:
         return TypeFloat64;
     default:
@@ -2285 +2682 @@
     case IndexedTypedArrayFloat32Load:
     case IndexedTypedArrayFloat64Load:
+    case IndexedInt32Store:
+    case IndexedDoubleStore:
+    case IndexedContiguousStore:
+    case IndexedArrayStorageStore:
+    case IndexedTypedArrayInt8Store:
+    case IndexedTypedArrayUint8Store:
+    case IndexedTypedArrayUint8ClampedStore:
+    case IndexedTypedArrayInt16Store:
+    case IndexedTypedArrayUint16Store:
+    case IndexedTypedArrayInt32Store:
+    case IndexedTypedArrayUint32Store:
+    case IndexedTypedArrayFloat32Store:
+    case IndexedTypedArrayFloat64Store:
     case IndexedStringLoad:
     case InstanceOfGeneric:

trunk/Source/JavaScriptCore/bytecode/AccessCase.h

@@ -129 +129 @@
         IndexedTypedArrayFloat32Load,
         IndexedTypedArrayFloat64Load,
-        IndexedStringLoad
+        IndexedStringLoad,
+        IndexedInt32Store,
+        IndexedDoubleStore,
+        IndexedContiguousStore,
+        IndexedArrayStorageStore,
+        IndexedTypedArrayInt8Store,
+        IndexedTypedArrayUint8Store,
+        IndexedTypedArrayUint8ClampedStore,
+        IndexedTypedArrayInt16Store,
+        IndexedTypedArrayUint16Store,
+        IndexedTypedArrayInt32Store,
+        IndexedTypedArrayUint32Store,
+        IndexedTypedArrayFloat32Store,
+        IndexedTypedArrayFloat64Store,
     };
 
@@ -354 +367 @@
             Key() = default;
 
-            Key(GPRReg baseGPR, GPRReg valueGPR, GPRReg extraGPR, GPRReg stubInfoGPR, RegisterSet usedRegisters, PolymorphicAccessJITStubRoutine* wrapped)
+            Key(GPRReg baseGPR, GPRReg valueGPR, GPRReg extraGPR, GPRReg stubInfoGPR, GPRReg arrayProfileGPR, RegisterSet usedRegisters, PolymorphicAccessJITStubRoutine* wrapped)
                 : m_wrapped(wrapped)
                 , m_baseGPR(baseGPR)
@@ -360 +373 @@
                 , m_extraGPR(extraGPR)
                 , m_stubInfoGPR(stubInfoGPR)
+                , m_arrayProfileGPR(arrayProfileGPR)
                 , m_usedRegisters(usedRegisters)
             { }
@@ -376 +390 @@
                     && a.m_extraGPR == b.m_extraGPR
                     && a.m_stubInfoGPR == b.m_stubInfoGPR
+                    && a.m_arrayProfileGPR == b.m_arrayProfileGPR
                     && a.m_usedRegisters == b.m_usedRegisters;
             }
@@ -384 +399 @@
             GPRReg m_extraGPR;
             GPRReg m_stubInfoGPR;
+            GPRReg m_arrayProfileGPR;
             RegisterSet m_usedRegisters;
         };
@@ -417 +433 @@
                     && a.m_extraGPR == b.m_extraGPR
                     && a.m_stubInfoGPR == b.m_stubInfoGPR
+                    && a.m_arrayProfileGPR == b.m_arrayProfileGPR
                     && a.m_usedRegisters == b.m_usedRegisters) {
                     // FIXME: The ordering of cases does not matter for sharing capabilities.
@@ -446 +463 @@
         GPRReg m_extraGPR;
         GPRReg m_stubInfoGPR;
+        GPRReg m_arrayProfileGPR;
         RegisterSet m_usedRegisters;
         const FixedVector<RefPtr<AccessCase>>& m_cases;

trunk/Source/JavaScriptCore/bytecode/ArrayProfile.h

@@ -209 +209 @@
     bool* addressOfMayStoreToHole() { return &m_mayStoreToHole; }
 
+    static ptrdiff_t offsetOfMayStoreToHole() { return OBJECT_OFFSETOF(ArrayProfile, m_mayStoreToHole); }
+    static ptrdiff_t offsetOfLastSeenStructureID() { return OBJECT_OFFSETOF(ArrayProfile, m_lastSeenStructureID); }
+
     void setOutOfBounds() { m_outOfBounds = true; }
     bool* addressOfOutOfBounds() { return &m_outOfBounds; }

trunk/Source/JavaScriptCore/bytecode/GetterSetterAccessCase.cpp

@@ -142 +142 @@
     if (stubInfo.m_stubInfoGPR != InvalidGPRReg)
         allocator.lock(stubInfo.m_stubInfoGPR);
+    ASSERT(stubInfo.m_arrayProfileGPR == InvalidGPRReg);
     allocator.lock(scratchGPR);
 

trunk/Source/JavaScriptCore/bytecode/ICStatusMap.h

@@ -37 +37 @@
 class GetByStatus;
 class InByStatus;
-class PutByIdStatus;
+class PutByStatus;
 class DeleteByStatus;
 class StructureStubInfo;
@@ -49 +49 @@
     GetByStatus* getStatus { nullptr };
     InByStatus* inStatus { nullptr };
-    PutByIdStatus* putStatus { nullptr };
+    PutByStatus* putStatus { nullptr };
     DeleteByStatus* deleteStatus { nullptr };
 };

trunk/Source/JavaScriptCore/bytecode/InlineAccess.cpp

@@ -217 +217 @@
     allocator.lock(stubInfo.valueTagGPR);
 #endif
+    if (stubInfo.propertyRegs())
+        allocator.lock(stubInfo.propertyRegs());
     if (stubInfo.m_stubInfoGPR != InvalidGPRReg)
         allocator.lock(stubInfo.m_stubInfoGPR);
+    if (stubInfo.m_arrayProfileGPR != InvalidGPRReg)
+        allocator.lock(stubInfo.m_arrayProfileGPR);
     GPRReg scratch = allocator.allocateScratchGPR();
     if (allocator.didReuseRegisters())

trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp

@@ -495 +495 @@
     if (stubInfo.m_stubInfoGPR != InvalidGPRReg)
         allocator.lock(stubInfo.m_stubInfoGPR);
+    if (stubInfo.m_arrayProfileGPR != InvalidGPRReg)
+        allocator.lock(stubInfo.m_arrayProfileGPR);
 
     state.scratchGPR = allocator.allocateScratchGPR();
@@ -811 +813 @@
             stubInfo.regs.thisGPR,
             stubInfo.m_stubInfoGPR,
+            stubInfo.m_arrayProfileGPR,
             stubInfo.usedRegisters,
             keys,
@@ -847 +850 @@
     if (codeBlock->useDataIC()) {
         if (canBeShared)
-            vm.m_sharedJITStubs->add(SharedJITStubSet::Hash::Key(stubInfo.baseGPR, stubInfo.valueGPR, stubInfo.regs.thisGPR, stubInfo.m_stubInfoGPR, stubInfo.usedRegisters, stub.get()));
+            vm.m_sharedJITStubs->add(SharedJITStubSet::Hash::Key(stubInfo.baseGPR, stubInfo.valueGPR, stubInfo.regs.thisGPR, stubInfo.m_stubInfoGPR, stubInfo.m_arrayProfileGPR, stubInfo.usedRegisters, stub.get()));
     }
 
@@ -1023 +1026 @@
         out.print("IndexedStringLoad");
         return;
+    case AccessCase::IndexedInt32Store:
+        out.print("IndexedInt32Store");
+        return;
+    case AccessCase::IndexedDoubleStore:
+        out.print("IndexedDoubleStore");
+        return;
+    case AccessCase::IndexedContiguousStore:
+        out.print("IndexedContiguousStore");
+        return;
+    case AccessCase::IndexedArrayStorageStore:
+        out.print("IndexedArrayStorageStore");
+        return;
+    case AccessCase::IndexedTypedArrayInt8Store:
+        out.print("IndexedTypedArrayInt8Store");
+        return;
+    case AccessCase::IndexedTypedArrayUint8Store:
+        out.print("IndexedTypedArrayUint8Store");
+        return;
+    case AccessCase::IndexedTypedArrayUint8ClampedStore:
+        out.print("IndexedTypedArrayUint8ClampedStore");
+        return;
+    case AccessCase::IndexedTypedArrayInt16Store:
+        out.print("IndexedTypedArrayInt16Store");
+        return;
+    case AccessCase::IndexedTypedArrayUint16Store:
+        out.print("IndexedTypedArrayUint16Store");
+        return;
+    case AccessCase::IndexedTypedArrayInt32Store:
+        out.print("IndexedTypedArrayInt32Store");
+        return;
+    case AccessCase::IndexedTypedArrayUint32Store:
+        out.print("IndexedTypedArrayUint32Store");
+        return;
+    case AccessCase::IndexedTypedArrayFloat32Store:
+        out.print("IndexedTypedArrayFloat32Store");
+        return;
+    case AccessCase::IndexedTypedArrayFloat64Store:
+        out.print("IndexedTypedArrayFloat64Store");
+        return;
     }
 

trunk/Source/JavaScriptCore/bytecode/PutByStatus.cpp

@@ -25 +25 @@
 
 #include "config.h"
-#include "PutByIdStatus.h"
+#include "PutByStatus.h"
 
 #include "BytecodeStructs.h"
@@ -39 +39 @@
 namespace JSC {
 
-bool PutByIdStatus::appendVariant(const PutByIdVariant& variant)
+bool PutByStatus::appendVariant(const PutByVariant& variant)
 {
     return appendICStatusVariant(m_variants, variant);
 }
 
-void PutByIdStatus::shrinkToFit()
+void PutByStatus::shrinkToFit()
 {
     m_variants.shrinkToFit();
 }
 
-PutByIdStatus PutByIdStatus::computeFromLLInt(CodeBlock* profiledBlock, BytecodeIndex bytecodeIndex, UniquedStringImpl* uid)
+PutByStatus PutByStatus::computeFromLLInt(CodeBlock* profiledBlock, BytecodeIndex bytecodeIndex)
 {
     VM& vm = profiledBlock->vm();
@@ -55 +55 @@
     auto instruction = profiledBlock->instructions().at(bytecodeIndex.offset());
 
-    // We are not yet using `computeFromLLInt` in any place for `put_private_name`.
-    // We can add support for it if this is required in future changes, since we have
-    // IC implemented for this operation on LLInt.
-    ASSERT(!instruction->is<OpPutPrivateName>());
+    switch (instruction->opcodeID()) {
+    case op_put_by_id:
+        break;
+    case op_put_by_val:
+    case op_put_by_val_direct:
+        return PutByStatus(NoInformation);
+    case op_put_private_name:
+        // We do no have a code retrieving LLInt information for `op_put_private_name`.
+        // We can add support for it if this is required in future changes, since we have
+        // IC implemented for this operation on LLInt.
+        return PutByStatus(NoInformation);
+    default: {
+        RELEASE_ASSERT_NOT_REACHED();
+        break;
+    }
+    }
 
     auto bytecode = instruction->as<OpPutById>();
     auto& metadata = bytecode.metadata(profiledBlock);
+    const Identifier* identifier = &(profiledBlock->identifier(bytecode.m_property));
+    UniquedStringImpl* uid = identifier->impl();
 
     StructureID structureID = metadata.m_oldStructureID;
     if (!structureID)
-        return PutByIdStatus(NoInformation);
+        return PutByStatus(NoInformation);
     
     Structure* structure = vm.heap.structureIDTable().get(structureID);
@@ -73 +87 @@
         PropertyOffset offset = structure->getConcurrently(uid);
         if (!isValidOffset(offset))
-            return PutByIdStatus(NoInformation);
-        
-        return PutByIdVariant::replace(structure, offset);
+            return PutByStatus(NoInformation);
+        
+        return PutByVariant::replace(nullptr, structure, offset);
     }
 
@@ -84 +98 @@
     PropertyOffset offset = newStructure->getConcurrently(uid);
     if (!isValidOffset(offset))
-        return PutByIdStatus(NoInformation);
+        return PutByStatus(NoInformation);
     
     ObjectPropertyConditionSet conditionSet;
@@ -92 +106 @@
                 vm, profiledBlock->globalObject(), structure, uid);
         if (!conditionSet.isValid())
-            return PutByIdStatus(NoInformation);
-    }
-    
-    return PutByIdVariant::transition(
-        structure, newStructure, conditionSet, offset);
+            return PutByStatus(NoInformation);
+    }
+    
+    return PutByVariant::transition(nullptr, structure, newStructure, conditionSet, offset);
 }
 
 #if ENABLE(JIT)
-PutByIdStatus PutByIdStatus::computeFor(CodeBlock* profiledBlock, ICStatusMap& map, BytecodeIndex bytecodeIndex, UniquedStringImpl* uid, ExitFlag didExit, CallLinkStatus::ExitSiteData callExitSiteData)
+PutByStatus::PutByStatus(StubInfoSummary summary, StructureStubInfo& stubInfo)
+{
+    switch (summary) {
+    case StubInfoSummary::NoInformation:
+        m_state = NoInformation;
+        return;
+    case StubInfoSummary::Simple:
+    case StubInfoSummary::MakesCalls:
+        RELEASE_ASSERT_NOT_REACHED();
+        return;
+    case StubInfoSummary::TakesSlowPath:
+        m_state = stubInfo.tookSlowPath ? ObservedTakesSlowPath : LikelyTakesSlowPath;
+        return;
+    case StubInfoSummary::TakesSlowPathAndMakesCalls:
+        m_state = stubInfo.tookSlowPath ? ObservedSlowPathAndMakesCalls : MakesCalls;
+        return;
+    }
+    RELEASE_ASSERT_NOT_REACHED();
+}
+
+PutByStatus PutByStatus::computeFor(CodeBlock* profiledBlock, ICStatusMap& map, BytecodeIndex bytecodeIndex, ExitFlag didExit, CallLinkStatus::ExitSiteData callExitSiteData)
 {
     ConcurrentJSLocker locker(profiledBlock->m_lock);
@@ -106 +139 @@
     UNUSED_PARAM(profiledBlock);
     UNUSED_PARAM(bytecodeIndex);
-    UNUSED_PARAM(uid);
 #if ENABLE(DFG_JIT)
     if (didExit)
-        return PutByIdStatus(TakesSlowPath);
+        return PutByStatus(LikelyTakesSlowPath);
     
     StructureStubInfo* stubInfo = map.get(CodeOrigin(bytecodeIndex)).stubInfo;
-    PutByIdStatus result = computeForStubInfo(
-        locker, profiledBlock, stubInfo, uid, callExitSiteData);
+    PutByStatus result = computeForStubInfo(
+        locker, profiledBlock, stubInfo, callExitSiteData);
     if (!result)
-        return computeFromLLInt(profiledBlock, bytecodeIndex, uid);
+        return computeFromLLInt(profiledBlock, bytecodeIndex);
     
     return result;
@@ -122 +154 @@
     UNUSED_PARAM(didExit);
     UNUSED_PARAM(callExitSiteData);
-    return PutByIdStatus(NoInformation);
+    return PutByStatus(NoInformation);
 #endif // ENABLE(JIT)
 }
 
-PutByIdStatus PutByIdStatus::computeForStubInfo(const ConcurrentJSLocker& locker, CodeBlock* baselineBlock, StructureStubInfo* stubInfo, CodeOrigin codeOrigin, UniquedStringImpl* uid)
+PutByStatus PutByStatus::computeForStubInfo(const ConcurrentJSLocker& locker, CodeBlock* baselineBlock, StructureStubInfo* stubInfo, CodeOrigin codeOrigin)
 {
     return computeForStubInfo(
-        locker, baselineBlock, stubInfo, uid,
+        locker, baselineBlock, stubInfo,
         CallLinkStatus::computeExitSiteData(baselineBlock, codeOrigin.bytecodeIndex()));
 }
 
-PutByIdStatus PutByIdStatus::computeForStubInfo(
-    const ConcurrentJSLocker& locker, CodeBlock* profiledBlock, StructureStubInfo* stubInfo,
-    UniquedStringImpl* uid, CallLinkStatus::ExitSiteData callExitSiteData)
+PutByStatus PutByStatus::computeForStubInfo(const ConcurrentJSLocker& locker, CodeBlock* profiledBlock, StructureStubInfo* stubInfo, CallLinkStatus::ExitSiteData callExitSiteData)
 {
     StubInfoSummary summary = StructureStubInfo::summary(profiledBlock->vm(), stubInfo);
     if (!isInlineable(summary))
-        return PutByIdStatus(summary);
+        return PutByStatus(summary, *stubInfo);
     
     switch (stubInfo->cacheType()) {
     case CacheType::Unset:
         // This means that we attempted to cache but failed for some reason.
-        return PutByIdStatus(JSC::slowVersion(summary));
+        return PutByStatus(JSC::slowVersion(summary), *stubInfo);
         
     case CacheType::PutByIdReplace: {
+        CacheableIdentifier identifier = stubInfo->identifier();
+        UniquedStringImpl* uid = identifier.uid();
+        RELEASE_ASSERT(uid);
         PropertyOffset offset =
             stubInfo->m_inlineAccessBaseStructure->getConcurrently(uid);
-        if (isValidOffset(offset)) {
-            return PutByIdVariant::replace(
-                stubInfo->m_inlineAccessBaseStructure.get(), offset);
-        }
-        return PutByIdStatus(JSC::slowVersion(summary));
+        if (isValidOffset(offset))
+            return PutByVariant::replace(WTFMove(identifier), stubInfo->m_inlineAccessBaseStructure.get(), offset);
+        return PutByStatus(JSC::slowVersion(summary), *stubInfo);
     }
         
@@ -159 +190 @@
         PolymorphicAccess* list = stubInfo->u.stub;
         
-        PutByIdStatus result;
+        PutByStatus result;
         result.m_state = Simple;
         
@@ -165 +196 @@
             const AccessCase& access = list->at(i);
             if (access.viaProxy())
-                return PutByIdStatus(JSC::slowVersion(summary));
+                return PutByStatus(JSC::slowVersion(summary), *stubInfo);
             if (access.usesPolyProto())
-                return PutByIdStatus(JSC::slowVersion(summary));
-            
-            PutByIdVariant variant;
+                return PutByStatus(JSC::slowVersion(summary), *stubInfo);
             
             switch (access.type()) {
             case AccessCase::Replace: {
                 Structure* structure = access.structure();
-                PropertyOffset offset = structure->getConcurrently(uid);
+                PropertyOffset offset = structure->getConcurrently(access.uid());
                 if (!isValidOffset(offset))
-                    return PutByIdStatus(JSC::slowVersion(summary));
-                variant = PutByIdVariant::replace(
-                    structure, offset);
+                    return PutByStatus(JSC::slowVersion(summary), *stubInfo);
+                auto variant = PutByVariant::replace(access.identifier(), structure, offset);
+                if (!result.appendVariant(variant))
+                    return PutByStatus(JSC::slowVersion(summary), *stubInfo);
                 break;
             }
                 
             case AccessCase::Transition: {
-                PropertyOffset offset =
-                    access.newStructure()->getConcurrently(uid);
+                PropertyOffset offset = access.newStructure()->getConcurrently(access.uid());
                 if (!isValidOffset(offset))
-                    return PutByIdStatus(JSC::slowVersion(summary));
+                    return PutByStatus(JSC::slowVersion(summary), *stubInfo);
                 ObjectPropertyConditionSet conditionSet = access.conditionSet();
                 if (!conditionSet.structuresEnsureValidity())
-                    return PutByIdStatus(JSC::slowVersion(summary));
-                variant = PutByIdVariant::transition(
-                    access.structure(), access.newStructure(), conditionSet, offset);
+                    return PutByStatus(JSC::slowVersion(summary), *stubInfo);
+                auto variant = PutByVariant::transition(access.identifier(), access.structure(), access.newStructure(), conditionSet, offset);
+                if (!result.appendVariant(variant))
+                    return PutByStatus(JSC::slowVersion(summary), *stubInfo);
                 break;
             }
@@ -198 +228 @@
                 Structure* structure = access.structure();
                 
-                ComplexGetStatus complexGetStatus = ComplexGetStatus::computeFor(
-                    structure, access.conditionSet(), uid);
+                ComplexGetStatus complexGetStatus = ComplexGetStatus::computeFor(structure, access.conditionSet(), access.uid());
                 
                 switch (complexGetStatus.kind()) {
@@ -206 +235 @@
                     
                 case ComplexGetStatus::TakesSlowPath:
-                    return PutByIdStatus(JSC::slowVersion(summary));
+                    return PutByStatus(JSC::slowVersion(summary), *stubInfo);
                     
                 case ComplexGetStatus::Inlineable: {
@@ -216 +245 @@
                     }
                     
-                    variant = PutByIdVariant::setter(
-                        structure, complexGetStatus.offset(), complexGetStatus.conditionSet(),
-                        WTFMove(callLinkStatus));
-                } }
+                    auto variant = PutByVariant::setter(access.identifier(), structure, complexGetStatus.offset(), complexGetStatus.conditionSet(), WTFMove(callLinkStatus));
+                    if (!result.appendVariant(variant))
+                        return PutByStatus(JSC::slowVersion(summary), *stubInfo);
+                }
+                }
                 break;
             }
@@ -225 +255 @@
             case AccessCase::CustomValueSetter:
             case AccessCase::CustomAccessorSetter:
-                return PutByIdStatus(MakesCalls);
+                return PutByStatus(MakesCalls);
 
             default:
-                return PutByIdStatus(JSC::slowVersion(summary));
-            }
-            
-            if (!result.appendVariant(variant))
-                return PutByIdStatus(JSC::slowVersion(summary));
+                return PutByStatus(JSC::slowVersion(summary), *stubInfo);
+            }
         }
         
@@ -240 +267 @@
         
     default:
-        return PutByIdStatus(JSC::slowVersion(summary));
-    }
-}
-
-PutByIdStatus PutByIdStatus::computeFor(CodeBlock* baselineBlock, ICStatusMap& baselineMap, ICStatusContextStack& contextStack, CodeOrigin codeOrigin, UniquedStringImpl* uid)
+        return PutByStatus(JSC::slowVersion(summary), *stubInfo);
+    }
+}
+
+PutByStatus PutByStatus::computeFor(CodeBlock* baselineBlock, ICStatusMap& baselineMap, ICStatusContextStack& contextStack, CodeOrigin codeOrigin)
 {
     BytecodeIndex bytecodeIndex = codeOrigin.bytecodeIndex();
@@ -253 +280 @@
         ICStatus status = context->get(codeOrigin);
         
-        auto bless = [&] (const PutByIdStatus& result) -> PutByIdStatus {
+        auto bless = [&] (const PutByStatus& result) -> PutByStatus {
             if (!context->isInlined(codeOrigin)) {
-                PutByIdStatus baselineResult = computeFor(
-                    baselineBlock, baselineMap, bytecodeIndex, uid, didExit,
+                PutByStatus baselineResult = computeFor(
+                    baselineBlock, baselineMap, bytecodeIndex, didExit,
                     callExitSiteData);
                 baselineResult.merge(result);
@@ -267 +294 @@
         
         if (status.stubInfo) {
-            PutByIdStatus result;
+            PutByStatus result;
             {
                 ConcurrentJSLocker locker(context->optimizedCodeBlock->m_lock);
                 result = computeForStubInfo(
-                    locker, context->optimizedCodeBlock, status.stubInfo, uid, callExitSiteData);
+                    locker, context->optimizedCodeBlock, status.stubInfo, callExitSiteData);
             }
             if (result.isSet())
@@ -281 +308 @@
     }
     
-    return computeFor(baselineBlock, baselineMap, bytecodeIndex, uid, didExit, callExitSiteData);
-}
-
-PutByIdStatus PutByIdStatus::computeFor(JSGlobalObject* globalObject, const StructureSet& set, UniquedStringImpl* uid, bool isDirect, PrivateFieldPutKind privateFieldPutKind)
-{
+    return computeFor(baselineBlock, baselineMap, bytecodeIndex, didExit, callExitSiteData);
+}
+
+PutByStatus PutByStatus::computeFor(JSGlobalObject* globalObject, const StructureSet& set, CacheableIdentifier identifier, bool isDirect, PrivateFieldPutKind privateFieldPutKind)
+{
+    UniquedStringImpl* uid = identifier.uid();
     if (parseIndex(*uid))
-        return PutByIdStatus(TakesSlowPath);
+        return PutByStatus(LikelyTakesSlowPath);
 
     if (set.isEmpty())
-        return PutByIdStatus();
+        return PutByStatus();
     
     VM& vm = globalObject->vm();
-    PutByIdStatus result;
+    PutByStatus result;
     result.m_state = Simple;
     for (unsigned i = 0; i < set.size(); ++i) {
@@ -299 +327 @@
         
         if (structure->typeInfo().overridesGetOwnPropertySlot() && structure->typeInfo().type() != GlobalObjectType)
-            return PutByIdStatus(TakesSlowPath);
+            return PutByStatus(LikelyTakesSlowPath);
 
         if (!structure->propertyAccessesAreCacheable())
-            return PutByIdStatus(TakesSlowPath);
+            return PutByStatus(LikelyTakesSlowPath);
     
         unsigned attributes;
@@ -311 +339 @@
             // slow path to throw exception.
             if (privateFieldPutKind.isDefine())
-                return PutByIdStatus(TakesSlowPath);
+                return PutByStatus(LikelyTakesSlowPath);
 
             if (attributes & PropertyAttribute::CustomAccessorOrValue)
-                return PutByIdStatus(MakesCalls);
+                return PutByStatus(MakesCalls);
 
             if (attributes & (PropertyAttribute::Accessor | PropertyAttribute::ReadOnly))
-                return PutByIdStatus(TakesSlowPath);
+                return PutByStatus(LikelyTakesSlowPath);
             
             WatchpointSet* replaceSet = structure->propertyReplacementWatchpointSet(offset);
@@ -326 +354 @@
                 // JIT thread, so even if we wanted to do this, we'd need to have a lazy thingy.
                 // So, better leave this alone and take slow path.
-                return PutByIdStatus(TakesSlowPath);
-            }
-
-            PutByIdVariant variant =
-                PutByIdVariant::replace(structure, offset);
+                return PutByStatus(LikelyTakesSlowPath);
+            }
+
+            PutByVariant variant = PutByVariant::replace(identifier, structure, offset);
             if (!result.appendVariant(variant))
-                return PutByIdStatus(TakesSlowPath);
+                return PutByStatus(LikelyTakesSlowPath);
             continue;
         }
@@ -341 +368 @@
         // slow path to throw excpetion if it ever gets executed.
         if (privateFieldPutKind.isSet())
-            return PutByIdStatus(TakesSlowPath);
+            return PutByStatus(LikelyTakesSlowPath);
 
         // Our hypothesis is that we're doing a transition. Before we prove that this is really
@@ -348 +375 @@
         // Don't cache put transitions on dictionaries.
         if (structure->isDictionary())
-            return PutByIdStatus(TakesSlowPath);
+            return PutByStatus(LikelyTakesSlowPath);
 
         // If the structure corresponds to something that isn't an object, then give up, since
         // we don't want to be adding properties to strings.
         if (!structure->typeInfo().isObject())
-            return PutByIdStatus(TakesSlowPath);
+            return PutByStatus(LikelyTakesSlowPath);
     
         ObjectPropertyConditionSet conditionSet;
@@ -361 +388 @@
                 vm, globalObject, structure, uid);
             if (!conditionSet.isValid())
-                return PutByIdStatus(TakesSlowPath);
+                return PutByStatus(LikelyTakesSlowPath);
         }
     
@@ -368 +395 @@
             Structure::addPropertyTransitionToExistingStructureConcurrently(structure, uid, 0, offset);
         if (!transition)
-            return PutByIdStatus(TakesSlowPath);
+            return PutByStatus(LikelyTakesSlowPath);
         ASSERT(isValidOffset(offset));
     
-        bool didAppend = result.appendVariant(
-            PutByIdVariant::transition(
-                structure, transition, conditionSet, offset));
+        bool didAppend = result.appendVariant(PutByVariant::transition(identifier, structure, transition, conditionSet, offset));
         if (!didAppend)
-            return PutByIdStatus(TakesSlowPath);
+            return PutByStatus(LikelyTakesSlowPath);
     }
     
@@ -383 +408 @@
 #endif
 
-bool PutByIdStatus::makesCalls() const
-{
-    if (m_state == MakesCalls)
+bool PutByStatus::makesCalls() const
+{
+    switch (m_state) {
+    case NoInformation:
+    case LikelyTakesSlowPath:
+    case ObservedTakesSlowPath:
+        return false;
+    case MakesCalls:
+    case ObservedSlowPathAndMakesCalls:
         return true;
-    
-    if (m_state != Simple)
+    case Simple: {
+        for (unsigned i = m_variants.size(); i--;) {
+            if (m_variants[i].makesCalls())
+                return true;
+        }
         return false;
-    
-    for (unsigned i = m_variants.size(); i--;) {
-        if (m_variants[i].makesCalls())
-            return true;
-    }
-    
-    return false;
-}
-
-PutByIdStatus PutByIdStatus::slowVersion() const
-{
-    return PutByIdStatus(makesCalls() ? MakesCalls : TakesSlowPath);
+    }
+    }
+}
+
+PutByStatus PutByStatus::slowVersion() const
+{
+    if (observedStructureStubInfoSlowPath())
+        return PutByStatus(makesCalls() ? ObservedSlowPathAndMakesCalls : ObservedTakesSlowPath);
+    return PutByStatus(makesCalls() ? MakesCalls : LikelyTakesSlowPath);
+}
+
+CacheableIdentifier PutByStatus::singleIdentifier() const
+{
+    return singleIdentifierForICStatus(m_variants);
 }
 
 template<typename Visitor>
-void PutByIdStatus::markIfCheap(Visitor& visitor)
-{
-    for (PutByIdVariant& variant : m_variants)
+void PutByStatus::visitAggregateImpl(Visitor& visitor)
+{
+    for (PutByVariant& variant : m_variants)
+        variant.visitAggregate(visitor);
+}
+
+DEFINE_VISIT_AGGREGATE(PutByStatus);
+
+template<typename Visitor>
+void PutByStatus::markIfCheap(Visitor& visitor)
+{
+    for (PutByVariant& variant : m_variants)
         variant.markIfCheap(visitor);
 }
 
-template void PutByIdStatus::markIfCheap(AbstractSlotVisitor&);
-template void PutByIdStatus::markIfCheap(SlotVisitor&);
-
-bool PutByIdStatus::finalize(VM& vm)
-{
-    for (PutByIdVariant& variant : m_variants) {
+template void PutByStatus::markIfCheap(AbstractSlotVisitor&);
+template void PutByStatus::markIfCheap(SlotVisitor&);
+
+bool PutByStatus::finalize(VM& vm)
+{
+    for (PutByVariant& variant : m_variants) {
         if (!variant.finalize(vm))
             return false;
@@ -423 +468 @@
 }
 
-void PutByIdStatus::merge(const PutByIdStatus& other)
+void PutByStatus::merge(const PutByStatus& other)
 {
     if (other.m_state == NoInformation)
         return;
-    
+
     auto mergeSlow = [&] () {
-        *this = PutByIdStatus((makesCalls() || other.makesCalls()) ? MakesCalls : TakesSlowPath);
+        if (observedStructureStubInfoSlowPath() || other.observedStructureStubInfoSlowPath())
+            *this = PutByStatus((makesCalls() || other.makesCalls()) ? ObservedSlowPathAndMakesCalls : ObservedTakesSlowPath);
+        else
+            *this = PutByStatus((makesCalls() || other.makesCalls()) ? MakesCalls : LikelyTakesSlowPath);
     };
-    
+
     switch (m_state) {
     case NoInformation:
@@ -441 +489 @@
             return mergeSlow();
         
-        for (const PutByIdVariant& other : other.m_variants) {
+        for (const PutByVariant& other : other.m_variants) {
             if (!appendVariant(other))
                 return mergeSlow();
@@ -448 +496 @@
         return;
         
-    case TakesSlowPath:
+    case LikelyTakesSlowPath:
+    case ObservedTakesSlowPath:
     case MakesCalls:
+    case ObservedSlowPathAndMakesCalls:
         return mergeSlow();
     }
@@ -456 +506 @@
 }
 
-void PutByIdStatus::filter(const StructureSet& set)
+void PutByStatus::filter(const StructureSet& set)
 {
     if (m_state != Simple)
         return;
     filterICStatusVariants(m_variants, set);
-    for (PutByIdVariant& variant : m_variants)
+    for (PutByVariant& variant : m_variants)
         variant.fixTransitionToReplaceIfNecessary();
     if (m_variants.isEmpty())
@@ -467 +517 @@
 }
 
-void PutByIdStatus::dump(PrintStream& out) const
+void PutByStatus::dump(PrintStream& out) const
 {
     switch (m_state) {
@@ -473 +523 @@
         out.print("(NoInformation)");
         return;
-        
     case Simple:
         out.print("(", listDump(m_variants), ")");
         return;
-        
-    case TakesSlowPath:
-        out.print("(TakesSlowPath)");
+    case LikelyTakesSlowPath:
+        out.print("LikelyTakesSlowPath");
+        return;
+    case ObservedTakesSlowPath:
+        out.print("ObservedTakesSlowPath");
         return;
     case MakesCalls:
-        out.print("(MakesCalls)");
+        out.print("MakesCalls");
+        return;
+    case ObservedSlowPathAndMakesCalls:
+        out.print("ObservedSlowPathAndMakesCalls");
         return;
     }

trunk/Source/JavaScriptCore/bytecode/PutByStatus.h

@@ -30 +30 @@
 #include "ICStatusMap.h"
 #include "PrivateFieldPutKind.h"
-#include "PutByIdVariant.h"
+#include "PutByVariant.h"
 #include "StubInfoSummary.h"
 
@@ -44 +44 @@
 typedef HashMap<CodeOrigin, StructureStubInfo*, CodeOriginApproximateHash> StubInfoMap;
 
-class PutByIdStatus final {
+class PutByStatus final {
     WTF_MAKE_FAST_ALLOCATED;
 public:
@@ -52 +52 @@
         // It's cached as a simple store of some kind.
         Simple,
-        // It's known to often take slow path.
-        TakesSlowPath,
-        // It's known to take paths that make calls.
-        MakesCalls
+        // It will likely take the slow path.
+        LikelyTakesSlowPath,
+        // It's known to take slow path. We also observed that the slow path was taken on StructureStubInfo.
+        ObservedTakesSlowPath,
+        // It will likely take the slow path and will make calls.
+        MakesCalls,
+        // It known to take paths that make calls. We also observed that the slow path was taken on StructureStubInfo.
+        ObservedSlowPathAndMakesCalls,
     };
     
-    PutByIdStatus()
+    PutByStatus()
         : m_state(NoInformation)
     {
     }
     
-    explicit PutByIdStatus(State state)
+    explicit PutByStatus(State state)
         : m_state(state)
     {
-        ASSERT(m_state == NoInformation || m_state == TakesSlowPath || m_state == MakesCalls);
+#if ASSERT_ENABLED
+        switch (m_state) {
+        case NoInformation:
+        case LikelyTakesSlowPath:
+        case ObservedTakesSlowPath:
+        case MakesCalls:
+        case ObservedSlowPathAndMakesCalls:
+            break;
+        default:
+            RELEASE_ASSERT_NOT_REACHED();
+            break;
+        }
+#endif
     }
     
-    explicit PutByIdStatus(StubInfoSummary summary)
-    {
-        switch (summary) {
-        case StubInfoSummary::NoInformation:
-            m_state = NoInformation;
-            return;
-        case StubInfoSummary::Simple:
-        case StubInfoSummary::MakesCalls:
-            RELEASE_ASSERT_NOT_REACHED();
-            return;
-        case StubInfoSummary::TakesSlowPath:
-            m_state = TakesSlowPath;
-            return;
-        case StubInfoSummary::TakesSlowPathAndMakesCalls:
-            m_state = MakesCalls;
-            return;
-        }
-        RELEASE_ASSERT_NOT_REACHED();
-    }
+    explicit PutByStatus(StubInfoSummary, StructureStubInfo&);
     
-    PutByIdStatus(const PutByIdVariant& variant)
+    PutByStatus(const PutByVariant& variant)
         : m_state(Simple)
     {
@@ -95 +93 @@
     }
     
-    static PutByIdStatus computeFor(CodeBlock*, ICStatusMap&, BytecodeIndex, UniquedStringImpl* uid, ExitFlag, CallLinkStatus::ExitSiteData);
-    static PutByIdStatus computeFor(JSGlobalObject*, const StructureSet&, UniquedStringImpl* uid, bool isDirect, PrivateFieldPutKind);
+    static PutByStatus computeFor(CodeBlock*, ICStatusMap&, BytecodeIndex, ExitFlag, CallLinkStatus::ExitSiteData);
+    static PutByStatus computeFor(JSGlobalObject*, const StructureSet&, CacheableIdentifier, bool isDirect, PrivateFieldPutKind);
     
-    static PutByIdStatus computeFor(CodeBlock* baselineBlock, ICStatusMap& baselineMap, ICStatusContextStack& contextStack, CodeOrigin, UniquedStringImpl* uid);
+    static PutByStatus computeFor(CodeBlock* baselineBlock, ICStatusMap& baselineMap, ICStatusContextStack&, CodeOrigin);
 
 #if ENABLE(JIT)
-    static PutByIdStatus computeForStubInfo(const ConcurrentJSLocker&, CodeBlock* baselineBlock, StructureStubInfo*, CodeOrigin, UniquedStringImpl* uid);
+    static PutByStatus computeForStubInfo(const ConcurrentJSLocker&, CodeBlock* baselineBlock, StructureStubInfo*, CodeOrigin);
 #endif
     
@@ -109 +107 @@
     bool operator!() const { return m_state == NoInformation; }
     bool isSimple() const { return m_state == Simple; }
-    bool takesSlowPath() const { return m_state == TakesSlowPath || m_state == MakesCalls; }
+    bool takesSlowPath() const
+    {
+        switch (m_state) {
+        case LikelyTakesSlowPath:
+        case ObservedTakesSlowPath:
+            return true;
+        default:
+            return false;
+        }
+    }
     bool makesCalls() const;
-    PutByIdStatus slowVersion() const;
+    PutByStatus slowVersion() const;
+    bool observedStructureStubInfoSlowPath() const { return m_state == ObservedTakesSlowPath || m_state == ObservedSlowPathAndMakesCalls; }
     
     size_t numVariants() const { return m_variants.size(); }
-    const Vector<PutByIdVariant, 1>& variants() const { return m_variants; }
-    const PutByIdVariant& at(size_t index) const { return m_variants[index]; }
-    const PutByIdVariant& operator[](size_t index) const { return at(index); }
+    const Vector<PutByVariant, 1>& variants() const { return m_variants; }
+    const PutByVariant& at(size_t index) const { return m_variants[index]; }
+    const PutByVariant& operator[](size_t index) const { return at(index); }
+    CacheableIdentifier singleIdentifier() const;
     
+    DECLARE_VISIT_AGGREGATE;
     template<typename Visitor> void markIfCheap(Visitor&);
     bool finalize(VM&);
     
-    void merge(const PutByIdStatus&);
+    void merge(const PutByStatus&);
     
     void filter(const StructureSet&);
@@ -129 +139 @@
 private:
 #if ENABLE(JIT)
-    static PutByIdStatus computeForStubInfo(
-        const ConcurrentJSLocker&, CodeBlock*, StructureStubInfo*, UniquedStringImpl* uid,
-        CallLinkStatus::ExitSiteData);
+    static PutByStatus computeForStubInfo(const ConcurrentJSLocker&, CodeBlock*, StructureStubInfo*, CallLinkStatus::ExitSiteData);
 #endif
-    static PutByIdStatus computeFromLLInt(CodeBlock*, BytecodeIndex, UniquedStringImpl* uid);
+    static PutByStatus computeFromLLInt(CodeBlock*, BytecodeIndex);
     
-    bool appendVariant(const PutByIdVariant&);
+    bool appendVariant(const PutByVariant&);
     void shrinkToFit();
     
     State m_state;
-    Vector<PutByIdVariant, 1> m_variants;
+    Vector<PutByVariant, 1> m_variants;
 };
 

trunk/Source/JavaScriptCore/bytecode/PutByVariant.cpp

@@ -25 +25 @@
 
 #include "config.h"
-#include "PutByIdVariant.h"
-
+#include "PutByVariant.h"
+
+#include "CacheableIdentifierInlines.h"
 #include "CallLinkStatus.h"
 #include "HeapInlines.h"
@@ -32 +33 @@
 namespace JSC {
 
-PutByIdVariant::PutByIdVariant(const PutByIdVariant& other)
-    : PutByIdVariant()
+PutByVariant::PutByVariant(const PutByVariant& other)
+    : PutByVariant(other.m_identifier)
 {
     *this = other;
 }
 
-PutByIdVariant& PutByIdVariant::operator=(const PutByIdVariant& other)
+PutByVariant& PutByVariant::operator=(const PutByVariant& other)
 {
     m_kind = other.m_kind;
@@ -49 +50 @@
     else
         m_callLinkStatus = nullptr;
+    m_identifier = other.m_identifier;
     return *this;
 }
 
-PutByIdVariant PutByIdVariant::replace(
-    const StructureSet& structure, PropertyOffset offset)
-{
-    PutByIdVariant result;
+PutByVariant PutByVariant::replace(CacheableIdentifier identifier, const StructureSet& structure, PropertyOffset offset)
+{
+    PutByVariant result(WTFMove(identifier));
     result.m_kind = Replace;
     result.m_oldStructure = structure;
@@ -62 +63 @@
 }
 
-PutByIdVariant PutByIdVariant::transition(
-    const StructureSet& oldStructure, Structure* newStructure,
-    const ObjectPropertyConditionSet& conditionSet, PropertyOffset offset)
-{
-    PutByIdVariant result;
+PutByVariant PutByVariant::transition(CacheableIdentifier identifier, const StructureSet& oldStructure, Structure* newStructure, const ObjectPropertyConditionSet& conditionSet, PropertyOffset offset)
+{
+    PutByVariant result(WTFMove(identifier));
     result.m_kind = Transition;
     result.m_oldStructure = oldStructure;
@@ -75 +74 @@
 }
 
-PutByIdVariant PutByIdVariant::setter(
-    const StructureSet& structure, PropertyOffset offset,
-    const ObjectPropertyConditionSet& conditionSet,
-    std::unique_ptr<CallLinkStatus> callLinkStatus)
-{
-    PutByIdVariant result;
+PutByVariant PutByVariant::setter(CacheableIdentifier identifier, const StructureSet& structure, PropertyOffset offset, const ObjectPropertyConditionSet& conditionSet, std::unique_ptr<CallLinkStatus> callLinkStatus)
+{
+    PutByVariant result(WTFMove(identifier));
     result.m_kind = Setter;
     result.m_oldStructure = structure;
@@ -89 +85 @@
 }
 
-Structure* PutByIdVariant::oldStructureForTransition() const
+Structure* PutByVariant::oldStructureForTransition() const
 {
     RELEASE_ASSERT(kind() == Transition);
@@ -103 +99 @@
 }
 
-void PutByIdVariant::fixTransitionToReplaceIfNecessary()
+void PutByVariant::fixTransitionToReplaceIfNecessary()
 {
     if (kind() != Transition)
@@ -121 +117 @@
 }
 
-bool PutByIdVariant::writesStructures() const
+bool PutByVariant::writesStructures() const
 {
     switch (kind()) {
@@ -132 +128 @@
 }
 
-bool PutByIdVariant::reallocatesStorage() const
+bool PutByVariant::reallocatesStorage() const
 {
     switch (kind()) {
@@ -144 +140 @@
 }
 
-bool PutByIdVariant::makesCalls() const
+bool PutByVariant::makesCalls() const
 {
     return kind() == Setter;
 }
 
-bool PutByIdVariant::attemptToMerge(const PutByIdVariant& other)
-{
+bool PutByVariant::attemptToMerge(const PutByVariant& other)
+{
+    if (!!m_identifier != !!other.m_identifier)
+        return false;
+
+    if (m_identifier && (m_identifier != other.m_identifier))
+        return false;
+
     if (m_offset != other.m_offset)
         return false;
@@ -170 +172 @@
             
         case Transition: {
-            PutByIdVariant newVariant = other;
+            PutByVariant newVariant = other;
             if (newVariant.attemptToMergeTransitionWithReplace(*this)) {
                 *this = newVariant;
@@ -240 +242 @@
 }
 
-bool PutByIdVariant::attemptToMergeTransitionWithReplace(const PutByIdVariant& replace)
+bool PutByVariant::attemptToMergeTransitionWithReplace(const PutByVariant& replace)
 {
     ASSERT(m_kind == Transition);
@@ -264 +266 @@
 
 template<typename Visitor>
-void PutByIdVariant::markIfCheap(Visitor& visitor)
+void PutByVariant::visitAggregateImpl(Visitor& visitor)
+{
+    m_identifier.visitAggregate(visitor);
+}
+
+DEFINE_VISIT_AGGREGATE(PutByVariant);
+
+template<typename Visitor>
+void PutByVariant::markIfCheap(Visitor& visitor)
 {
     m_oldStructure.markIfCheap(visitor);
@@ -271 +281 @@
 }
 
-template void PutByIdVariant::markIfCheap(AbstractSlotVisitor&);
-template void PutByIdVariant::markIfCheap(SlotVisitor&);
-
-bool PutByIdVariant::finalize(VM& vm)
+template void PutByVariant::markIfCheap(AbstractSlotVisitor&);
+template void PutByVariant::markIfCheap(SlotVisitor&);
+
+bool PutByVariant::finalize(VM& vm)
 {
     if (!m_oldStructure.isStillAlive(vm))
@@ -287 +297 @@
 }
 
-void PutByIdVariant::dump(PrintStream& out) const
+void PutByVariant::dump(PrintStream& out) const
 {
     dumpInContext(out, nullptr);
 }
 
-void PutByIdVariant::dumpInContext(PrintStream& out, DumpContext* context) const
-{
+void PutByVariant::dumpInContext(PrintStream& out, DumpContext* context) const
+{
+    out.print("<");
+    out.print("id='", m_identifier, "', ");
     switch (kind()) {
     case NotSet:
-        out.print("<empty>");
+        out.print("empty>");
         return;
         
     case Replace:
         out.print(
-            "<Replace: ", inContext(structure(), context), ", offset = ", offset(), ", ", ">");
+            "Replace: ", inContext(structure(), context), ", offset = ", offset(), ", ", ">");
         return;
         
     case Transition:
         out.print(
-            "<Transition: ", inContext(oldStructure(), context), " to ",
+            "Transition: ", inContext(oldStructure(), context), " to ",
             pointerDumpInContext(newStructure(), context), ", [",
             inContext(m_conditionSet, context), "], offset = ", offset(), ", ", ">");
@@ -313 +325 @@
     case Setter:
         out.print(
-            "<Setter: ", inContext(structure(), context), ", [",
+            "Setter: ", inContext(structure(), context), ", [",
             inContext(m_conditionSet, context), "]");
         out.print(", offset = ", m_offset);

trunk/Source/JavaScriptCore/bytecode/PutByVariant.h

@@ -34 +34 @@
 class CallLinkStatus;
 
-class PutByIdVariant {
+class PutByVariant {
     WTF_MAKE_FAST_ALLOCATED;
 public:
@@ -44 +44 @@
     };
     
-    PutByIdVariant()
+    PutByVariant(CacheableIdentifier identifier)
         : m_kind(NotSet)
         , m_offset(invalidOffset)
         , m_newStructure(nullptr)
+        , m_identifier(WTFMove(identifier))
     {
     }
     
-    PutByIdVariant(const PutByIdVariant&);
-    PutByIdVariant& operator=(const PutByIdVariant&);
+    PutByVariant(const PutByVariant&);
+    PutByVariant& operator=(const PutByVariant&);
 
-    static PutByIdVariant replace(const StructureSet&, PropertyOffset);
+    static PutByVariant replace(CacheableIdentifier, const StructureSet&, PropertyOffset);
     
-    static PutByIdVariant transition(
-        const StructureSet& oldStructure, Structure* newStructure,
-        const ObjectPropertyConditionSet&, PropertyOffset);
+    static PutByVariant transition(CacheableIdentifier, const StructureSet& oldStructure, Structure* newStructure, const ObjectPropertyConditionSet&, PropertyOffset);
     
-    static PutByIdVariant setter(
-        const StructureSet&, PropertyOffset, const ObjectPropertyConditionSet&,
-        std::unique_ptr<CallLinkStatus>);
+    static PutByVariant setter(CacheableIdentifier, const StructureSet&, PropertyOffset, const ObjectPropertyConditionSet&, std::unique_ptr<CallLinkStatus>);
     
     Kind kind() const { return m_kind; }
@@ -131 +128 @@
     }
 
-    bool attemptToMerge(const PutByIdVariant& other);
+    bool attemptToMerge(const PutByVariant& other);
     
+    DECLARE_VISIT_AGGREGATE;
     template<typename Visitor> void markIfCheap(Visitor&);
     bool finalize(VM&);
@@ -139 +137 @@
     void dumpInContext(PrintStream&, DumpContext*) const;
 
-    bool overlaps(const PutByIdVariant& other)
+    CacheableIdentifier identifier() const { return m_identifier; }
+
+    bool overlaps(const PutByVariant& other)
     {
+        if (!!m_identifier != !!other.m_identifier)
+            return true;
+        if (m_identifier) {
+            if (m_identifier != other.m_identifier)
+                return false;
+        }
         return structureSet().overlaps(other.structureSet());
     }
 
 private:
-    bool attemptToMergeTransitionWithReplace(const PutByIdVariant& replace);
+    bool attemptToMergeTransitionWithReplace(const PutByVariant& replace);
     
     Kind m_kind;
@@ -153 +159 @@
     ObjectPropertyConditionSet m_conditionSet;
     std::unique_ptr<CallLinkStatus> m_callLinkStatus;
+    CacheableIdentifier m_identifier;
 };
 

trunk/Source/JavaScriptCore/bytecode/RecordedStatuses.cpp

@@ -63 +63 @@
 }
     
-PutByIdStatus* RecordedStatuses::addPutByIdStatus(const CodeOrigin& codeOrigin, const PutByIdStatus& status)
+PutByStatus* RecordedStatuses::addPutByStatus(const CodeOrigin& codeOrigin, const PutByStatus& status)
 {
-    auto statusPtr = makeUnique<PutByIdStatus>(status);
-    PutByIdStatus* result = statusPtr.get();
+    auto statusPtr = makeUnique<PutByStatus>(status);
+    PutByStatus* result = statusPtr.get();
     puts.append(std::make_pair(codeOrigin, WTFMove(statusPtr)));
     return result;
@@ -107 +107 @@
 {
     for (auto& pair : gets)
+        pair.second->visitAggregate(visitor);
+    for (auto& pair : puts)
         pair.second->visitAggregate(visitor);
     for (auto& pair : ins)

trunk/Source/JavaScriptCore/bytecode/RecordedStatuses.h

@@ -31 +31 @@
 #include "GetByStatus.h"
 #include "InByStatus.h"
-#include "PutByIdStatus.h"
+#include "PutByStatus.h"
 #include "SetPrivateBrandStatus.h"
 
@@ -49 +49 @@
     CallLinkStatus* addCallLinkStatus(const CodeOrigin&, const CallLinkStatus&);
     GetByStatus* addGetByStatus(const CodeOrigin&, const GetByStatus&);
-    PutByIdStatus* addPutByIdStatus(const CodeOrigin&, const PutByIdStatus&);
+    PutByStatus* addPutByStatus(const CodeOrigin&, const PutByStatus&);
     InByStatus* addInByStatus(const CodeOrigin&, const InByStatus&);
     DeleteByStatus* addDeleteByStatus(const CodeOrigin&, const DeleteByStatus&);
@@ -77 +77 @@
     Vector<std::pair<CodeOrigin, std::unique_ptr<CallLinkStatus>>> calls;
     Vector<std::pair<CodeOrigin, std::unique_ptr<GetByStatus>>> gets;
-    Vector<std::pair<CodeOrigin, std::unique_ptr<PutByIdStatus>>> puts;
+    Vector<std::pair<CodeOrigin, std::unique_ptr<PutByStatus>>> puts;
     Vector<std::pair<CodeOrigin, std::unique_ptr<InByStatus>>> ins;
     Vector<std::pair<CodeOrigin, std::unique_ptr<DeleteByStatus>>> deletes;

trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.cpp

@@ -282 +282 @@
         resetGetBy(codeBlock, *this, GetByKind::PrivateName);
         break;
-    case AccessType::Put:
-        resetPutByID(codeBlock, *this);
+    case AccessType::PutById:
+        resetPutBy(codeBlock, *this, PutByKind::ById);
+        break;
+    case AccessType::PutByVal:
+        resetPutBy(codeBlock, *this, PutByKind::ByVal);
         break;
     case AccessType::InById:

trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.h

@@ -55 +55 @@
     TryGetById,
     GetByVal,
-    Put,
+    PutById,
+    PutByVal,
     InById,
     InByVal,
@@ -366 +367 @@
     } regs;
     GPRReg m_stubInfoGPR { InvalidGPRReg };
+    GPRReg m_arrayProfileGPR { InvalidGPRReg };
 #if USE(JSVALUE32_64)
     GPRReg valueTagGPR;

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -48 +48 @@
 #include "MathCommon.h"
 #include "NumberConstructor.h"
-#include "PutByIdStatus.h"
+#include "PutByStatus.h"
 #include "RegExpObject.h"
 #include "SetPrivateBrandStatus.h"
@@ -3974 +3974 @@
             
         for (unsigned i = node->multiPutByOffsetData().variants.size(); i--;) {
-            const PutByIdVariant& variant = node->multiPutByOffsetData().variants[i];
+            const PutByVariant& variant = node->multiPutByOffsetData().variants[i];
             RegisteredStructureSet thisSet = *m_graph.addStructureSet(variant.oldStructure());
             thisSet.filter(base);
@@ -3983 +3983 @@
             resultingValue.merge(thisValue);
             
-            if (variant.kind() == PutByIdVariant::Transition) {
+            if (variant.kind() == PutByVariant::Transition) {
                 RegisteredStructure newStructure = m_graph.registerStructure(variant.newStructure());
                 if (thisSet.onlyStructure() != newStructure) {
@@ -3991 +3991 @@
                 newSet.add(newStructure);
             } else {
-                ASSERT(variant.kind() == PutByIdVariant::Replace);
+                ASSERT(variant.kind() == PutByVariant::Replace);
                 newSet.merge(thisSet);
             }
@@ -4141 +4141 @@
             bool isDirect = node->op() == PutByIdDirect || node->op() == PutPrivateNameById;
             auto privateFieldPutKind = node->op() == PutPrivateNameById ? node->privateFieldPutKind() : PrivateFieldPutKind::none();
-            PutByIdStatus status = PutByIdStatus::computeFor(
+            PutByStatus status = PutByStatus::computeFor(
                 m_graph.globalObjectFor(node->origin.semantic),
                 value.m_structure.toStructureSet(),
-                node->cacheableIdentifier().uid(),
+                node->cacheableIdentifier(),
                 isDirect, privateFieldPutKind);
 
@@ -4152 +4152 @@
                 TransitionVector transitions;
                 
-                for (const PutByIdVariant& variant : status.variants()) {
+                for (const PutByVariant& variant : status.variants()) {
                     for (const ObjectPropertyCondition& condition : variant.conditionSet()) {
                         if (!m_graph.watchCondition(condition)) {
@@ -4163 +4163 @@
                         break;
 
-                    if (variant.kind() == PutByIdVariant::Transition) {
+                    if (variant.kind() == PutByVariant::Transition) {
                         RegisteredStructure newStructure = m_graph.registerStructure(variant.newStructure());
                         transitions.append(
@@ -4170 +4170 @@
                         newSet.add(newStructure);
                     } else {
-                        ASSERT(variant.kind() == PutByIdVariant::Replace);
+                        ASSERT(variant.kind() == PutByVariant::Replace);
                         newSet.merge(*m_graph.addStructureSet(variant.oldStructure()));
                     }
@@ -4474 +4474 @@
     case FilterCallLinkStatus:
     case FilterGetByStatus:
-    case FilterPutByIdStatus:
+    case FilterPutByStatus:
     case FilterInByStatus:
     case FilterDeleteByStatus:
@@ -4653 +4653 @@
     }
         
-    case FilterPutByIdStatus: {
+    case FilterPutByStatus: {
         AbstractValue& value = forNode(node->child1());
         if (value.m_structure.isFinite())
-            node->putByIdStatus()->filter(value.m_structure.toStructureSet());
+            node->putByStatus()->filter(value.m_structure.toStructureSet());
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp

@@ -403 +403 @@
                     
                 case FilterGetByStatus:
-                case FilterPutByIdStatus:
+                case FilterPutByStatus:
                 case FilterCallLinkStatus:
                 case FilterInByStatus:
@@ -1266 +1266 @@
                 case GetButterfly:
                 case FilterGetByStatus:
-                case FilterPutByIdStatus:
+                case FilterPutByStatus:
                 case FilterCallLinkStatus:
                 case FilterInByStatus:

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -34 +34 @@
 #include "BooleanConstructor.h"
 #include "BuiltinNames.h"
-#include "ByValInfo.h"
 #include "BytecodeGenerator.h"
 #include "BytecodeOperandsForCheckpoint.h"
@@ -75 +74 @@
 #include "PrivateFieldPutKind.h"
 #include "PutByIdFlags.h"
-#include "PutByIdStatus.h"
+#include "PutByStatus.h"
 #include "RegExpPrototype.h"
 #include "SetPrivateBrandStatus.h"
@@ -240 +239 @@
     void checkPresenceForReplace(Node* base, UniquedStringImpl*, PropertyOffset, const StructureSet&);
     
-    // Works with both GetByVariant and the setter form of PutByIdVariant.
+    // Works with both GetByVariant and the setter form of PutByVariant.
     template<typename VariantType>
     Node* load(SpeculatedType, Node* base, unsigned identifierNumber, const VariantType&);
 
-    Node* store(Node* base, unsigned identifier, const PutByIdVariant&, Node* value);
+    Node* store(Node* base, unsigned identifier, const PutByVariant&, Node* value);
 
     template<typename Op>
@@ -254 +253 @@
         VirtualRegister destination, SpeculatedType prediction, Node* base, CacheableIdentifier, unsigned identifierNumber, GetByStatus);
     void emitPutById(
-        Node* base, CacheableIdentifier, Node* value,  const PutByIdStatus&, bool isDirect, ECMAMode);
+        Node* base, CacheableIdentifier, Node* value,  const PutByStatus&, bool isDirect, ECMAMode);
     void handlePutById(
-        Node* base, CacheableIdentifier, unsigned identifierNumber, Node* value, const PutByIdStatus&,
+        Node* base, CacheableIdentifier, unsigned identifierNumber, Node* value, const PutByStatus&,
         bool isDirect, BytecodeIndex osrExitIndex, ECMAMode);
 
     void handlePutPrivateNameById(
-        Node* base, CacheableIdentifier, unsigned identifierNumber, Node* value, const PutByIdStatus&, PrivateFieldPutKind);
+        Node* base, CacheableIdentifier, unsigned identifierNumber, Node* value, const PutByStatus&, PrivateFieldPutKind);
 
     void handleDeleteById(
@@ -4515 +4514 @@
                 // the structures in the variant.structureSet() agree on the prototype (it would be
                 // hilariously rare if they didn't). Note that we are relying on structureSet() having
-                // at least one element. That will always be true here because of how GetByStatus/PutByIdStatus work.
+                // at least one element. That will always be true here because of how GetByStatus/PutByStatus work.
 
                 // FIXME: right now, if we have an OPCS, we have mono proto. However, this will
@@ -4594 +4593 @@
 }
 
-Node* ByteCodeParser::store(Node* base, unsigned identifier, const PutByIdVariant& variant, Node* value)
+Node* ByteCodeParser::store(Node* base, unsigned identifier, const PutByVariant& variant, Node* value)
 {
-    RELEASE_ASSERT(variant.kind() == PutByIdVariant::Replace);
+    RELEASE_ASSERT(variant.kind() == PutByVariant::Replace);
 
     checkPresenceForReplace(base, m_graph.identifiers()[identifier], variant.offset(), variant.structure());
@@ -4999 +4998 @@
 
 void ByteCodeParser::emitPutById(
-    Node* base, CacheableIdentifier identifier, Node* value, const PutByIdStatus& putByIdStatus, bool isDirect, ECMAMode ecmaMode)
+    Node* base, CacheableIdentifier identifier, Node* value, const PutByStatus& putByStatus, bool isDirect, ECMAMode ecmaMode)
 {
     if (isDirect)
         addToGraph(PutByIdDirect, OpInfo(identifier), OpInfo(ecmaMode), base, value);
     else
-        addToGraph(putByIdStatus.makesCalls() ? PutByIdFlush : PutById, OpInfo(identifier), OpInfo(ecmaMode), base, value);
+        addToGraph(putByStatus.makesCalls() ? PutByIdFlush : PutById, OpInfo(identifier), OpInfo(ecmaMode), base, value);
 }
 
 void ByteCodeParser::handlePutById(
     Node* base, CacheableIdentifier identifier, unsigned identifierNumber, Node* value,
-    const PutByIdStatus& putByIdStatus, bool isDirect, BytecodeIndex osrExitIndex, ECMAMode ecmaMode)
+    const PutByStatus& putByStatus, bool isDirect, BytecodeIndex osrExitIndex, ECMAMode ecmaMode)
 {
-    if (!putByIdStatus.isSimple() || !putByIdStatus.numVariants() || !Options::useAccessInlining()) {
-        if (!putByIdStatus.isSet())
+    if (!putByStatus.isSimple() || !putByStatus.numVariants() || !Options::useAccessInlining()) {
+        if (!putByStatus.isSet())
             addToGraph(ForceOSRExit);
-        emitPutById(base, identifier, value, putByIdStatus, isDirect, ecmaMode);
+        emitPutById(base, identifier, value, putByStatus, isDirect, ecmaMode);
         return;
     }
     
-    if (putByIdStatus.numVariants() > 1) {
-        if (!m_graph.m_plan.isFTL() || putByIdStatus.makesCalls()
+    if (putByStatus.numVariants() > 1) {
+        if (!m_graph.m_plan.isFTL() || putByStatus.makesCalls()
             || !Options::usePolymorphicAccessInlining()
-            || putByIdStatus.numVariants() > Options::maxPolymorphicAccessInliningListSize()) {
-            emitPutById(base, identifier, value, putByIdStatus, isDirect, ecmaMode);
+            || putByStatus.numVariants() > Options::maxPolymorphicAccessInliningListSize()) {
+            emitPutById(base, identifier, value, putByStatus, isDirect, ecmaMode);
             return;
         }
         
         if (!isDirect) {
-            for (unsigned variantIndex = putByIdStatus.numVariants(); variantIndex--;) {
-                if (putByIdStatus[variantIndex].kind() != PutByIdVariant::Transition)
+            for (unsigned variantIndex = putByStatus.numVariants(); variantIndex--;) {
+                if (putByStatus[variantIndex].kind() != PutByVariant::Transition)
                     continue;
-                if (!check(putByIdStatus[variantIndex].conditionSet())) {
-                    emitPutById(base, identifier, value, putByIdStatus, isDirect, ecmaMode);
+                if (!check(putByStatus[variantIndex].conditionSet())) {
+                    emitPutById(base, identifier, value, putByStatus, isDirect, ecmaMode);
                     return;
                 }
@@ -5040 +5039 @@
             m_graph.compilation()->noticeInlinedPutById();
 
-        addToGraph(FilterPutByIdStatus, OpInfo(m_graph.m_plan.recordedStatuses().addPutByIdStatus(currentCodeOrigin(), putByIdStatus)), base);
-
-        for (const PutByIdVariant& variant : putByIdStatus.variants()) {
+        addToGraph(FilterPutByStatus, OpInfo(m_graph.m_plan.recordedStatuses().addPutByStatus(currentCodeOrigin(), putByStatus)), base);
+
+        for (const PutByVariant& variant : putByStatus.variants()) {
             for (Structure* structure : variant.oldStructure())
                 m_graph.registerStructure(structure);
-            if (variant.kind() == PutByIdVariant::Transition)
+            if (variant.kind() == PutByVariant::Transition)
                 m_graph.registerStructure(variant.newStructure());
         }
         
         MultiPutByOffsetData* data = m_graph.m_multiPutByOffsetData.add();
-        data->variants = putByIdStatus.variants();
+        data->variants = putByStatus.variants();
         data->identifierNumber = identifierNumber;
         addToGraph(MultiPutByOffset, OpInfo(data), base, value);
@@ -5056 +5055 @@
     }
     
-    ASSERT(putByIdStatus.numVariants() == 1);
-    const PutByIdVariant& variant = putByIdStatus[0];
+    ASSERT(putByStatus.numVariants() == 1);
+    const PutByVariant& variant = putByStatus[0];
     
     switch (variant.kind()) {
-    case PutByIdVariant::Replace: {
-        addToGraph(FilterPutByIdStatus, OpInfo(m_graph.m_plan.recordedStatuses().addPutByIdStatus(currentCodeOrigin(), putByIdStatus)), base);
+    case PutByVariant::Replace: {
+        addToGraph(FilterPutByStatus, OpInfo(m_graph.m_plan.recordedStatuses().addPutByStatus(currentCodeOrigin(), putByStatus)), base);
 
         store(base, identifierNumber, variant, value);
@@ -5069 +5068 @@
     }
     
-    case PutByIdVariant::Transition: {
-        addToGraph(FilterPutByIdStatus, OpInfo(m_graph.m_plan.recordedStatuses().addPutByIdStatus(currentCodeOrigin(), putByIdStatus)), base);
+    case PutByVariant::Transition: {
+        addToGraph(FilterPutByStatus, OpInfo(m_graph.m_plan.recordedStatuses().addPutByStatus(currentCodeOrigin(), putByStatus)), base);
 
         addToGraph(CheckStructure, OpInfo(m_graph.addStructureSet(variant.oldStructure())), base);
         if (!check(variant.conditionSet())) {
-            emitPutById(base, identifier, value, putByIdStatus, isDirect, ecmaMode);
+            emitPutById(base, identifier, value, putByStatus, isDirect, ecmaMode);
             return;
         }
@@ -5136 +5135 @@
     }
         
-    case PutByIdVariant::Setter: {
-        addToGraph(FilterPutByIdStatus, OpInfo(m_graph.m_plan.recordedStatuses().addPutByIdStatus(currentCodeOrigin(), putByIdStatus)), base);
+    case PutByVariant::Setter: {
+        addToGraph(FilterPutByStatus, OpInfo(m_graph.m_plan.recordedStatuses().addPutByStatus(currentCodeOrigin(), putByStatus)), base);
 
         Node* loadedValue = load(SpecCellOther, base, identifierNumber, variant);
         if (!loadedValue) {
-            emitPutById(base, identifier, value, putByIdStatus, isDirect, ecmaMode);
+            emitPutById(base, identifier, value, putByStatus, isDirect, ecmaMode);
             return;
         }
@@ -5185 +5184 @@
     
     default: {
-        emitPutById(base, identifier, value, putByIdStatus, isDirect, ecmaMode);
+        emitPutById(base, identifier, value, putByStatus, isDirect, ecmaMode);
         return;
     } }
@@ -5192 +5191 @@
 void ByteCodeParser::handlePutPrivateNameById(
     Node* base, CacheableIdentifier identifier, unsigned identifierNumber, Node* value,
-    const PutByIdStatus& putByIdStatus, PrivateFieldPutKind privateFieldPutKind)
+    const PutByStatus& putByStatus, PrivateFieldPutKind privateFieldPutKind)
 {
-    if (!putByIdStatus.isSimple() || !putByIdStatus.numVariants() || !Options::useAccessInlining()) {
-        if (!putByIdStatus.isSet())
+    if (!putByStatus.isSimple() || !putByStatus.numVariants() || !Options::useAccessInlining()) {
+        if (!putByStatus.isSet())
             addToGraph(ForceOSRExit);
         addToGraph(PutPrivateNameById, OpInfo(identifier), OpInfo(privateFieldPutKind), base, value);
@@ -5201 +5200 @@
     }
     
-    if (putByIdStatus.numVariants() > 1) {
-        if (!m_graph.m_plan.isFTL() || putByIdStatus.makesCalls()
+    if (putByStatus.numVariants() > 1) {
+        if (!m_graph.m_plan.isFTL() || putByStatus.makesCalls()
             || !Options::usePolymorphicAccessInlining()
-            || putByIdStatus.numVariants() > Options::maxPolymorphicAccessInliningListSize()) {
+            || putByStatus.numVariants() > Options::maxPolymorphicAccessInliningListSize()) {
             addToGraph(PutPrivateNameById, OpInfo(identifier), OpInfo(privateFieldPutKind), base, value);
             return;
@@ -5212 +5211 @@
             m_graph.compilation()->noticeInlinedPutById();
     
-        addToGraph(FilterPutByIdStatus, OpInfo(m_graph.m_plan.recordedStatuses().addPutByIdStatus(currentCodeOrigin(), putByIdStatus)), base);
-    
-        for (const PutByIdVariant& variant : putByIdStatus.variants()) {
+        addToGraph(FilterPutByStatus, OpInfo(m_graph.m_plan.recordedStatuses().addPutByStatus(currentCodeOrigin(), putByStatus)), base);
+    
+        for (const PutByVariant& variant : putByStatus.variants()) {
             for (Structure* structure : variant.oldStructure())
                 m_graph.registerStructure(structure);
-            if (variant.kind() == PutByIdVariant::Transition)
+            if (variant.kind() == PutByVariant::Transition)
                 m_graph.registerStructure(variant.newStructure());
         }
         
         MultiPutByOffsetData* data = m_graph.m_multiPutByOffsetData.add();
-        data->variants = putByIdStatus.variants();
+        data->variants = putByStatus.variants();
         data->identifierNumber = identifierNumber;
         addToGraph(MultiPutByOffset, OpInfo(data), base, value);
@@ -5228 +5227 @@
     }
     
-    ASSERT(putByIdStatus.numVariants() == 1);
-    const PutByIdVariant& variant = putByIdStatus[0];
+    ASSERT(putByStatus.numVariants() == 1);
+    const PutByVariant& variant = putByStatus[0];
     
     switch (variant.kind()) {
-    case PutByIdVariant::Replace: {
+    case PutByVariant::Replace: {
         ASSERT(privateFieldPutKind.isSet());
-        addToGraph(FilterPutByIdStatus, OpInfo(m_graph.m_plan.recordedStatuses().addPutByIdStatus(currentCodeOrigin(), putByIdStatus)), base);
+        addToGraph(FilterPutByStatus, OpInfo(m_graph.m_plan.recordedStatuses().addPutByStatus(currentCodeOrigin(), putByStatus)), base);
     
         store(base, identifierNumber, variant, value);
@@ -5242 +5241 @@
     }
     
-    case PutByIdVariant::Transition: {
+    case PutByVariant::Transition: {
         ASSERT(privateFieldPutKind.isDefine());
-        addToGraph(FilterPutByIdStatus, OpInfo(m_graph.m_plan.recordedStatuses().addPutByIdStatus(currentCodeOrigin(), putByIdStatus)), base);
+        addToGraph(FilterPutByStatus, OpInfo(m_graph.m_plan.recordedStatuses().addPutByStatus(currentCodeOrigin(), putByStatus)), base);
     
         addToGraph(CheckStructure, OpInfo(m_graph.addStructureSet(variant.oldStructure())), base);
@@ -6453 +6452 @@
             Node* property = get(bytecode.m_property);
             Node* value = get(bytecode.m_value);
-            bool tryCompileAsPutByOffset = false;
-
-            CacheableIdentifier identifier;
-            unsigned identifierNumber = std::numeric_limits<unsigned>::max();
-            PutByIdStatus putByIdStatus;
-            {
-                ConcurrentJSLocker locker(m_inlineStackTop->m_profiledBlock->m_lock);
-                ByValInfo* byValInfo = m_inlineStackTop->m_baselineMap.get(CodeOrigin(currentCodeOrigin().bytecodeIndex())).byValInfo;
-                // FIXME: When the bytecode is not compiled in the baseline JIT, byValInfo becomes null.
-                // At that time, there is no information. For `put_private_name`, we might have some info from
-                // LLInt IC, including cached cell that we could use if ByVal is not available.
-                // https://bugs.webkit.org/show_bug.cgi?id=216779
-                if (byValInfo 
-                    && byValInfo->stubInfo
-                    && !byValInfo->tookSlowPath
-                    && !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadIdent)
-                    && !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadType)
-                    && !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadConstantValue)) {
-                    tryCompileAsPutByOffset = true;
-                    identifier = byValInfo->cachedId;
-                    ASSERT(identifier.isSymbolCell());
-                    identifierNumber = m_graph.identifiers().ensure(identifier.uid());
-                    UniquedStringImpl* uid = m_graph.identifiers()[identifierNumber];
-                    FrozenValue* frozen = m_graph.freezeStrong(identifier.cell());
-
-                    addToGraph(CheckIsConstant, OpInfo(frozen), property);
-
-                    putByIdStatus = PutByIdStatus::computeForStubInfo(
-                        locker, m_inlineStackTop->m_profiledBlock,
-                        byValInfo->stubInfo, currentCodeOrigin(), uid);
+            bool compiledAsPutPrivateNameById = false;
+
+            if (!m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadIdent)
+                && !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadType)
+                && !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadConstantValue)) {
+
+                PutByStatus status = PutByStatus::computeFor(m_inlineStackTop->m_profiledBlock, m_inlineStackTop->m_baselineMap, m_icContextStack, currentCodeOrigin());
+
+                if (CacheableIdentifier identifier = status.singleIdentifier()) {
+                    UniquedStringImpl* uid = identifier.uid();
+                    unsigned identifierNumber = m_graph.identifiers().ensure(uid);
+                    if (identifier.isCell()) {
+                        FrozenValue* frozen = m_graph.freezeStrong(identifier.cell());
+                        if (identifier.isSymbolCell())
+                            addToGraph(CheckIsConstant, OpInfo(frozen), property);
+                        else
+                            addToGraph(CheckIdent, OpInfo(uid), property);
+                    } else
+                        addToGraph(CheckIdent, OpInfo(uid), property);
+
+                    handlePutPrivateNameById(base, identifier, identifierNumber, value, status, bytecode.m_putKind);
+                    compiledAsPutPrivateNameById = true;
                 }
             }
 
-            if (tryCompileAsPutByOffset)
-                handlePutPrivateNameById(base, identifier, identifierNumber, value, putByIdStatus, bytecode.m_putKind);
-            else
+            if (!compiledAsPutPrivateNameById)
                 addToGraph(PutPrivateName, OpInfo(), OpInfo(bytecode.m_putKind), base, property, value);
 
@@ -6568 +6557 @@
             bool direct = bytecode.m_flags.isDirect();
 
-            PutByIdStatus putByIdStatus = PutByIdStatus::computeFor(
+            PutByStatus putByStatus = PutByStatus::computeFor(
                 m_inlineStackTop->m_profiledBlock,
                 m_inlineStackTop->m_baselineMap, m_icContextStack,
-                currentCodeOrigin(), m_graph.identifiers()[identifierNumber]);
+                currentCodeOrigin());
             
-            handlePutById(base, CacheableIdentifier::createFromIdentifierOwnedByCodeBlock(m_inlineStackTop->m_profiledBlock, uid), identifierNumber, value, putByIdStatus, direct, nextOpcodeIndex(), bytecode.m_flags.ecmaMode());
+            handlePutById(base, CacheableIdentifier::createFromIdentifierOwnedByCodeBlock(m_inlineStackTop->m_profiledBlock, uid), identifierNumber, value, putByStatus, direct, nextOpcodeIndex(), bytecode.m_flags.ecmaMode());
             NEXT_OPCODE(op_put_by_id);
         }
@@ -7980 +7969 @@
                     addToGraph(ForceOSRExit);
 
-                PutByIdStatus status;
+                PutByStatus status;
                 if (uid)
-                    status = PutByIdStatus::computeFor(globalObject, structure, uid, false, PrivateFieldPutKind::none());
+                    status = PutByStatus::computeFor(globalObject, structure, CacheableIdentifier::createFromIdentifierOwnedByCodeBlock(m_inlineStackTop->m_profiledBlock, uid), false, PrivateFieldPutKind::none());
                 else
-                    status = PutByIdStatus(PutByIdStatus::TakesSlowPath);
+                    status = PutByStatus(PutByStatus::LikelyTakesSlowPath);
                 if (status.numVariants() != 1
-                    || status[0].kind() != PutByIdVariant::Replace
+                    || status[0].kind() != PutByVariant::Replace
                     || status[0].structure().size() != 1) {
                     addToGraph(PutById, OpInfo(CacheableIdentifier::createFromIdentifierOwnedByCodeBlock(m_inlineStackTop->m_profiledBlock, uid)), OpInfo(bytecode.m_getPutInfo.ecmaMode()), get(bytecode.m_scope), get(bytecode.m_value));
@@ -8815 +8804 @@
 void ByteCodeParser::handlePutByVal(Bytecode bytecode, BytecodeIndex osrExitIndex)
 {
+    CodeBlock* codeBlock = m_inlineStackTop->m_codeBlock;
     Node* base = get(bytecode.m_base);
     Node* property = get(bytecode.m_property);
@@ -8820 +8810 @@
     bool isDirect = Bytecode::opcodeID == op_put_by_val_direct;
     bool compiledAsPutById = false;
-    {
-        CacheableIdentifier identifier;
-        unsigned identifierNumber = std::numeric_limits<unsigned>::max();
-        PutByIdStatus putByIdStatus;
-        {
-            ConcurrentJSLocker locker(m_inlineStackTop->m_profiledBlock->m_lock);
-            ByValInfo* byValInfo = m_inlineStackTop->m_baselineMap.get(CodeOrigin(currentCodeOrigin().bytecodeIndex())).byValInfo;
-            // FIXME: When the bytecode is not compiled in the baseline JIT, byValInfo becomes null.
-            // At that time, there is no information.
-            if (byValInfo 
-                && byValInfo->stubInfo
-                && !byValInfo->tookSlowPath
-                && !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadIdent)
-                && !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadType)
-                && !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadConstantValue)) {
-                compiledAsPutById = true;
-                identifier = byValInfo->cachedId;
-                identifierNumber = m_graph.identifiers().ensure(identifier.uid());
-                UniquedStringImpl* uid = m_graph.identifiers()[identifierNumber];
-                FrozenValue* frozen = nullptr;
-                if (identifier.isCell())
-                    frozen = m_graph.freezeStrong(identifier.cell());
-
+
+    PutByStatus status = PutByStatus::computeFor(m_inlineStackTop->m_profiledBlock, m_inlineStackTop->m_baselineMap, m_icContextStack, currentCodeOrigin());
+
+    if (!m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadIdent)
+        && !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadType)
+        && !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadConstantValue)) {
+        if (CacheableIdentifier identifier = status.singleIdentifier()) {
+            UniquedStringImpl* uid = identifier.uid();
+            unsigned identifierNumber = m_graph.identifiers().ensure(uid);
+            if (identifier.isCell()) {
+                FrozenValue* frozen = m_graph.freezeStrong(identifier.cell());
                 if (identifier.isSymbolCell())
                     addToGraph(CheckIsConstant, OpInfo(frozen), property);
-                else {
-                    ASSERT(!uid->isSymbol());
+                else
+                    addToGraph(CheckIdent, OpInfo(uid), property);
+            } else
+                addToGraph(CheckIdent, OpInfo(uid), property);
+
+            handlePutById(base, identifier, identifierNumber, value, status, isDirect, osrExitIndex, bytecode.m_ecmaMode);
+            compiledAsPutById = true;
+        } else if (status.takesSlowPath()) {
+            // Even though status is taking a slow path, it is possible that this node still has constant identifier and using PutById is always better in that case.
+            UniquedStringImpl* uid = nullptr;
+            JSCell* propertyCell = nullptr;
+            if (auto* symbol = property->dynamicCastConstant<Symbol*>(*m_vm)) {
+                uid = &symbol->uid();
+                propertyCell = symbol;
+                FrozenValue* frozen = m_graph.freezeStrong(symbol);
+                addToGraph(CheckIsConstant, OpInfo(frozen), property);
+            } else if (auto* string = property->dynamicCastConstant<JSString*>(*m_vm)) {
+                if (auto* impl = string->tryGetValueImpl(); impl->isAtom() && !parseIndex(*const_cast<StringImpl*>(impl))) {
+                    uid = bitwise_cast<UniquedStringImpl*>(impl);
+                    propertyCell = string;
+                    m_graph.freezeStrong(string);
                     addToGraph(CheckIdent, OpInfo(uid), property);
                 }
-
-                putByIdStatus = PutByIdStatus::computeForStubInfo(
-                    locker, m_inlineStackTop->m_profiledBlock,
-                    byValInfo->stubInfo, currentCodeOrigin(), uid);
-
-            }
-        }
-
-        if (compiledAsPutById)
-            handlePutById(base, identifier, identifierNumber, value, putByIdStatus, isDirect, osrExitIndex, bytecode.m_ecmaMode);
+            }
+
+            if (uid) {
+                unsigned identifierNumber = m_graph.identifiers().ensure(uid);
+                handlePutById(base, CacheableIdentifier::createFromCell(propertyCell), identifierNumber, value, status, isDirect, osrExitIndex, bytecode.m_ecmaMode);
+                compiledAsPutById = true;
+            }
+        }
     }
 
     if (!compiledAsPutById) {
-        ArrayMode arrayMode = getArrayMode(bytecode.metadata(m_inlineStackTop->m_codeBlock).m_arrayProfile, Array::Write);
+        ArrayMode arrayMode = getArrayMode(bytecode.metadata(codeBlock).m_arrayProfile, Array::Write);
 
         addVarArgChild(base);
@@ -8869 +8864 @@
         addVarArgChild(nullptr); // Leave room for property storage.
         addVarArgChild(nullptr); // Leave room for length.
-        addToGraph(Node::VarArg, isDirect ? PutByValDirect : PutByVal, OpInfo(arrayMode.asWord()), OpInfo(bytecode.m_ecmaMode));
+        Node* putByVal = addToGraph(Node::VarArg, isDirect ? PutByValDirect : PutByVal, OpInfo(arrayMode.asWord()), OpInfo(bytecode.m_ecmaMode));
         m_exitOK = false; // PutByVal and PutByValDirect must be treated as if they clobber exit state, since FixupPhase may make them generic.
+        if (status.observedStructureStubInfoSlowPath())
+            m_graph.m_slowPutByVal.add(putByVal);
     }
 }

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -570 +570 @@
     case FilterCallLinkStatus:
     case FilterGetByStatus:
-    case FilterPutByIdStatus:
+    case FilterPutByStatus:
     case FilterInByStatus:
     case FilterDeleteByStatus:

trunk/Source/JavaScriptCore/dfg/DFGClobbersExitState.cpp

@@ -82 +82 @@
     case FilterCallLinkStatus:
     case FilterGetByStatus:
-    case FilterPutByIdStatus:
+    case FilterPutByStatus:
     case FilterInByStatus:
     case FilterDeleteByStatus:

trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

@@ -39 +39 @@
 #include "GetByStatus.h"
 #include "JSCInlines.h"
-#include "PutByIdStatus.h"
+#include "PutByStatus.h"
 #include "StructureCache.h"
 
@@ -502 +502 @@
 
                 for (unsigned i = 0; i < data.variants.size(); ++i) {
-                    PutByIdVariant& variant = data.variants[i];
+                    PutByVariant& variant = data.variants[i];
                     variant.oldStructure().genericFilter([&] (Structure* structure) -> bool {
                         return baseValue.contains(m_graph.registerStructure(structure));
@@ -514 +514 @@
                     }
                     
-                    if (variant.kind() == PutByIdVariant::Transition
+                    if (variant.kind() == PutByVariant::Transition
                         && variant.oldStructure().onlyStructure() == variant.newStructure()) {
-                        variant = PutByIdVariant::replace(
-                            variant.oldStructure(),
-                            variant.offset());
+                        variant = PutByVariant::replace(variant.identifier(), variant.oldStructure(), variant.offset());
                         changed = true;
                     }
@@ -1214 +1212 @@
     }
 
-    void emitPutByOffset(unsigned indexInBlock, Node* node, const AbstractValue& baseValue, const PutByIdVariant& variant, unsigned identifierNumber)
+    void emitPutByOffset(unsigned indexInBlock, Node* node, const AbstractValue& baseValue, const PutByVariant& variant, unsigned identifierNumber)
     {
         NodeOrigin origin = node->origin;
@@ -1225 +1223 @@
 
         Transition* transition = nullptr;
-        if (variant.kind() == PutByIdVariant::Transition) {
+        if (variant.kind() == PutByVariant::Transition) {
             transition = m_graph.m_transitions.add(
                 m_graph.registerStructure(variant.oldStructureForTransition()), m_graph.registerStructure(variant.newStructure()));
@@ -1270 +1268 @@
         node->origin.exitOK = canExit;
 
-        if (variant.kind() == PutByIdVariant::Transition) {
+        if (variant.kind() == PutByVariant::Transition) {
             if (didAllocateStorage) {
                 m_insertionSet.insertNode(
@@ -1407 +1405 @@
             return;
 
-        PutByIdStatus status = PutByIdStatus::computeFor(
+        PutByStatus status = PutByStatus::computeFor(
             m_graph.globalObjectFor(origin.semantic),
             baseValue.m_structure.toStructureSet(),
-            node->cacheableIdentifier().uid(),
+            node->cacheableIdentifier(),
             isDirect, privateFieldPutKind);
 
@@ -1425 +1423 @@
         RegisteredStructureSet newSet;
         TransitionVector transitions;
-        for (const PutByIdVariant& variant : status.variants()) {
-            if (variant.kind() == PutByIdVariant::Transition) {
+        for (const PutByVariant& variant : status.variants()) {
+            if (variant.kind() == PutByVariant::Transition) {
                 for (const ObjectPropertyCondition& condition : variant.conditionSet()) {
                     if (m_graph.watchCondition(condition))
@@ -1449 +1447 @@
                 newSet.add(newStructure);
             } else {
-                ASSERT(variant.kind() == PutByIdVariant::Replace);
+                ASSERT(variant.kind() == PutByVariant::Replace);
                 ASSERT(privateFieldPutKind.isNone() || privateFieldPutKind.isSet());
                 DFG_ASSERT(m_graph, node, variant.conditionSet().isEmpty());
@@ -1465 +1463 @@
 
         m_insertionSet.insertNode(
-            indexInBlock, SpecNone, FilterPutByIdStatus, node->origin,
-            OpInfo(m_graph.m_plan.recordedStatuses().addPutByIdStatus(node->origin.semantic, status)),
+            indexInBlock, SpecNone, FilterPutByStatus, node->origin,
+            OpInfo(m_graph.m_plan.recordedStatuses().addPutByStatus(node->origin.semantic, status)),
             Edge(baseNode));
 

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -248 +248 @@
     case FilterCallLinkStatus:
     case FilterGetByStatus:
-    case FilterPutByIdStatus:
+    case FilterPutByStatus:
     case FilterInByStatus:
     case FilterDeleteByStatus:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -1235 +1235 @@
                         fixEdge<CellUse>(child1);
                         fixEdge<SymbolUse>(child2);
+                        break;
+                    }
+                    if (!m_graph.m_slowPutByVal.contains(node)) {
+                        fixEdge<CellUse>(child1);
                         break;
                     }
@@ -2866 +2870 @@
         case FilterCallLinkStatus:
         case FilterGetByStatus:
-        case FilterPutByIdStatus:
+        case FilterPutByStatus:
         case FilterInByStatus:
         case FilterDeleteByStatus:

trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp

@@ -386 +386 @@
     if (node->hasInByStatus())
         out.print(comma, *node->inByStatus());
-    if (node->hasPutByIdStatus())
-        out.print(comma, *node->putByIdStatus());
+    if (node->hasPutByStatus())
+        out.print(comma, *node->putByStatus());
     if (node->hasEnumeratorMetadata())
         out.print(comma, "enumeratorModes = ", node->enumeratorMetadata().toRaw());

trunk/Source/JavaScriptCore/dfg/DFGGraph.h

@@ -1203 +1203 @@
 
     HashSet<Node*> m_slowGetByVal;
+    HashSet<Node*> m_slowPutByVal;
 
 private:

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp

@@ -253 +253 @@
     finalizeInlineCaches(m_getByVals, linkBuffer);
     finalizeInlineCaches(m_putByIds, linkBuffer);
+    finalizeInlineCaches(m_putByVals, linkBuffer);
     finalizeInlineCaches(m_delByIds, linkBuffer);
     finalizeInlineCaches(m_delByVals, linkBuffer);

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h

@@ -200 +200 @@
     }
 
+    void addPutByVal(const JITPutByValGenerator& gen, SlowPathGenerator* slowPath)
+    {
+        m_putByVals.append(InlineCacheWrapper<JITPutByValGenerator>(gen, slowPath));
+    }
+
     void addDelById(const JITDelByIdGenerator& gen, SlowPathGenerator* slowPath)
     {
@@ -361 +366 @@
     Vector<InlineCacheWrapper<JITGetByValGenerator>, 4> m_getByVals;
     Vector<InlineCacheWrapper<JITPutByIdGenerator>, 4> m_putByIds;
+    Vector<InlineCacheWrapper<JITPutByValGenerator>, 4> m_putByVals;
     Vector<InlineCacheWrapper<JITDelByIdGenerator>, 4> m_delByIds;
     Vector<InlineCacheWrapper<JITDelByValGenerator>, 4> m_delByVals;

trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp

@@ -107 +107 @@
     case FilterCallLinkStatus:
     case FilterGetByStatus:
-    case FilterPutByIdStatus:
+    case FilterPutByStatus:
     case FilterInByStatus:
     case FilterDeleteByStatus:

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -56 +56 @@
 #include "Operands.h"
 #include "PrivateFieldPutKind.h"
-#include "PutByIdVariant.h"
+#include "PutByVariant.h"
 #include "SetPrivateBrandVariant.h"
 #include "SpeculatedType.h"
@@ -93 +93 @@
 struct MultiPutByOffsetData {
     unsigned identifierNumber;
-    Vector<PutByIdVariant, 2> variants;
+    Vector<PutByVariant, 2> variants;
     
     bool writesStructures() const;
@@ -3211 +3211 @@
     }
     
-    bool hasPutByIdStatus()
-    {
-        return op() == FilterPutByIdStatus;
-    }
-    
-    PutByIdStatus* putByIdStatus()
-    {
-        ASSERT(hasPutByIdStatus());
-        return m_opInfo.as<PutByIdStatus*>();
+    bool hasPutByStatus()
+    {
+        return op() == FilterPutByStatus;
+    }
+    
+    PutByStatus* putByStatus()
+    {
+        ASSERT(hasPutByStatus());
+        return m_opInfo.as<PutByStatus*>();
     }
 

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -547 +547 @@
     macro(FilterGetByStatus, NodeMustGenerate) \
     macro(FilterInByStatus, NodeMustGenerate) \
-    macro(FilterPutByIdStatus, NodeMustGenerate) \
+    macro(FilterPutByStatus, NodeMustGenerate) \
     macro(FilterDeleteByStatus, NodeMustGenerate) \
     macro(FilterCheckPrivateBrandStatus, NodeMustGenerate) \

trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp

@@ -216 +216 @@
         case InlineCallFrame::GetterCall:
         case InlineCallFrame::SetterCall: {
-            if (callInstruction.opcodeID() == op_put_by_val) {
-                // We compile op_put_by_val as PutById and inlines SetterCall only when we found StructureStubInfo for this op_put_by_val.
-                // But still it is possible that we cannot find StructureStubInfo here. Let's consider the following scenario.
-                // 1. Baseline CodeBlock (A) is compiled.
-                // 2. (A) gets DFG (B).
-                // 3. Since (A) collects enough information for put_by_val, (B) can get StructureStubInfo from (A) and copmile it as inlined Setter call.
-                // 4. (A)'s JITData is destroyed since it is not executed. Then, (A) becomes LLInt.
-                // 5. The CodeBlock inlining (A) gets OSR exit. So (A) is executed and (A) eventually gets Baseline CodeBlock again.
-                // 6. (B) gets OSR exit. (B) attempts to search for StructureStubInfo in (A) for PutById (originally, put_by_val). But it does not exist since (A)'s JITData is cleared once.
-                ByValInfo* byValInfo = baselineCodeBlockForCaller->findByValInfo(CodeOrigin(callBytecodeIndex));
-                RELEASE_ASSERT(byValInfo);
-                jumpTarget = byValInfo->doneTarget.retagged<JSEntryPtrTag>();
-                break;
-            }
-
             StructureStubInfo* stubInfo = baselineCodeBlockForCaller->findStubInfo(CodeOrigin(callBytecodeIndex));
             RELEASE_ASSERT(stubInfo);

trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp

@@ -1259 +1259 @@
         case FilterCallLinkStatus:
         case FilterGetByStatus:
-        case FilterPutByIdStatus:
+        case FilterPutByStatus:
         case FilterInByStatus:
         case FilterDeleteByStatus:
@@ -2555 +2555 @@
                         // at this point, we can simply trust that the incoming value has the right type
                         // for whatever structure we are using.
-                        data->variants.append(
-                            PutByIdVariant::replace(currentSet, currentOffset));
+                        data->variants.append(PutByVariant::replace(nullptr, currentSet, currentOffset));
                         currentOffset = offset;
                         currentSet.clear();
@@ -2562 +2561 @@
                     currentSet.add(structure.get());
                 }
-                data->variants.append(
-                    PutByIdVariant::replace(currentSet, currentOffset));
+                data->variants.append(PutByVariant::replace(nullptr, currentSet, currentOffset));
             }
 
@@ -2616 +2614 @@
                 case FilterCallLinkStatus:
                 case FilterGetByStatus:
-                case FilterPutByIdStatus:
+                case FilterPutByStatus:
                 case FilterInByStatus:
                 case FilterDeleteByStatus:

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -1450 +1450 @@
         case FilterCallLinkStatus:
         case FilterGetByStatus:
-        case FilterPutByIdStatus:
+        case FilterPutByStatus:
         case FilterInByStatus:
         case FilterDeleteByStatus:

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -360 +360 @@
     case FilterCallLinkStatus:
     case FilterGetByStatus:
-    case FilterPutByIdStatus:
+    case FilterPutByStatus:
     case FilterInByStatus:
     case FilterDeleteByStatus:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -2691 +2691 @@
         case Array::Generic: {
             ASSERT(node->op() == PutByVal || node->op() == PutByValDirect);
-
-            if (child1.useKind() == CellUse) {
-                if (child2.useKind() == StringUse) {
-                    compilePutByValForCellWithString(node, child1, child2, child3);
-                    alreadyHandled = true;
-                    break;
+            if (m_graph.m_slowPutByVal.contains(node)) {
+                if (child1.useKind() == CellUse) {
+                    if (child2.useKind() == StringUse) {
+                        compilePutByValForCellWithString(node, child1, child2, child3);
+                        alreadyHandled = true;
+                        break;
+                    }
+
+                    if (child2.useKind() == SymbolUse) {
+                        compilePutByValForCellWithSymbol(node, child1, child2, child3);
+                        alreadyHandled = true;
+                        break;
+                    }
                 }
 
-                if (child2.useKind() == SymbolUse) {
-                    compilePutByValForCellWithSymbol(node, child1, child2, child3);
-                    alreadyHandled = true;
-                    break;
-                }
+                SpeculateCellOperand base(this, child1); // Save a register, speculate cell. We'll probably be right.
+                JSValueOperand property(this, child2);
+                JSValueOperand value(this, child3);
+                GPRReg baseGPR = base.gpr();
+                JSValueRegs propertyRegs = property.jsValueRegs();
+                JSValueRegs valueRegs = value.jsValueRegs();
+
+                flushRegisters();
+                if (node->op() == PutByValDirect)
+                    callOperation(node->ecmaMode().isStrict() ? operationPutByValDirectCellStrict : operationPutByValDirectCellNonStrict, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseGPR, propertyRegs, valueRegs);
+                else
+                    callOperation(node->ecmaMode().isStrict() ? operationPutByValCellStrict : operationPutByValCellNonStrict, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseGPR, propertyRegs, valueRegs);
+                m_jit.exceptionCheck();
+
+                noResult(node);
+                alreadyHandled = true;
+                break;
             }
-            
-            SpeculateCellOperand base(this, child1); // Save a register, speculate cell. We'll probably be right.
-            JSValueOperand property(this, child2);
-            JSValueOperand value(this, child3);
-            GPRReg baseGPR = base.gpr();
+
+            JSValueOperand base(this, child1, ManualOperandSpeculation);
+            JSValueOperand property(this, child2, ManualOperandSpeculation);
+            JSValueOperand value(this, child3, ManualOperandSpeculation);
+            JSValueRegs baseRegs = base.jsValueRegs();
             JSValueRegs propertyRegs = property.jsValueRegs();
             JSValueRegs valueRegs = value.jsValueRegs();
-            
-            flushRegisters();
-            if (node->op() == PutByValDirect)
-                callOperation(node->ecmaMode().isStrict() ? operationPutByValDirectCellStrict : operationPutByValDirectCellNonStrict, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseGPR, propertyRegs, valueRegs);
-            else
-                callOperation(node->ecmaMode().isStrict() ? operationPutByValCellStrict : operationPutByValCellNonStrict, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseGPR, propertyRegs, valueRegs);
-            m_jit.exceptionCheck();
-            
+
+            speculate(node, child1);
+            speculate(node, child2);
+            speculate(node, child3);
+
+            CodeOrigin codeOrigin = node->origin.semantic;
+            CallSiteIndex callSite = m_jit.recordCallSiteAndGenerateExceptionHandlingOSRExitIfNeeded(codeOrigin, m_stream->size());
+            RegisterSet usedRegisters = this->usedRegisters();
+            bool isDirect = node->op() == PutByValDirect;
+            ECMAMode ecmaMode = node->ecmaMode();
+
+            JITPutByValGenerator gen(
+                m_jit.codeBlock(), JITType::DFGJIT, codeOrigin, callSite, AccessType::PutByVal, usedRegisters,
+                baseRegs, propertyRegs, valueRegs, InvalidGPRReg, InvalidGPRReg);
+
+            if (m_state.forNode(child2).isType(SpecString))
+                gen.stubInfo()->propertyIsString = true;
+            else if (m_state.forNode(child2).isType(SpecInt32Only))
+                gen.stubInfo()->propertyIsInt32 = true;
+            else if (m_state.forNode(child2).isType(SpecSymbol))
+                gen.stubInfo()->propertyIsSymbol = true;
+
+            gen.generateFastPath(m_jit);
+
+            JITCompiler::JumpList slowCases;
+            slowCases.append(gen.slowPathJump());
+
+            std::unique_ptr<SlowPathGenerator> slowPath;
+            auto operation = isDirect ? (ecmaMode.isStrict() ? operationDirectPutByValStrictOptimize : operationDirectPutByValNonStrictOptimize) : (ecmaMode.isStrict() ? operationPutByValStrictOptimize : operationPutByValNonStrictOptimize);
+            slowPath = slowPathCall(
+                slowCases, this, operation,
+                NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(codeOrigin)), baseRegs, propertyRegs, valueRegs, gen.stubInfo(), nullptr);
+
+            m_jit.addPutByVal(gen, slowPath.get());
+            addSlowPathGenerator(WTFMove(slowPath));
+
             noResult(node);
             alreadyHandled = true;
@@ -4323 +4370 @@
     case FilterCallLinkStatus:
     case FilterGetByStatus:
-    case FilterPutByIdStatus:
+    case FilterPutByStatus:
     case FilterInByStatus:
     case FilterDeleteByStatus:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -3178 +3178 @@
         case Array::Generic: {
             DFG_ASSERT(m_jit.graph(), node, node->op() == PutByVal || node->op() == PutByValDirect, node->op());
-
-            if (child1.useKind() == CellUse) {
-                if (child2.useKind() == StringUse) {
-                    compilePutByValForCellWithString(node, child1, child2, child3);
-                    alreadyHandled = true;
-                    break;
+            if (m_graph.m_slowPutByVal.contains(node) || (child1.useKind() != CellUse && child1.useKind() != KnownCellUse)) {
+                if (child1.useKind() == CellUse) {
+                    if (child2.useKind() == StringUse) {
+                        compilePutByValForCellWithString(node, child1, child2, child3);
+                        alreadyHandled = true;
+                        break;
+                    }
+
+                    if (child2.useKind() == SymbolUse) {
+                        compilePutByValForCellWithSymbol(node, child1, child2, child3);
+                        alreadyHandled = true;
+                        break;
+                    }
                 }
 
-                if (child2.useKind() == SymbolUse) {
-                    compilePutByValForCellWithSymbol(node, child1, child2, child3);
-                    alreadyHandled = true;
-                    break;
-                }
+                JSValueOperand arg1(this, child1);
+                JSValueOperand arg2(this, child2);
+                JSValueOperand arg3(this, child3);
+                GPRReg arg1GPR = arg1.gpr();
+                GPRReg arg2GPR = arg2.gpr();
+                GPRReg arg3GPR = arg3.gpr();
+                flushRegisters();
+                if (node->op() == PutByValDirect)
+                    callOperation(node->ecmaMode().isStrict() ? operationPutByValDirectStrict : operationPutByValDirectNonStrict, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), arg1GPR, arg2GPR, arg3GPR);
+                else
+                    callOperation(node->ecmaMode().isStrict() ? operationPutByValStrict : operationPutByValNonStrict, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), arg1GPR, arg2GPR, arg3GPR);
+                m_jit.exceptionCheck();
+
+                noResult(node);
+                alreadyHandled = true;
+                break;
             }
-            
-            JSValueOperand arg1(this, child1);
-            JSValueOperand arg2(this, child2);
-            JSValueOperand arg3(this, child3);
-            GPRReg arg1GPR = arg1.gpr();
-            GPRReg arg2GPR = arg2.gpr();
-            GPRReg arg3GPR = arg3.gpr();
-            flushRegisters();
-            if (node->op() == PutByValDirect)
-                callOperation(node->ecmaMode().isStrict() ? operationPutByValDirectStrict : operationPutByValDirectNonStrict, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), arg1GPR, arg2GPR, arg3GPR);
-            else
-                callOperation(node->ecmaMode().isStrict() ? operationPutByValStrict : operationPutByValNonStrict, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), arg1GPR, arg2GPR, arg3GPR);
-            m_jit.exceptionCheck();
-            
+
+            SpeculateCellOperand base(this, child1);
+            JSValueOperand property(this, child2, ManualOperandSpeculation);
+            JSValueOperand value(this, child3, ManualOperandSpeculation);
+            GPRReg baseGPR = base.gpr();
+            GPRReg propertyGPR = property.gpr();
+            GPRReg valueGPR = value.gpr();
+
+            GPRTemporary stubInfo;
+            GPRReg stubInfoGPR = InvalidGPRReg;
+            if (JITCode::useDataIC(JITType::DFGJIT)) {
+                stubInfo = GPRTemporary(this);
+                stubInfoGPR = stubInfo.gpr();
+            }
+
+            speculate(node, child2);
+            speculate(node, child3);
+
+            CodeOrigin codeOrigin = node->origin.semantic;
+            CallSiteIndex callSite = m_jit.recordCallSiteAndGenerateExceptionHandlingOSRExitIfNeeded(codeOrigin, m_stream->size());
+            RegisterSet usedRegisters = this->usedRegisters();
+            bool isDirect = node->op() == PutByValDirect;
+            ECMAMode ecmaMode = node->ecmaMode();
+
+            JITPutByValGenerator gen(
+                m_jit.codeBlock(), JITType::DFGJIT, codeOrigin, callSite, AccessType::PutByVal, usedRegisters,
+                JSValueRegs(baseGPR), JSValueRegs(propertyGPR), JSValueRegs(valueGPR), InvalidGPRReg, stubInfoGPR);
+
+            if (m_state.forNode(child2).isType(SpecString))
+                gen.stubInfo()->propertyIsString = true;
+            else if (m_state.forNode(child2).isType(SpecInt32Only))
+                gen.stubInfo()->propertyIsInt32 = true;
+            else if (m_state.forNode(child2).isType(SpecSymbol))
+                gen.stubInfo()->propertyIsSymbol = true;
+
+            gen.generateFastPath(m_jit);
+
+            JITCompiler::JumpList slowCases;
+            if (!JITCode::useDataIC(JITType::DFGJIT))
+                slowCases.append(gen.slowPathJump());
+
+            std::unique_ptr<SlowPathGenerator> slowPath;
+            auto operation = isDirect ? (ecmaMode.isStrict() ? operationDirectPutByValStrictOptimize : operationDirectPutByValNonStrictOptimize) : (ecmaMode.isStrict() ? operationPutByValStrictOptimize : operationPutByValNonStrictOptimize);
+            if (JITCode::useDataIC(JITType::DFGJIT)) {
+                slowPath = slowPathICCall(
+                    slowCases, this, gen.stubInfo(), stubInfoGPR, CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfSlowOperation()), operation,
+                    NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(codeOrigin)), baseGPR, propertyGPR, valueGPR, stubInfoGPR, nullptr);
+            } else {
+                slowPath = slowPathCall(
+                    slowCases, this, operation,
+                    NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(codeOrigin)), baseGPR, propertyGPR, valueGPR, gen.stubInfo(), nullptr);
+            }
+
+            m_jit.addPutByVal(gen, slowPath.get());
+            addSlowPathGenerator(WTFMove(slowPath));
+
             noResult(node);
             alreadyHandled = true;
@@ -5872 +5932 @@
     case FilterCallLinkStatus:
     case FilterGetByStatus:
-    case FilterPutByIdStatus:
+    case FilterPutByStatus:
     case FilterInByStatus:
     case FilterDeleteByStatus:

trunk/Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp

@@ -234 +234 @@
             case PutByValAlias: {
                 switch (m_node->arrayMode().modeForPut().type()) {
+                case Array::Generic:
+                case Array::BigInt64Array:
+                case Array::BigUint64Array: {
+                    Edge child1 = m_graph.varArgChild(m_node, 0);
+                    Edge child3 = m_graph.varArgChild(m_node, 2);
+                    if (!m_graph.m_slowPutByVal.contains(m_node) && (child1.useKind() == CellUse || child1.useKind() == KnownCellUse))
+                        considerBarrier(child1, child3);
+                    break;
+                }
                 case Array::Contiguous:
                 case Array::ArrayStorage:

trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp

@@ -313 +313 @@
                 case MultiPutByOffset:
                     for (unsigned i = node->multiPutByOffsetData().variants.size(); i--;) {
-                        const PutByIdVariant& variant = node->multiPutByOffsetData().variants[i];
-                        if (variant.kind() != PutByIdVariant::Transition)
+                        const PutByVariant& variant = node->multiPutByOffsetData().variants[i];
+                        if (variant.kind() != PutByVariant::Transition)
                             continue;
                         VALIDATE((node), !variant.oldStructureForTransition()->dfgShouldWatch());

trunk/Source/JavaScriptCore/dfg/DFGVarargsForwardingPhase.cpp

@@ -197 +197 @@
                 
             case FilterGetByStatus:
-            case FilterPutByIdStatus:
+            case FilterPutByStatus:
             case FilterCallLinkStatus:
             case FilterInByStatus:
@@ -422 +422 @@
 
             case FilterGetByStatus:
-            case FilterPutByIdStatus:
+            case FilterPutByStatus:
             case FilterCallLinkStatus:
             case FilterInByStatus:

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -408 +408 @@
     case FilterCallLinkStatus:
     case FilterGetByStatus:
-    case FilterPutByIdStatus:
+    case FilterPutByStatus:
     case FilterInByStatus:
     case FilterDeleteByStatus:

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -1650 +1650 @@
         case FilterCallLinkStatus:
         case FilterGetByStatus:
-        case FilterPutByIdStatus:
+        case FilterPutByStatus:
         case FilterInByStatus:
         case FilterDeleteByStatus:
@@ -5557 +5557 @@
         case Array::BigUint64Array:
         case Array::Generic: {
-            if (child1.useKind() == CellUse) {
-                V_JITOperation_GCCJ operation = nullptr;
-                if (child2.useKind() == StringUse) {
-                    if (m_node->op() == PutByValDirect) {
-                        if (m_node->ecmaMode().isStrict())
-                            operation = operationPutByValDirectCellStringStrict;
-                        else
-                            operation = operationPutByValDirectCellStringNonStrict;
+            if (m_graph.m_slowPutByVal.contains(m_node) || (child1.useKind() != CellUse && child1.useKind() != KnownCellUse)) {
+                if (child1.useKind() == CellUse) {
+                    V_JITOperation_GCCJ operation = nullptr;
+                    if (child2.useKind() == StringUse) {
+                        if (m_node->op() == PutByValDirect) {
+                            if (m_node->ecmaMode().isStrict())
+                                operation = operationPutByValDirectCellStringStrict;
+                            else
+                                operation = operationPutByValDirectCellStringNonStrict;
+                        } else {
+                            if (m_node->ecmaMode().isStrict())
+                                operation = operationPutByValCellStringStrict;
+                            else
+                                operation = operationPutByValCellStringNonStrict;
+                        }
+                        vmCall(Void, operation, weakPointer(globalObject), lowCell(child1), lowString(child2), lowJSValue(child3));
+                        return;
+                    }
+
+                    if (child2.useKind() == SymbolUse) {
+                        if (m_node->op() == PutByValDirect) {
+                            if (m_node->ecmaMode().isStrict())
+                                operation = operationPutByValDirectCellSymbolStrict;
+                            else
+                                operation = operationPutByValDirectCellSymbolNonStrict;
+                        } else {
+                            if (m_node->ecmaMode().isStrict())
+                                operation = operationPutByValCellSymbolStrict;
+                            else
+                                operation = operationPutByValCellSymbolNonStrict;
+                        }
+                        vmCall(Void, operation, weakPointer(globalObject), lowCell(child1), lowSymbol(child2), lowJSValue(child3));
+                        return;
+                    }
+                }
+
+                V_JITOperation_GJJJ operation;
+                if (m_node->op() == PutByValDirect) {
+                    if (m_node->ecmaMode().isStrict())
+                        operation = operationPutByValDirectStrict;
+                    else
+                        operation = operationPutByValDirectNonStrict;
+                } else {
+                    if (m_node->ecmaMode().isStrict())
+                        operation = operationPutByValStrict;
+                    else
+                        operation = operationPutByValNonStrict;
+                }
+
+                vmCall(
+                    Void, operation, weakPointer(globalObject),
+                    lowJSValue(child1), lowJSValue(child2), lowJSValue(child3));
+                return;
+            }
+
+            Node* node = m_node;
+
+            LValue base = lowCell(child1);
+            LValue property = lowJSValue(child2, ManualOperandSpeculation);
+            LValue value = lowJSValue(child3, ManualOperandSpeculation);
+
+            speculate(child2);
+            speculate(child3);
+            bool propertyIsString = false;
+            bool propertyIsInt32 = false;
+            bool propertyIsSymbol = false;
+            if (abstractValue(child2).isType(SpecString))
+                propertyIsString = true;
+            else if (abstractValue(child2).isType(SpecInt32Only))
+                propertyIsInt32 = true;
+            else if (abstractValue(child2).isType(SpecSymbol))
+                propertyIsSymbol = true;
+
+            PatchpointValue* patchpoint = m_out.patchpoint(Void);
+            patchpoint->appendSomeRegister(base);
+            patchpoint->appendSomeRegister(property);
+            patchpoint->appendSomeRegister(value);
+            patchpoint->append(m_notCellMask, ValueRep::lateReg(GPRInfo::notCellMaskRegister));
+            patchpoint->append(m_numberTag, ValueRep::lateReg(GPRInfo::numberTagRegister));
+            patchpoint->clobber(RegisterSet::macroScratchRegisters());
+            patchpoint->numGPScratchRegisters = JITCode::useDataIC(JITType::FTLJIT) ? 1 : 0;
+
+            RefPtr<PatchpointExceptionHandle> exceptionHandle = preparePatchpointForExceptions(patchpoint);
+
+            State* state = &m_ftlState;
+            CodeOrigin nodeSemanticOrigin = node->origin.semantic;
+            ECMAMode ecmaMode = m_node->ecmaMode();
+            bool isDirect = m_node->op() == PutByValDirect;
+            patchpoint->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
+                AllowMacroScratchRegisterUsage allowScratch(jit);
+
+                CallSiteIndex callSiteIndex = state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(nodeSemanticOrigin);
+
+                // This is the direct exit target for operation calls.
+                Box<CCallHelpers::JumpList> exceptions = exceptionHandle->scheduleExitCreation(params)->jumps(jit);
+
+                // This is the exit for call IC's created by the IC for getters. We don't have
+                // to do anything weird other than call this, since it will associate the exit with
+                // the callsite index.
+                exceptionHandle->scheduleExitCreationForUnwind(params, callSiteIndex);
+
+                GPRReg baseGPR = params[0].gpr();
+                GPRReg propertyGPR = params[1].gpr();
+                GPRReg valueGPR = params[2].gpr();
+                GPRReg stubInfoGPR = JITCode::useDataIC(JITType::FTLJIT) ? params.gpScratch(0) : InvalidGPRReg;
+
+                auto generator = Box<JITPutByValGenerator>::create(
+                    jit.codeBlock(), JITType::FTLJIT, nodeSemanticOrigin, callSiteIndex, AccessType::PutByVal,
+                    params.unavailableRegisters(), JSValueRegs(baseGPR), JSValueRegs(propertyGPR), JSValueRegs(valueGPR), InvalidGPRReg, stubInfoGPR);
+
+                generator->stubInfo()->propertyIsString = propertyIsString;
+                generator->stubInfo()->propertyIsInt32 = propertyIsInt32;
+                generator->stubInfo()->propertyIsSymbol = propertyIsSymbol;
+
+                generator->generateFastPath(jit);
+                CCallHelpers::Label done = jit.label();
+
+                params.addLatePath([=] (CCallHelpers& jit) {
+                    AllowMacroScratchRegisterUsage allowScratch(jit);
+
+                    if (!JITCode::useDataIC(JITType::FTLJIT))
+                        generator->slowPathJump().link(&jit);
+                    CCallHelpers::Label slowPathBegin = jit.label();
+                    CCallHelpers::Call slowPathCall;
+                    auto operation = isDirect ? (ecmaMode.isStrict() ? operationDirectPutByValStrictOptimize : operationDirectPutByValNonStrictOptimize) : (ecmaMode.isStrict() ? operationPutByValStrictOptimize : operationPutByValNonStrictOptimize);
+                    if (JITCode::useDataIC(JITType::FTLJIT)) {
+                        jit.move(CCallHelpers::TrustedImmPtr(generator->stubInfo()), stubInfoGPR);
+                        generator->stubInfo()->m_slowOperation = operation;
+                        slowPathCall = callOperation(
+                            *state, params.unavailableRegisters(), jit, nodeSemanticOrigin,
+                            exceptions.get(), CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfSlowOperation()), InvalidGPRReg,
+                            jit.codeBlock()->globalObjectFor(nodeSemanticOrigin),
+                            baseGPR, propertyGPR, valueGPR, stubInfoGPR, CCallHelpers::TrustedImmPtr(nullptr)).call();
                     } else {
-                        if (m_node->ecmaMode().isStrict())
-                            operation = operationPutByValCellStringStrict;
-                        else
-                            operation = operationPutByValCellStringNonStrict;
+                        slowPathCall = callOperation(
+                            *state, params.unavailableRegisters(), jit, nodeSemanticOrigin,
+                            exceptions.get(), operation, InvalidGPRReg,
+                            jit.codeBlock()->globalObjectFor(nodeSemanticOrigin),
+                            baseGPR, propertyGPR, valueGPR, CCallHelpers::TrustedImmPtr(generator->stubInfo()), CCallHelpers::TrustedImmPtr(nullptr)).call();
                     }
-                    vmCall(Void, operation, weakPointer(globalObject), lowCell(child1), lowString(child2), lowJSValue(child3));
-                    return;
-                }
-
-                if (child2.useKind() == SymbolUse) {
-                    if (m_node->op() == PutByValDirect) {
-                        if (m_node->ecmaMode().isStrict())
-                            operation = operationPutByValDirectCellSymbolStrict;
-                        else
-                            operation = operationPutByValDirectCellSymbolNonStrict;
-                    } else {
-                        if (m_node->ecmaMode().isStrict())
-                            operation = operationPutByValCellSymbolStrict;
-                        else
-                            operation = operationPutByValCellSymbolNonStrict;
-                    }
-                    vmCall(Void, operation, weakPointer(globalObject), lowCell(child1), lowSymbol(child2), lowJSValue(child3));
-                    return;
-                }
-            }
-
-            V_JITOperation_GJJJ operation;
-            if (m_node->op() == PutByValDirect) {
-                if (m_node->ecmaMode().isStrict())
-                    operation = operationPutByValDirectStrict;
-                else
-                    operation = operationPutByValDirectNonStrict;
-            } else {
-                if (m_node->ecmaMode().isStrict())
-                    operation = operationPutByValStrict;
-                else
-                    operation = operationPutByValNonStrict;
-            }
-                
-            vmCall(
-                Void, operation, weakPointer(globalObject),
-                lowJSValue(child1), lowJSValue(child2), lowJSValue(child3));
+                    jit.jump().linkTo(done, &jit);
+
+                    generator->reportSlowPathCall(slowPathBegin, slowPathCall);
+
+                    jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
+                        generator->finalize(linkBuffer, linkBuffer);
+                    });
+                });
+            });
             return;
         }
@@ -8952 +9050 @@
         RegisteredStructureSet baseSet;
         for (unsigned i = data.variants.size(); i--;) {
-            PutByIdVariant variant = data.variants[i];
+            PutByVariant variant = data.variants[i];
             for (unsigned j = variant.oldStructure().size(); j--;) {
                 RegisteredStructure structure = m_graph.registerStructure(variant.oldStructure()[j]);
@@ -8967 +9065 @@
             m_out.appendTo(blocks[i], i + 1 < data.variants.size() ? blocks[i + 1] : exit);
             
-            PutByIdVariant variant = data.variants[i];
+            PutByVariant variant = data.variants[i];
 
             LValue storage;
-            if (variant.kind() == PutByIdVariant::Replace) {
+            if (variant.kind() == PutByVariant::Replace) {
                 if (isInlineOffset(variant.offset()))
                     storage = base;
@@ -8976 +9074 @@
                     storage = m_out.loadPtr(base, m_heaps.JSObject_butterfly);
             } else {
-                DFG_ASSERT(m_graph, m_node, variant.kind() == PutByIdVariant::Transition, variant.kind());
+                DFG_ASSERT(m_graph, m_node, variant.kind() == PutByVariant::Transition, variant.kind());
                 m_graph.m_plan.transitions().addLazily(
                     m_origin.semantic.codeOriginOwner(),
@@ -8988 +9086 @@
             storeProperty(value, storage, data.identifierNumber, variant.offset());
             
-            if (variant.kind() == PutByIdVariant::Transition) {
+            if (variant.kind() == PutByVariant::Transition) {
                 ASSERT(variant.oldStructureForTransition()->indexingType() == variant.newStructure()->indexingType());
                 ASSERT(variant.oldStructureForTransition()->typeInfo().inlineTypeFlags() == variant.newStructure()->typeInfo().inlineTypeFlags());

trunk/Source/JavaScriptCore/generator/DSL.rb

@@ -142 +142 @@
 #include "Opcode.h"
 #include "PrivateFieldPutKind.h"
-#include "PutByIdStatus.h"
+#include "PutByStatus.h"
 #include "PutByIdFlags.h"
 #include "ToThisStatus.h"

trunk/Source/JavaScriptCore/jit/ICStats.h

@@ -68 +68 @@
     macro(OperationPutByIdDefinePrivateFieldFieldStrictOptimize) \
     macro(OperationPutByIdPutPrivateFieldFieldStrictOptimize) \
-    macro(PutByIdAddAccessCase) \
-    macro(PutByIdReplaceWithJump) \
-    macro(PutByIdSelfPatch) \
-    macro(InByIdSelfPatch) \
+    macro(PutByAddAccessCase) \
+    macro(PutByReplaceWithJump) \
+    macro(PutBySelfPatch) \
+    macro(InBySelfPatch) \
     macro(DelByReplaceWithJump) \
     macro(DelByReplaceWithGeneric) \

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -511 +511 @@
     m_getByIdWithThisIndex = 0;
     m_putByIdIndex = 0;
+    m_putByValIndex = 0;
     m_inByIdIndex = 0;
     m_inByValIndex = 0;
@@ -663 +664 @@
     RELEASE_ASSERT(m_getByIdWithThisIndex == m_getByIdsWithThis.size());
     RELEASE_ASSERT(m_putByIdIndex == m_putByIds.size());
+    RELEASE_ASSERT(m_putByValIndex == m_putByVals.size());
     RELEASE_ASSERT(m_inByIdIndex == m_inByIds.size());
     RELEASE_ASSERT(m_instanceOfIndex == m_instanceOfs.size());
@@ -910 +912 @@
     finalizeInlineCaches(m_getByIdsWithThis, patchBuffer);
     finalizeInlineCaches(m_putByIds, patchBuffer);
+    finalizeInlineCaches(m_putByVals, patchBuffer);
     finalizeInlineCaches(m_delByIds, patchBuffer);
     finalizeInlineCaches(m_delByVals, patchBuffer);

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -226 +226 @@
         }
         
-        static void compilePutByVal(const ConcurrentJSLocker& locker, VM& vm, CodeBlock* codeBlock, ByValInfo* byValInfo, ReturnAddressPtr returnAddress, JITArrayMode arrayMode)
-        {
-            JIT jit(vm, codeBlock);
-            jit.m_bytecodeIndex = byValInfo->bytecodeIndex;
-            jit.privateCompilePutByVal<OpPutByVal>(locker, byValInfo, returnAddress, arrayMode);
-        }
-        
-        static void compileDirectPutByVal(const ConcurrentJSLocker& locker, VM& vm, CodeBlock* codeBlock, ByValInfo* byValInfo, ReturnAddressPtr returnAddress, JITArrayMode arrayMode)
-        {
-            JIT jit(vm, codeBlock);
-            jit.m_bytecodeIndex = byValInfo->bytecodeIndex;
-            jit.privateCompilePutByVal<OpPutByValDirect>(locker, byValInfo, returnAddress, arrayMode);
-        }
-
-        template<typename Op>
-        static void compilePutByValWithCachedId(VM& vm, CodeBlock* codeBlock, ByValInfo* byValInfo, ReturnAddressPtr returnAddress, PutKind putKind, CacheableIdentifier propertyName)
-        {
-            JIT jit(vm, codeBlock);
-            jit.m_bytecodeIndex = byValInfo->bytecodeIndex;
-            jit.privateCompilePutByValWithCachedId<Op>(byValInfo, returnAddress, putKind, propertyName);
-        }
-
         static void compilePutPrivateNameWithCachedId(VM& vm, CodeBlock* codeBlock, ByValInfo* byValInfo, ReturnAddressPtr returnAddress, CacheableIdentifier propertyName)
         {
@@ -268 +246 @@
         CompilationResult privateCompile(JITCompilationEffort);
         
-        void privateCompileGetByVal(const ConcurrentJSLocker&, ByValInfo*, ReturnAddressPtr, JITArrayMode);
-        template<typename Op>
-        void privateCompilePutByVal(const ConcurrentJSLocker&, ByValInfo*, ReturnAddressPtr, JITArrayMode);
-        template<typename Op>
-        void privateCompilePutByValWithCachedId(ByValInfo*, ReturnAddressPtr, PutKind, CacheableIdentifier);
-
         void privateCompilePutPrivateNameWithCachedId(ByValInfo*, ReturnAddressPtr, CacheableIdentifier);
-
-        void privateCompilePatchGetArrayLength(ReturnAddressPtr returnAddress);
 
         // Add a call out from JIT code, without an exception check.
@@ -383 +353 @@
 
         void emitArrayProfilingSiteWithCell(RegisterID cellGPR, ArrayProfile*, RegisterID scratchGPR);
+        void emitArrayProfilingSiteWithCell(RegisterID cellGPR, RegisterID arrayProfileGPR, RegisterID scratchGPR);
         void emitArrayProfileStoreToHoleSpecialCase(ArrayProfile*);
         void emitArrayProfileOutOfBoundsSpecialCase(ArrayProfile*);
-        
-        JITArrayMode chooseArrayMode(ArrayProfile*);
-        
-        // Property is in regT1, base is in regT0. regT2 contains indecing type.
-        // The value to store is not yet loaded. Property is int-checked and
-        // zero-extended. Base is cell checked. Structure is already profiled.
-        // returns the slow cases.
-        template<typename Op>
-        JumpList emitInt32PutByVal(Op bytecode, PatchableJump& badType, ByValInfo* byValInfo)
-        {
-            return emitGenericContiguousPutByVal(bytecode, badType, byValInfo, Int32Shape);
-        }
-        template<typename Op>
-        JumpList emitDoublePutByVal(Op bytecode, PatchableJump& badType, ByValInfo* byValInfo)
-        {
-            return emitGenericContiguousPutByVal(bytecode, badType, byValInfo, DoubleShape);
-        }
-        template<typename Op>
-        JumpList emitContiguousPutByVal(Op bytecode, PatchableJump& badType, ByValInfo* byValInfo)
-        {
-            return emitGenericContiguousPutByVal(bytecode, badType, byValInfo);
-        }
-        template<typename Op>
-        JumpList emitGenericContiguousPutByVal(Op, PatchableJump& badType, ByValInfo*, IndexingType indexingShape = ContiguousShape);
-        template<typename Op>
-        JumpList emitArrayStoragePutByVal(Op, PatchableJump& badType, ByValInfo*);
-        template<typename Op>
-        JumpList emitIntTypedArrayPutByVal(Op, PatchableJump& badType, ByValInfo*, TypedArrayType);
-        template<typename Op>
-        JumpList emitFloatTypedArrayPutByVal(Op, PatchableJump& badType, ByValInfo*, TypedArrayType);
 
         template<typename Op>
@@ -1065 +1006 @@
         Vector<JITGetByIdWithThisGenerator> m_getByIdsWithThis;
         Vector<JITPutByIdGenerator> m_putByIds;
+        Vector<JITPutByValGenerator> m_putByVals;
         Vector<JITInByIdGenerator> m_inByIds;
         Vector<JITInByValGenerator> m_inByVals;
@@ -1092 +1034 @@
         unsigned m_getByIdWithThisIndex { UINT_MAX };
         unsigned m_putByIdIndex { UINT_MAX };
+        unsigned m_putByValIndex { UINT_MAX };
         unsigned m_inByIdIndex { UINT_MAX };
         unsigned m_inByValIndex { UINT_MAX };

trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp

@@ -143 +143 @@
     JSValueRegs base, JSValueRegs value, GPRReg stubInfoGPR, GPRReg scratch, 
     ECMAMode ecmaMode, PutKind putKind)
-        : JITByIdGenerator(codeBlock, jitType, codeOrigin, callSite, AccessType::Put, usedRegisters, base, value, stubInfoGPR)
+        : JITByIdGenerator(codeBlock, jitType, codeOrigin, callSite, AccessType::PutById, usedRegisters, base, value, stubInfoGPR)
         , m_ecmaMode(ecmaMode)
         , m_putKind(putKind)
@@ -382 +382 @@
 }
 
+JITPutByValGenerator::JITPutByValGenerator(CodeBlock* codeBlock, JITType jitType, CodeOrigin codeOrigin, CallSiteIndex callSiteIndex, AccessType accessType, const RegisterSet& usedRegisters, JSValueRegs base, JSValueRegs property, JSValueRegs value, GPRReg arrayProfileGPR, GPRReg stubInfoGPR)
+    : Base(codeBlock, jitType, codeOrigin, callSiteIndex, accessType, usedRegisters)
+    , m_base(base)
+    , m_value(value)
+{
+    m_stubInfo->hasConstantIdentifier = false;
+
+    m_stubInfo->baseGPR = base.payloadGPR();
+    m_stubInfo->regs.propertyGPR = property.payloadGPR();
+    m_stubInfo->valueGPR = value.payloadGPR();
+    m_stubInfo->m_stubInfoGPR = stubInfoGPR;
+    m_stubInfo->m_arrayProfileGPR = arrayProfileGPR;
+#if USE(JSVALUE32_64)
+    m_stubInfo->baseTagGPR = base.tagGPR();
+    m_stubInfo->valueTagGPR = value.tagGPR();
+    m_stubInfo->v.propertyTagGPR = property.tagGPR();
+#endif
+}
+
+void JITPutByValGenerator::generateFastPath(MacroAssembler& jit)
+{
+    m_start = jit.label();
+    if (JITCode::useDataIC(m_jitType)) {
+        jit.move(CCallHelpers::TrustedImmPtr(m_stubInfo), m_stubInfo->m_stubInfoGPR);
+        jit.call(CCallHelpers::Address(m_stubInfo->m_stubInfoGPR, StructureStubInfo::offsetOfCodePtr()), JITStubRoutinePtrTag);
+    } else
+        m_slowPathJump = jit.patchableJump();
+    m_done = jit.label();
+}
+
+void JITPutByValGenerator::finalize(LinkBuffer& fastPath, LinkBuffer& slowPath)
+{
+    Base::finalize(fastPath, slowPath, fastPath.locationOf<JITStubRoutinePtrTag>(m_start));
+    if (JITCode::useDataIC(m_jitType))
+        m_stubInfo->m_codePtr = m_stubInfo->slowPathStartLocation;
+}
+
 JITPrivateBrandAccessGenerator::JITPrivateBrandAccessGenerator(CodeBlock* codeBlock, JITType jitType, CodeOrigin codeOrigin, CallSiteIndex callSiteIndex, AccessType accessType, const RegisterSet& usedRegisters, JSValueRegs base, JSValueRegs brand, GPRReg stubInfoGPR)
     : Base(codeBlock, jitType, codeOrigin, callSiteIndex, accessType, usedRegisters)

trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.h

@@ -130 +130 @@
 class JITPutByIdGenerator final : public JITByIdGenerator {
 public:
-    JITPutByIdGenerator()
-        : m_ecmaMode(ECMAMode::strict())
-    { }
+    JITPutByIdGenerator() = default;
 
     JITPutByIdGenerator(
@@ -143 +141 @@
 
 private:
-    ECMAMode m_ecmaMode;
+    ECMAMode m_ecmaMode { ECMAMode::strict() };
     PutKind m_putKind;
+};
+
+class JITPutByValGenerator final : public JITInlineCacheGenerator {
+    using Base = JITInlineCacheGenerator;
+public:
+    JITPutByValGenerator() = default;
+
+    JITPutByValGenerator(
+        CodeBlock*, JITType, CodeOrigin, CallSiteIndex, AccessType, const RegisterSet& usedRegisters,
+        JSValueRegs base, JSValueRegs property, JSValueRegs result, GPRReg arrayProfileGPR, GPRReg stubInfoGPR);
+
+    MacroAssembler::Jump slowPathJump() const
+    {
+        ASSERT(m_slowPathJump.m_jump.isSet());
+        return m_slowPathJump.m_jump;
+    }
+
+    void finalize(LinkBuffer& fastPathLinkBuffer, LinkBuffer& slowPathLinkBuffer);
+
+    void generateFastPath(MacroAssembler&);
+
+private:
+    JSValueRegs m_base;
+    JSValueRegs m_value;
+
+    MacroAssembler::Label m_start;
+    MacroAssembler::PatchableJump m_slowPathJump;
 };
 

trunk/Source/JavaScriptCore/jit/JITInlines.h

@@ -353 +353 @@
 }
 
+inline void JIT::emitArrayProfilingSiteWithCell(RegisterID cellGPR, RegisterID arrayProfileGPR, RegisterID scratchGPR)
+{
+    if (shouldEmitProfiling()) {
+        load32(MacroAssembler::Address(cellGPR, JSCell::structureIDOffset()), scratchGPR);
+        store32(scratchGPR, Address(arrayProfileGPR, ArrayProfile::offsetOfLastSeenStructureID()));
+    }
+}
+
 inline void JIT::emitArrayProfileStoreToHoleSpecialCase(ArrayProfile* arrayProfile)
 {
@@ -361 +369 @@
 {
     store8(TrustedImm32(1), arrayProfile->addressOfOutOfBounds());
-}
-
-inline JITArrayMode JIT::chooseArrayMode(ArrayProfile* profile)
-{
-    auto arrayProfileSaw = [] (ArrayModes arrayModes, IndexingType capability) {
-        return arrayModesIncludeIgnoringTypedArrays(arrayModes, capability);
-    };
-
-    ConcurrentJSLocker locker(m_codeBlock->m_lock);
-    profile->computeUpdatedPrediction(locker, m_codeBlock);
-    ArrayModes arrayModes = profile->observedArrayModes(locker);
-    if (arrayProfileSaw(arrayModes, DoubleShape))
-        return JITDouble;
-    if (arrayProfileSaw(arrayModes, Int32Shape))
-        return JITInt32;
-    if (arrayProfileSaw(arrayModes, ArrayStorageShape))
-        return JITArrayStorage;
-    return JITContiguous;
 }
 

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -720 +720 @@
     
     if (stubInfo->considerCachingBy(vm, codeBlock, structure, identifier))
-        repatchPutByID(globalObject, codeBlock, baseValue, structure, identifier, slot, *stubInfo, PutKind::NotDirect);
+        repatchPutBy(globalObject, codeBlock, baseValue, structure, identifier, slot, *stubInfo, PutByKind::ById, PutKind::NotDirect);
 }
 
@@ -752 +752 @@
     
     if (stubInfo->considerCachingBy(vm, codeBlock, structure, identifier))
-        repatchPutByID(globalObject, codeBlock, baseValue, structure, identifier, slot, *stubInfo, PutKind::NotDirect);
+        repatchPutBy(globalObject, codeBlock, baseValue, structure, identifier, slot, *stubInfo, PutByKind::ById, PutKind::NotDirect);
 }
 
@@ -783 +783 @@
     
     if (stubInfo->considerCachingBy(vm, codeBlock, structure, identifier))
-        repatchPutByID(globalObject, codeBlock, baseObject, structure, identifier, slot, *stubInfo, PutKind::Direct);
+        repatchPutBy(globalObject, codeBlock, baseObject, structure, identifier, slot, *stubInfo, PutByKind::ById, PutKind::Direct);
 }
 
@@ -814 +814 @@
     
     if (stubInfo->considerCachingBy(vm, codeBlock, structure, identifier))
-        repatchPutByID(globalObject, codeBlock, baseObject, structure, identifier, slot, *stubInfo, PutKind::Direct);
+        repatchPutBy(globalObject, codeBlock, baseObject, structure, identifier, slot, *stubInfo, PutByKind::ById, PutKind::Direct);
 }
 
@@ -889 +889 @@
 
         if (stubInfo->considerCachingBy(vm, codeBlock, oldStructure, identifier))
-            repatchPutByID(globalObject, codeBlock, baseObject, oldStructure, identifier, putSlot, *stubInfo, PutKind::DirectPrivateFieldDefine);
+            repatchPutBy(globalObject, codeBlock, baseObject, oldStructure, identifier, putSlot, *stubInfo, PutByKind::ById, PutKind::DirectPrivateFieldDefine);
     });
 }
@@ -925 +925 @@
 
         if (stubInfo->considerCachingBy(vm, codeBlock, oldStructure, identifier))
-            repatchPutByID(globalObject, codeBlock, baseObject, oldStructure, identifier, putSlot, *stubInfo, PutKind::DirectPrivateFieldSet);
+            repatchPutBy(globalObject, codeBlock, baseObject, oldStructure, identifier, putSlot, *stubInfo, PutByKind::ById, PutKind::DirectPrivateFieldSet);
     });
 }
 
-static void putByVal(JSGlobalObject* globalObject, JSValue baseValue, JSValue subscript, JSValue value, ByValInfo* byValInfo, ECMAMode ecmaMode)
+static void putByVal(JSGlobalObject* globalObject, JSValue baseValue, JSValue subscript, JSValue value, ArrayProfile* arrayProfile, ECMAMode ecmaMode)
 {
     VM& vm = globalObject->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
     if (std::optional<uint32_t> index = subscript.tryGetAsUint32Index()) {
-        byValInfo->tookSlowPath = true;
         uint32_t i = *index;
         if (baseValue.isObject()) {
@@ -943 +942 @@
             }
 
-            byValInfo->arrayProfile->setOutOfBounds();
+            if (arrayProfile)
+                arrayProfile->setOutOfBounds();
             scope.release();
             object->methodTable(vm)->putByIndex(object, globalObject, i, value, ecmaMode.isStrict());
@@ -952 +952 @@
         baseValue.putByIndex(globalObject, i, value, ecmaMode.isStrict());
         return;
-    } 
+    }
+
     if (subscript.isNumber()) {
-        byValInfo->tookSlowPath = true;
-        if (baseValue.isObject())
-            byValInfo->arrayProfile->setOutOfBounds();
+        if (baseValue.isObject()) {
+            if (arrayProfile)
+                arrayProfile->setOutOfBounds();
+        }
     }
 
@@ -963 +965 @@
     RETURN_IF_EXCEPTION(scope, void());
 
-    if (byValInfo->stubInfo && (!CacheableIdentifier::isCacheableIdentifierCell(subscript) || byValInfo->cachedId.uid() != property))
-        byValInfo->tookSlowPath = true;
-
     scope.release();
     PutPropertySlot slot(baseValue, ecmaMode.isStrict());
@@ -971 +970 @@
 }
 
-static void directPutByVal(JSGlobalObject* globalObject, JSObject* baseObject, JSValue subscript, JSValue value, ByValInfo* byValInfo, ECMAMode ecmaMode)
+static void directPutByVal(JSGlobalObject* globalObject, JSObject* baseObject, JSValue subscript, JSValue value, ArrayProfile* arrayProfile, ECMAMode ecmaMode)
 {
     VM& vm = globalObject->vm();
@@ -977 +976 @@
 
     if (std::optional<uint32_t> maybeIndex = subscript.tryGetAsUint32Index()) {
-        byValInfo->tookSlowPath = true;
         uint32_t index = *maybeIndex;
 
@@ -989 +987 @@
             FALLTHROUGH;
         default:
-            byValInfo->arrayProfile->setOutOfBounds();
+            if (arrayProfile)
+                arrayProfile->setOutOfBounds();
             break;
         }
@@ -1003 +1002 @@
 
     if (std::optional<uint32_t> index = parseIndex(property)) {
-        byValInfo->tookSlowPath = true;
         scope.release();
         baseObject->putDirectIndex(globalObject, index.value(), value, 0, ecmaMode.isStrict() ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
         return;
     }
-
-    if (byValInfo->stubInfo && (!CacheableIdentifier::isCacheableIdentifierCell(subscript) || byValInfo->cachedId.uid() != property))
-        byValInfo->tookSlowPath = true;
 
     scope.release();
@@ -1024 +1019 @@
 };
 
-static OptimizationResult tryPutByValOptimize(JSGlobalObject* globalObject, CallFrame* callFrame, CodeBlock* codeBlock, JSValue baseValue, JSValue subscript, ByValInfo* byValInfo, ReturnAddressPtr returnAddress)
-{
-    UNUSED_PARAM(callFrame);
-
-    // See if it's worth optimizing at all.
-    OptimizationResult optimizationResult = OptimizationResult::NotOptimized;
-
-    VM& vm = globalObject->vm();
-    auto scope = DECLARE_THROW_SCOPE(vm);
-
-    if (baseValue.isObject() && isCopyOnWrite(baseValue.getObject()->indexingMode()))
-        return OptimizationResult::GiveUp;
-
-    if (baseValue.isObject() && subscript.isInt32()) {
-        JSObject* object = asObject(baseValue);
-
-        ASSERT(callFrame->bytecodeIndex() != BytecodeIndex(0));
-        ASSERT(!byValInfo->stubRoutine);
-
-        Structure* structure = object->structure(vm);
-        if (hasOptimizableIndexing(structure)) {
-            // Attempt to optimize.
-            JITArrayMode arrayMode = jitArrayModeForStructure(structure);
-            if (jitArrayModePermitsPut(arrayMode) && arrayMode != byValInfo->arrayMode) {
-                ConcurrentJSLocker locker(codeBlock->m_lock);
-                byValInfo->arrayProfile->computeUpdatedPrediction(locker, codeBlock, structure);
-                JIT::compilePutByVal(locker, vm, codeBlock, byValInfo, returnAddress, arrayMode);
-                optimizationResult = OptimizationResult::Optimized;
+static ALWAYS_INLINE void putByValOptimize(JSGlobalObject* globalObject, CodeBlock* codeBlock, JSValue baseValue, JSValue subscript, JSValue value, StructureStubInfo* stubInfo, ArrayProfile* profile, ECMAMode ecmaMode)
+{
+    VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    if (baseValue.isObject()) {
+        JSObject* baseObject = asObject(baseValue);
+        if (!isCopyOnWrite(baseObject->indexingMode()) && subscript.isInt32()) {
+            Structure* structure = baseObject->structure(vm);
+            if (stubInfo->considerCachingGeneric(vm, codeBlock, structure)) {
+                if (profile) {
+                    ConcurrentJSLocker locker(codeBlock->m_lock);
+                    profile->computeUpdatedPrediction(locker, codeBlock, structure);
+                }
+                repatchArrayPutByVal(globalObject, codeBlock, baseValue, subscript, *stubInfo, PutKind::NotDirect, ecmaMode);
             }
         }
 
-        // If we failed to patch and we have some object that intercepts indexed get, then don't even wait until 10 times.
-        if (optimizationResult != OptimizationResult::Optimized && object->structure(vm)->typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero())
-            optimizationResult = OptimizationResult::GiveUp;
-    }
-
-    if (baseValue.isObject() && CacheableIdentifier::isCacheableIdentifierCell(subscript)) {
-        const Identifier propertyName = subscript.toPropertyKey(globalObject);
-        RETURN_IF_EXCEPTION(scope, OptimizationResult::GiveUp);
-        if (subscript.isSymbol() || !parseIndex(propertyName)) {
-            ASSERT(callFrame->bytecodeIndex() != BytecodeIndex(0));
-            ASSERT(!byValInfo->stubRoutine);
-            if (byValInfo->seen) {
-                if (byValInfo->cachedId.uid() == propertyName) {
-                    JIT::compilePutByValWithCachedId<OpPutByVal>(vm, codeBlock, byValInfo, returnAddress, PutKind::NotDirect, byValInfo->cachedId);
-                    optimizationResult = OptimizationResult::Optimized;
-                } else {
-                    // Seem like a generic property access site.
-                    optimizationResult = OptimizationResult::GiveUp;
-                }
-            } else {
-                {
-                    ConcurrentJSLocker locker(codeBlock->m_lock);
-                    byValInfo->seen = true;
-                    byValInfo->cachedId = CacheableIdentifier::createFromCell(subscript.asCell());
-                    optimizationResult = OptimizationResult::SeenOnce;
-                }
-                vm.heap.writeBarrier(codeBlock, subscript.asCell());
+        if (CacheableIdentifier::isCacheableIdentifierCell(subscript)) {
+            const Identifier propertyName = subscript.toPropertyKey(globalObject);
+            RETURN_IF_EXCEPTION(scope, void());
+            if (subscript.isSymbol() || !parseIndex(propertyName)) {
+                AccessType accessType = static_cast<AccessType>(stubInfo->accessType);
+                PutPropertySlot slot(baseValue, ecmaMode.isStrict(), codeBlock->putByIdContext());
+
+                Structure* structure = CommonSlowPaths::originalStructureBeforePut(vm, baseValue);
+                baseObject->putInline(globalObject, propertyName, value, slot);
+                RETURN_IF_EXCEPTION(scope, void());
+
+                if (accessType != static_cast<AccessType>(stubInfo->accessType))
+                    return;
+
+                CacheableIdentifier identifier = CacheableIdentifier::createFromCell(subscript.asCell());
+                if (stubInfo->considerCachingBy(vm, codeBlock, structure, identifier))
+                    repatchPutBy(globalObject, codeBlock, baseValue, structure, identifier, slot, *stubInfo, PutByKind::ByVal, PutKind::NotDirect);
+                return;
             }
         }
     }
 
-    if (optimizationResult != OptimizationResult::Optimized && optimizationResult != OptimizationResult::SeenOnce) {
-        // If we take slow path more than 10 times without patching then make sure we
-        // never make that mistake again. For cases where we see non-index-intercepting
-        // objects, this gives 10 iterations worth of opportunity for us to observe
-        // that the put_by_val may be polymorphic. We count up slowPathCount even if
-        // the result is GiveUp.
-        if (++byValInfo->slowPathCount >= 10)
-            optimizationResult = OptimizationResult::GiveUp;
-    }
-
-    return optimizationResult;
-}
-
-JSC_DEFINE_JIT_OPERATION(operationPutByValOptimize, void, (JSGlobalObject* globalObject, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, ByValInfo* byValInfo, ECMAMode ecmaMode))
-{
-    VM& vm = globalObject->vm();
-    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
-    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
-    auto scope = DECLARE_THROW_SCOPE(vm);
+    RELEASE_AND_RETURN(scope, putByVal(globalObject, baseValue, subscript, value, profile, ecmaMode));
+}
+
+JSC_DEFINE_JIT_OPERATION(operationPutByValStrictOptimize, void, (JSGlobalObject* globalObject, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, StructureStubInfo* stubInfo, ArrayProfile* profile))
+{
+    VM& vm = globalObject->vm();
+    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
+    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
 
     JSValue baseValue = JSValue::decode(encodedBaseValue);
     JSValue subscript = JSValue::decode(encodedSubscript);
     JSValue value = JSValue::decode(encodedValue);
-    CodeBlock* codeBlock = callFrame->codeBlock();
-    OptimizationResult result = tryPutByValOptimize(globalObject, callFrame, codeBlock, baseValue, subscript, byValInfo, ReturnAddressPtr(OUR_RETURN_ADDRESS));
-    RETURN_IF_EXCEPTION(scope, void());
-    if (result == OptimizationResult::GiveUp) {
-        // Don't ever try to optimize.
-        byValInfo->tookSlowPath = true;
-        if (codeBlock->useDataIC())
-            byValInfo->m_slowOperation = operationPutByValGeneric;
-        else
-            ctiPatchCallByReturnAddress(ReturnAddressPtr(OUR_RETURN_ADDRESS), operationPutByValGeneric);
-    }
-    RELEASE_AND_RETURN(scope, putByVal(globalObject, baseValue, subscript, value, byValInfo, ecmaMode));
-}
-
-static OptimizationResult tryDirectPutByValOptimize(JSGlobalObject* globalObject, CallFrame* callFrame, CodeBlock* codeBlock, JSObject* object, JSValue subscript, ByValInfo* byValInfo, ReturnAddressPtr returnAddress)
-{
-    UNUSED_PARAM(callFrame);
-
-    // See if it's worth optimizing at all.
-    OptimizationResult optimizationResult = OptimizationResult::NotOptimized;
-
-    VM& vm = globalObject->vm();
-    auto scope = DECLARE_THROW_SCOPE(vm);
-
-    if (subscript.isInt32()) {
-        ASSERT(callFrame->bytecodeIndex() != BytecodeIndex(0));
-        ASSERT(!byValInfo->stubRoutine);
-
-        Structure* structure = object->structure(vm);
-        if (hasOptimizableIndexing(structure)) {
-            // Attempt to optimize.
-            JITArrayMode arrayMode = jitArrayModeForStructure(structure);
-            if (jitArrayModePermitsPutDirect(arrayMode) && arrayMode != byValInfo->arrayMode) {
+
+    putByValOptimize(globalObject, callFrame->codeBlock(), baseValue, subscript, value, stubInfo, profile, ECMAMode::strict());
+}
+
+JSC_DEFINE_JIT_OPERATION(operationPutByValNonStrictOptimize, void, (JSGlobalObject* globalObject, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, StructureStubInfo* stubInfo, ArrayProfile* profile))
+{
+    VM& vm = globalObject->vm();
+    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
+    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
+
+    JSValue baseValue = JSValue::decode(encodedBaseValue);
+    JSValue subscript = JSValue::decode(encodedSubscript);
+    JSValue value = JSValue::decode(encodedValue);
+
+    putByValOptimize(globalObject, callFrame->codeBlock(), baseValue, subscript, value, stubInfo, profile, ECMAMode::sloppy());
+}
+
+static ALWAYS_INLINE void directPutByValOptimize(JSGlobalObject* globalObject, CodeBlock* codeBlock, JSValue baseValue, JSValue subscript, JSValue value, StructureStubInfo* stubInfo, ArrayProfile* profile, ECMAMode ecmaMode)
+{
+    VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    RELEASE_ASSERT(baseValue.isObject());
+    JSObject* baseObject = asObject(baseValue);
+
+    if (!isCopyOnWrite(baseObject->indexingMode()) && subscript.isInt32()) {
+        Structure* structure = baseObject->structure(vm);
+        if (stubInfo->considerCachingGeneric(vm, codeBlock, structure)) {
+            if (profile) {
                 ConcurrentJSLocker locker(codeBlock->m_lock);
-                byValInfo->arrayProfile->computeUpdatedPrediction(locker, codeBlock, structure);
-
-                JIT::compileDirectPutByVal(locker, vm, codeBlock, byValInfo, returnAddress, arrayMode);
-                optimizationResult = OptimizationResult::Optimized;
+                profile->computeUpdatedPrediction(locker, codeBlock, structure);
             }
+            repatchArrayPutByVal(globalObject, codeBlock, baseValue, subscript, *stubInfo, PutKind::Direct, ecmaMode);
         }
-
-        // If we failed to patch and we have some object that intercepts indexed get, then don't even wait until 10 times.
-        if (optimizationResult != OptimizationResult::Optimized && object->structure(vm)->typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero())
-            optimizationResult = OptimizationResult::GiveUp;
-    } else if (CacheableIdentifier::isCacheableIdentifierCell(subscript)) {
+    }
+
+    if (CacheableIdentifier::isCacheableIdentifierCell(subscript)) {
         const Identifier propertyName = subscript.toPropertyKey(globalObject);
-        RETURN_IF_EXCEPTION(scope, OptimizationResult::GiveUp);
+        RETURN_IF_EXCEPTION(scope, void());
         if (subscript.isSymbol() || !parseIndex(propertyName)) {
-            ASSERT(callFrame->bytecodeIndex() != BytecodeIndex(0));
-            ASSERT(!byValInfo->stubRoutine);
-            if (byValInfo->seen) {
-                if (byValInfo->cachedId.uid() == propertyName) {
-                    JIT::compilePutByValWithCachedId<OpPutByValDirect>(vm, codeBlock, byValInfo, returnAddress, PutKind::Direct, byValInfo->cachedId);
-                    optimizationResult = OptimizationResult::Optimized;
-                } else {
-                    // Seem like a generic property access site.
-                    optimizationResult = OptimizationResult::GiveUp;
-                }
-            } else {
-                {
-                    ConcurrentJSLocker locker(codeBlock->m_lock);
-                    byValInfo->seen = true;
-                    byValInfo->cachedId = CacheableIdentifier::createFromCell(subscript.asCell());
-                    optimizationResult = OptimizationResult::SeenOnce;
-                }
-                vm.heap.writeBarrier(codeBlock, subscript.asCell());
-            }
+            AccessType accessType = static_cast<AccessType>(stubInfo->accessType);
+            PutPropertySlot slot(baseValue, ecmaMode.isStrict(), codeBlock->putByIdContext());
+
+            Structure* structure = CommonSlowPaths::originalStructureBeforePut(vm, baseValue);
+            CommonSlowPaths::putDirectWithReify(vm, globalObject, baseObject, propertyName, value, slot);
+
+            RETURN_IF_EXCEPTION(scope, void());
+
+            if (accessType != static_cast<AccessType>(stubInfo->accessType))
+                return;
+
+            CacheableIdentifier identifier = CacheableIdentifier::createFromCell(subscript.asCell());
+            if (stubInfo->considerCachingBy(vm, codeBlock, structure, identifier))
+                repatchPutBy(globalObject, codeBlock, baseValue, structure, identifier, slot, *stubInfo, PutByKind::ByVal, PutKind::Direct);
+            return;
         }
     }
 
-    if (optimizationResult != OptimizationResult::Optimized && optimizationResult != OptimizationResult::SeenOnce) {
-        // If we take slow path more than 10 times without patching then make sure we
-        // never make that mistake again. For cases where we see non-index-intercepting
-        // objects, this gives 10 iterations worth of opportunity for us to observe
-        // that the get_by_val may be polymorphic. We count up slowPathCount even if
-        // the result is GiveUp.
-        if (++byValInfo->slowPathCount >= 10)
-            optimizationResult = OptimizationResult::GiveUp;
-    }
-
-    return optimizationResult;
-}
-
-JSC_DEFINE_JIT_OPERATION(operationDirectPutByValOptimize, void, (JSGlobalObject* globalObject, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, ByValInfo* byValInfo, ECMAMode ecmaMode))
-{
-    VM& vm = globalObject->vm();
-    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
-    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
-    auto scope = DECLARE_THROW_SCOPE(vm);
+    RELEASE_AND_RETURN(scope, directPutByVal(globalObject, baseObject, subscript, value, profile, ecmaMode));
+
+}
+
+JSC_DEFINE_JIT_OPERATION(operationDirectPutByValStrictOptimize, void, (JSGlobalObject* globalObject, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, StructureStubInfo* stubInfo, ArrayProfile* profile))
+{
+    VM& vm = globalObject->vm();
+    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
+    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
+
+    JSValue baseValue = JSValue::decode(encodedBaseValue);
+    JSValue subscript = JSValue::decode(encodedSubscript);
+    JSValue value = JSValue::decode(encodedValue);
+
+    directPutByValOptimize(globalObject, callFrame->codeBlock(), baseValue, subscript, value, stubInfo, profile, ECMAMode::strict());
+}
+
+JSC_DEFINE_JIT_OPERATION(operationDirectPutByValNonStrictOptimize, void, (JSGlobalObject* globalObject, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, StructureStubInfo* stubInfo, ArrayProfile* profile))
+{
+    VM& vm = globalObject->vm();
+    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
+    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
+
+    JSValue baseValue = JSValue::decode(encodedBaseValue);
+    JSValue subscript = JSValue::decode(encodedSubscript);
+    JSValue value = JSValue::decode(encodedValue);
+
+    directPutByValOptimize(globalObject, callFrame->codeBlock(), baseValue, subscript, value, stubInfo, profile, ECMAMode::sloppy());
+}
+
+JSC_DEFINE_JIT_OPERATION(operationPutByValStrictGeneric, void, (JSGlobalObject* globalObject, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, StructureStubInfo* stubInfo, ArrayProfile* profile))
+{
+    VM& vm = globalObject->vm();
+    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
+    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
+
+    JSValue baseValue = JSValue::decode(encodedBaseValue);
+    JSValue subscript = JSValue::decode(encodedSubscript);
+    JSValue value = JSValue::decode(encodedValue);
+
+    stubInfo->tookSlowPath = true;
+
+    putByVal(globalObject, baseValue, subscript, value, profile, ECMAMode::strict());
+}
+
+JSC_DEFINE_JIT_OPERATION(operationPutByValNonStrictGeneric, void, (JSGlobalObject* globalObject, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, StructureStubInfo* stubInfo, ArrayProfile* profile))
+{
+    VM& vm = globalObject->vm();
+    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
+    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
+
+    JSValue baseValue = JSValue::decode(encodedBaseValue);
+    JSValue subscript = JSValue::decode(encodedSubscript);
+    JSValue value = JSValue::decode(encodedValue);
+
+    stubInfo->tookSlowPath = true;
+
+    putByVal(globalObject, baseValue, subscript, value, profile, ECMAMode::sloppy());
+}
+
+JSC_DEFINE_JIT_OPERATION(operationDirectPutByValStrictGeneric, void, (JSGlobalObject* globalObject, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, StructureStubInfo* stubInfo, ArrayProfile* profile))
+{
+    VM& vm = globalObject->vm();
+    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
+    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
 
     JSValue baseValue = JSValue::decode(encodedBaseValue);
@@ -1203 +1199 @@
     JSValue value = JSValue::decode(encodedValue);
     RELEASE_ASSERT(baseValue.isObject());
-    JSObject* object = asObject(baseValue);
-    CodeBlock* codeBlock = callFrame->codeBlock();
-    OptimizationResult result = tryDirectPutByValOptimize(globalObject, callFrame, codeBlock, object, subscript, byValInfo, ReturnAddressPtr(OUR_RETURN_ADDRESS));
-    RETURN_IF_EXCEPTION(scope, void());
-    if (result == OptimizationResult::GiveUp) {
-        // Don't ever try to optimize.
-        byValInfo->tookSlowPath = true;
-        if (codeBlock->useDataIC())
-            byValInfo->m_slowOperation = operationDirectPutByValGeneric;
-        else
-            ctiPatchCallByReturnAddress(ReturnAddressPtr(OUR_RETURN_ADDRESS), operationDirectPutByValGeneric);
-    }
-
-    RELEASE_AND_RETURN(scope, directPutByVal(globalObject, object, subscript, value, byValInfo, ecmaMode));
-}
-
-JSC_DEFINE_JIT_OPERATION(operationPutByValGeneric, void, (JSGlobalObject* globalObject, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, ByValInfo* byValInfo, ECMAMode ecmaMode))
-{
-    VM& vm = globalObject->vm();
-    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
-    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
-    
-    JSValue baseValue = JSValue::decode(encodedBaseValue);
-    JSValue subscript = JSValue::decode(encodedSubscript);
-    JSValue value = JSValue::decode(encodedValue);
-
-    putByVal(globalObject, baseValue, subscript, value, byValInfo, ecmaMode);
-}
-
-
-JSC_DEFINE_JIT_OPERATION(operationDirectPutByValGeneric, void, (JSGlobalObject* globalObject, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, ByValInfo* byValInfo, ECMAMode ecmaMode))
-{
-    VM& vm = globalObject->vm();
-    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
-    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
-    
+
+    stubInfo->tookSlowPath = true;
+
+    directPutByVal(globalObject, asObject(baseValue), subscript, value, profile, ECMAMode::strict());
+}
+
+JSC_DEFINE_JIT_OPERATION(operationDirectPutByValNonStrictGeneric, void, (JSGlobalObject* globalObject, EncodedJSValue encodedBaseValue, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue, StructureStubInfo* stubInfo, ArrayProfile* profile))
+{
+    VM& vm = globalObject->vm();
+    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
+    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
+
     JSValue baseValue = JSValue::decode(encodedBaseValue);
     JSValue subscript = JSValue::decode(encodedSubscript);
     JSValue value = JSValue::decode(encodedValue);
     RELEASE_ASSERT(baseValue.isObject());
-    directPutByVal(globalObject, asObject(baseValue), subscript, value, byValInfo, ecmaMode);
+
+    stubInfo->tookSlowPath = true;
+
+    directPutByVal(globalObject, asObject(baseValue), subscript, value, profile, ECMAMode::sloppy());
 }
 

trunk/Source/JavaScriptCore/jit/JITOperations.h

@@ -204 +204 @@
 JSC_DECLARE_JIT_OPERATION(operationPutPrivateNameOptimize, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, ByValInfo*, PrivateFieldPutKind));
 JSC_DECLARE_JIT_OPERATION(operationPutPrivateNameGeneric, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, ByValInfo*, PrivateFieldPutKind));
-JSC_DECLARE_JIT_OPERATION(operationPutByValOptimize, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, ByValInfo*, ECMAMode));
-JSC_DECLARE_JIT_OPERATION(operationDirectPutByValOptimize, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, ByValInfo*, ECMAMode));
-JSC_DECLARE_JIT_OPERATION(operationPutByValGeneric, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, ByValInfo*, ECMAMode));
-JSC_DECLARE_JIT_OPERATION(operationDirectPutByValGeneric, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, ByValInfo*, ECMAMode));
+
+JSC_DECLARE_JIT_OPERATION(operationPutByValNonStrictOptimize, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, StructureStubInfo*, ArrayProfile*));
+JSC_DECLARE_JIT_OPERATION(operationPutByValStrictOptimize, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, StructureStubInfo*, ArrayProfile*));
+JSC_DECLARE_JIT_OPERATION(operationDirectPutByValNonStrictOptimize, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, StructureStubInfo*, ArrayProfile*));
+JSC_DECLARE_JIT_OPERATION(operationDirectPutByValStrictOptimize, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, StructureStubInfo*, ArrayProfile*));
+JSC_DECLARE_JIT_OPERATION(operationPutByValNonStrictGeneric, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, StructureStubInfo*, ArrayProfile*));
+JSC_DECLARE_JIT_OPERATION(operationPutByValStrictGeneric, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, StructureStubInfo*, ArrayProfile*));
+JSC_DECLARE_JIT_OPERATION(operationDirectPutByValStrictGeneric, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, StructureStubInfo*, ArrayProfile*));
+JSC_DECLARE_JIT_OPERATION(operationDirectPutByValNonStrictGeneric, void, (JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue, StructureStubInfo*, ArrayProfile*));
 
 JSC_DECLARE_JIT_OPERATION(operationCallEval, EncodedJSValue, (JSGlobalObject*, CallFrame*, ECMAMode));

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -439 +439 @@
     VirtualRegister base = bytecode.m_base;
     VirtualRegister property = bytecode.m_property;
-    ArrayProfile* profile = &metadata.m_arrayProfile;
-    ByValInfo* byValInfo = m_codeBlock->addByValInfo(m_bytecodeIndex);
-
-    emitGetVirtualRegister(base, regT0);
-    bool propertyNameIsIntegerConstant = isOperandConstantInt(property);
-    if (propertyNameIsIntegerConstant)
-        move(Imm32(getOperandConstantInt(property)), regT1);
-    else
-        emitGetVirtualRegister(property, regT1);
-
-    emitJumpSlowCaseIfNotJSCell(regT0, base);
-    PatchableJump notIndex;
-    if (!propertyNameIsIntegerConstant) {
-        if (JITCode::useDataIC(JITType::BaselineJIT)) {
-            auto isInt32 = branchIfInt32(regT1);
-            farJump(AbsoluteAddress(&byValInfo->m_notIndexJumpTarget), JITStubRoutinePtrTag);
-            isInt32.link(this);
-        } else {
-            notIndex = emitPatchableJumpIfNotInt(regT1);
-            addSlowCase(notIndex);
-        }
-        // See comment in op_get_by_val.
-        zeroExtend32ToWord(regT1, regT1);
-    }
-    emitArrayProfilingSiteWithCell(regT0, profile, regT2);
-
-    PatchableJump badType;
-    JumpList slowCases;
-
-    // FIXME: Maybe we should do this inline?
-    load8(Address(regT0, JSCell::indexingTypeAndMiscOffset()), regT2);
-    addSlowCase(branchTest32(NonZero, regT2, TrustedImm32(CopyOnWrite)));
-    and32(TrustedImm32(IndexingShapeMask), regT2);
-
-    JITArrayMode mode = chooseArrayMode(profile);
-    switch (mode) {
-    case JITInt32:
-        slowCases = emitInt32PutByVal(bytecode, badType, byValInfo);
-        break;
-    case JITDouble:
-        slowCases = emitDoublePutByVal(bytecode, badType, byValInfo);
-        break;
-    case JITContiguous:
-        slowCases = emitContiguousPutByVal(bytecode, badType, byValInfo);
-        break;
-    case JITArrayStorage:
-        slowCases = emitArrayStoragePutByVal(bytecode, badType, byValInfo);
-        break;
-    default:
-        CRASH();
-        break;
-    }
-    
-    if (!JITCode::useDataIC(JITType::BaselineJIT))
-        addSlowCase(badType);
-    addSlowCase(slowCases);
-    
-    Label done = label();
-    
-    m_byValCompilationInfo.append(ByValCompilationInfo(byValInfo, m_bytecodeIndex, notIndex, badType, mode, profile, done, done));
-}
-
-template<typename Op>
-JIT::JumpList JIT::emitGenericContiguousPutByVal(Op bytecode, PatchableJump& badType, ByValInfo* byValInfo, IndexingType indexingShape)
-{
-    auto& metadata = bytecode.metadata(m_codeBlock);
     VirtualRegister value = bytecode.m_value;
     ArrayProfile* profile = &metadata.m_arrayProfile;
-    
-    JumpList slowCases;
-
-    if (JITCode::useDataIC(JITType::BaselineJIT)) {
-        if (byValInfo) {
-            auto isCorrectType = branch32(Equal, regT2, TrustedImm32(indexingShape));
-            farJump(AbsoluteAddress(&byValInfo->m_badTypeJumpTarget), JITStubRoutinePtrTag);
-            isCorrectType.link(this);
-        } else
-            badType = patchableBranch32(NotEqual, regT2, TrustedImm32(indexingShape));
-    } else
-        badType = patchableBranch32(NotEqual, regT2, TrustedImm32(indexingShape));
-
-    
-    loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
-    Jump outOfBounds = branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength()));
-
-    Label storeResult = label();
-    emitGetVirtualRegister(value, regT3);
-    switch (indexingShape) {
-    case Int32Shape:
-        slowCases.append(branchIfNotInt32(regT3));
-        store64(regT3, BaseIndex(regT2, regT1, TimesEight));
-        break;
-    case DoubleShape: {
-        Jump notInt = branchIfNotInt32(regT3);
-        convertInt32ToDouble(regT3, fpRegT0);
-        Jump ready = jump();
-        notInt.link(this);
-        add64(numberTagRegister, regT3);
-        move64ToDouble(regT3, fpRegT0);
-        slowCases.append(branchIfNaN(fpRegT0));
-        ready.link(this);
-        storeDouble(fpRegT0, BaseIndex(regT2, regT1, TimesEight));
-        break;
-    }
-    case ContiguousShape:
-        store64(regT3, BaseIndex(regT2, regT1, TimesEight));
-        emitWriteBarrier(bytecode.m_base, value, ShouldFilterValue);
-        break;
-    default:
-        CRASH();
-        break;
-    }
-    
-    Jump done = jump();
-    outOfBounds.link(this);
-    
-    slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfVectorLength())));
-    
-    emitArrayProfileStoreToHoleSpecialCase(profile);
-    
-    add32(TrustedImm32(1), regT1, regT3);
-    store32(regT3, Address(regT2, Butterfly::offsetOfPublicLength()));
-    jump().linkTo(storeResult, this);
-    
-    done.link(this);
-    
-    return slowCases;
-}
-
-template<typename Op>
-JIT::JumpList JIT::emitArrayStoragePutByVal(Op bytecode, PatchableJump& badType, ByValInfo* byValInfo)
-{
-    auto& metadata = bytecode.metadata(m_codeBlock);
-    VirtualRegister value = bytecode.m_value;
-    ArrayProfile* profile = &metadata.m_arrayProfile;
-    
-    JumpList slowCases;
-    
-    if (JITCode::useDataIC(JITType::BaselineJIT)) {
-        if (byValInfo) {
-            auto isCorrectType = branch32(Equal, regT2, TrustedImm32(ArrayStorageShape));
-            farJump(AbsoluteAddress(&byValInfo->m_badTypeJumpTarget), JITStubRoutinePtrTag);
-            isCorrectType.link(this);
-        } else
-            badType = patchableBranch32(NotEqual, regT2, TrustedImm32(ArrayStorageShape));
-    } else
-        badType = patchableBranch32(NotEqual, regT2, TrustedImm32(ArrayStorageShape));
-
-    loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
-    slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
-
-    Jump empty = branchTest64(Zero, BaseIndex(regT2, regT1, TimesEight, ArrayStorage::vectorOffset()));
-
-    Label storeResult(this);
-    emitGetVirtualRegister(value, regT3);
-    store64(regT3, BaseIndex(regT2, regT1, TimesEight, ArrayStorage::vectorOffset()));
-    emitWriteBarrier(bytecode.m_base, value, ShouldFilterValue);
-    Jump end = jump();
-    
-    empty.link(this);
-    emitArrayProfileStoreToHoleSpecialCase(profile);
-    add32(TrustedImm32(1), Address(regT2, ArrayStorage::numValuesInVectorOffset()));
-    branch32(Below, regT1, Address(regT2, ArrayStorage::lengthOffset())).linkTo(storeResult, this);
-
-    add32(TrustedImm32(1), regT1);
-    store32(regT1, Address(regT2, ArrayStorage::lengthOffset()));
-    sub32(TrustedImm32(1), regT1);
-    jump().linkTo(storeResult, this);
-
-    end.link(this);
-    
-    return slowCases;
+
+    emitGetVirtualRegister(base, regT0);
+    emitGetVirtualRegister(property, regT1);
+    emitGetVirtualRegister(value, regT2);
+    move(TrustedImmPtr(profile), regT3);
+
+    emitJumpSlowCaseIfNotJSCell(regT0, base);
+    emitArrayProfilingSiteWithCell(regT0, regT3, regT4);
+
+    JITPutByValGenerator gen(
+        m_codeBlock, JITType::BaselineJIT, CodeOrigin(m_bytecodeIndex), CallSiteIndex(m_bytecodeIndex), AccessType::PutByVal, RegisterSet::stubUnavailableRegisters(),
+        JSValueRegs(regT0), JSValueRegs(regT1), JSValueRegs(regT2), regT3, regT4);
+    if (isOperandConstantInt(property))
+        gen.stubInfo()->propertyIsInt32 = true;
+    gen.generateFastPath(*this);
+    if (!JITCode::useDataIC(JITType::BaselineJIT))
+        addSlowCase(gen.slowPathJump());
+    else
+        addSlowCase();
+    m_putByVals.append(gen);
+
+    // IC can write new Structure without write-barrier if a base is cell.
+    // FIXME: Use UnconditionalWriteBarrier in Baseline effectively to reduce code size.
+    // https://bugs.webkit.org/show_bug.cgi?id=209395
+    emitWriteBarrier(base, ShouldFilterBase);
 }
 
@@ -663 +518 @@
     VirtualRegister value;
     ECMAMode ecmaMode = ECMAMode::strict();
+    ArrayProfile* profile = nullptr;
 
     auto load = [&](auto bytecode) {
@@ -669 +525 @@
         value = bytecode.m_value;
         ecmaMode = bytecode.m_ecmaMode;
+        auto& metadata = bytecode.metadata(m_codeBlock);
+        profile = &metadata.m_arrayProfile;
     };
 
@@ -676 +534 @@
         load(currentInstruction->as<OpPutByVal>());
 
-    ByValInfo* byValInfo = m_byValCompilationInfo[m_byValInstructionIndex].byValInfo;
+    JITPutByValGenerator& gen = m_putByVals[m_putByValIndex++];
 
     linkAllSlowCases(iter);
-    Label slowPath = label();
+
+    Label coldPathBegin = label();
 
 #if !ENABLE(EXTRA_CTI_THUNKS)
-    emitGetVirtualRegister(base, regT0);
-    emitGetVirtualRegister(property, regT1);
-    emitGetVirtualRegister(value, regT2);
-    Call call = callOperation(isDirect ? operationDirectPutByValOptimize : operationPutByValOptimize, TrustedImmPtr(m_codeBlock->globalObject()), regT0, regT1, regT2, byValInfo, TrustedImm32(ecmaMode.value()));
+    // They are configured in the fast path and not clobbered.
+    Call call = callOperation(isDirect ? (ecmaMode.isStrict() ? operationDirectPutByValStrictOptimize : operationDirectPutByValNonStrictOptimize) : (ecmaMode.isStrict() ? operationPutByValStrictOptimize : operationPutByValNonStrictOptimize), TrustedImmPtr(m_codeBlock->globalObject()), regT0, regT1, regT2, gen.stubInfo(), regT3);
 #else
     VM& vm = this->vm();
@@ -691 +548 @@
     ASSERT(BytecodeIndex(bytecodeOffset) == m_bytecodeIndex);
 
-    constexpr GPRReg bytecodeOffsetGPR = argumentGPR0;
+    // They are configured in the fast path and not clobbered.
+    // constexpr GPRReg baseGPR = regT0;
+    // constexpr GPRReg propertyGPR = regT1;
+    // constexpr GPRReg valueGPR = regT2;
+    // constexpr GPRReg profileGPR = regT3;
+    constexpr GPRReg stubInfoGPR = regT4;
+    constexpr GPRReg bytecodeOffsetGPR = regT5;
     move(TrustedImm32(bytecodeOffset), bytecodeOffsetGPR);
-
-    constexpr GPRReg baseGPR = argumentGPR1;
-    constexpr GPRReg propertyGPR = argumentGPR2;
-    constexpr GPRReg valuePR = argumentGPR3;
-    constexpr GPRReg byValInfoGPR = argumentGPR4;
-    constexpr GPRReg ecmaModeGPR = argumentGPR5;
-
-    emitGetVirtualRegister(base, baseGPR);
-    emitGetVirtualRegister(property, propertyGPR);
-    emitGetVirtualRegister(value, valuePR);
-    move(TrustedImmPtr(byValInfo), byValInfoGPR);
-    move(TrustedImm32(ecmaMode.value()), ecmaModeGPR);
+    move(TrustedImmPtr(gen.stubInfo()), stubInfoGPR);
     emitNakedNearCall(vm.getCTIStub(slow_op_put_by_val_prepareCallGenerator).retaggedCode<NoPtrTag>());
-
     Call call;
+    auto operation = isDirect ? (ecmaMode.isStrict() ? operationDirectPutByValStrictOptimize : operationDirectPutByValNonStrictOptimize) : (ecmaMode.isStrict() ? operationPutByValStrictOptimize : operationPutByValNonStrictOptimize);
     if (JITCode::useDataIC(JITType::BaselineJIT))
-        byValInfo->m_slowOperation = isDirect ? operationDirectPutByValOptimize : operationPutByValOptimize;
-    else
-        call = appendCall(isDirect ? operationDirectPutByValOptimize : operationPutByValOptimize);
+        gen.stubInfo()->m_slowOperation = operation;
+    else
+        call = appendCall(operation);
     emitNakedNearCall(vm.getCTIStub(checkExceptionGenerator).retaggedCode<NoPtrTag>());
 #endif // ENABLE(EXTRA_CTI_THUNKS)
 
-    m_byValCompilationInfo[m_byValInstructionIndex].slowPathTarget = slowPath;
-    m_byValCompilationInfo[m_byValInstructionIndex].returnAddress = call;
-    m_byValInstructionIndex++;
+    gen.reportSlowPathCall(coldPathBegin, call);
 }
 
@@ -732 +582 @@
         jit.tagReturnAddress();
 
-    constexpr GPRReg bytecodeOffsetGPR = argumentGPR0;
+    constexpr GPRReg globalObjectGPR = regT5;
+    constexpr GPRReg baseGPR = regT0;
+    constexpr GPRReg propertyGPR = regT1;
+    constexpr GPRReg valueGPR = regT2;
+    constexpr GPRReg stubInfoGPR = regT4;
+    constexpr GPRReg profileGPR = regT3;
+    constexpr GPRReg bytecodeOffsetGPR = regT5;
+
     jit.store32(bytecodeOffsetGPR, tagFor(CallFrameSlot::argumentCountIncludingThis));
-
-    constexpr GPRReg globalObjectGPR = argumentGPR0;
-    constexpr GPRReg baseGPR = argumentGPR1;
-    constexpr GPRReg propertyGPR = argumentGPR2;
-    constexpr GPRReg valuePR = argumentGPR3;
-    constexpr GPRReg byValInfoGPR = argumentGPR4;
-    constexpr GPRReg ecmaModeGPR = argumentGPR5;
-
     jit.loadPtr(addressFor(CallFrameSlot::codeBlock), globalObjectGPR);
     jit.loadPtr(Address(globalObjectGPR, CodeBlock::offsetOfGlobalObject()), globalObjectGPR);
 
-    jit.setupArguments<decltype(operationPutByValOptimize)>(globalObjectGPR, baseGPR, propertyGPR, valuePR, byValInfoGPR, ecmaModeGPR);
+    jit.setupArguments<decltype(operationPutByValStrictOptimize)>(globalObjectGPR, baseGPR, propertyGPR, valueGPR, stubInfoGPR, profileGPR);
     jit.prepareCallOperation(vm);
 
     if (JITCode::useDataIC(JITType::BaselineJIT))
-        jit.farJump(Address(argumentGPR4, ByValInfo::offsetOfSlowOperation()), OperationPtrTag);
+        jit.farJump(Address(argumentGPR4, StructureStubInfo::offsetOfSlowOperation()), OperationPtrTag);
     else
         jit.ret();
@@ -811 +660 @@
     constexpr GPRReg baseGPR = argumentGPR1;
     constexpr GPRReg propertyGPR = argumentGPR2;
-    constexpr GPRReg valuePR = argumentGPR3;
+    constexpr GPRReg valueGPR = argumentGPR3;
     constexpr GPRReg byValInfoGPR = argumentGPR4;
     constexpr GPRReg putKindGPR = argumentGPR5;
@@ -817 +666 @@
     emitGetVirtualRegister(bytecode.m_base, baseGPR);
     emitGetVirtualRegister(bytecode.m_property, propertyGPR);
-    emitGetVirtualRegister(bytecode.m_value, valuePR);
+    emitGetVirtualRegister(bytecode.m_value, valueGPR);
     move(TrustedImmPtr(byValInfo), byValInfoGPR);
     move(TrustedImm32(putKind.value()), putKindGPR);
@@ -853 +702 @@
     constexpr GPRReg baseGPR = argumentGPR1;
     constexpr GPRReg propertyGPR = argumentGPR2;
-    constexpr GPRReg valuePR = argumentGPR3;
+    constexpr GPRReg valueGPR = argumentGPR3;
     constexpr GPRReg byValInfoGPR = argumentGPR4;
     constexpr GPRReg putKindGPR = argumentGPR5;
@@ -860 +709 @@
     jit.loadPtr(Address(globalObjectGPR, CodeBlock::offsetOfGlobalObject()), globalObjectGPR);
 
-    jit.setupArguments<decltype(operationPutPrivateNameOptimize)>(globalObjectGPR, baseGPR, propertyGPR, valuePR, byValInfoGPR, putKindGPR);
+    jit.setupArguments<decltype(operationPutPrivateNameOptimize)>(globalObjectGPR, baseGPR, propertyGPR, valueGPR, byValInfoGPR, putKindGPR);
     jit.prepareCallOperation(vm);
 
@@ -3292 +3141 @@
 }
 
-template<typename Op>
-void JIT::privateCompilePutByVal(const ConcurrentJSLocker&, ByValInfo* byValInfo, ReturnAddressPtr returnAddress, JITArrayMode arrayMode)
-{
-    const Instruction* currentInstruction = m_codeBlock->instructions().at(byValInfo->bytecodeIndex).ptr();
-    auto bytecode = currentInstruction->as<Op>();
-    
-    PatchableJump badType;
-    JumpList slowCases;
-
-    bool needsLinkForWriteBarrier = false;
-
-    switch (arrayMode) {
-    case JITInt32:
-        slowCases = emitInt32PutByVal(bytecode, badType, nullptr);
-        break;
-    case JITDouble:
-        slowCases = emitDoublePutByVal(bytecode, badType, nullptr);
-        break;
-    case JITContiguous:
-        slowCases = emitContiguousPutByVal(bytecode, badType, nullptr);
-        needsLinkForWriteBarrier = true;
-        break;
-    case JITArrayStorage:
-        slowCases = emitArrayStoragePutByVal(bytecode, badType, nullptr);
-        needsLinkForWriteBarrier = true;
-        break;
-    default:
-        TypedArrayType type = typedArrayTypeForJITArrayMode(arrayMode);
-        if (isInt(type))
-            slowCases = emitIntTypedArrayPutByVal(bytecode, badType, nullptr, type);
-        else {
-            // FIXME: Optimize BigInt64Array / BigUint64Array in IC
-            // Currently, BigInt64Array / BigUint64Array never comes here.
-            // https://bugs.webkit.org/show_bug.cgi?id=221183
-            ASSERT(isFloat(type));
-            slowCases = emitFloatTypedArrayPutByVal(bytecode, badType, nullptr, type);
-        }
-        break;
-    }
-    
-    Jump done = jump();
-
-    LinkBuffer patchBuffer(*this, m_codeBlock, LinkBuffer::Profile::InlineCache);
-    patchBuffer.link(badType, byValInfo->slowPathTarget);
-    patchBuffer.link(slowCases, byValInfo->slowPathTarget);
-    patchBuffer.link(done, byValInfo->doneTarget);
-    if (needsLinkForWriteBarrier) {
-        ASSERT(removeCodePtrTag(m_farCalls.last().callee.executableAddress()) == removeCodePtrTag(operationWriteBarrierSlowPath));
-        patchBuffer.link(m_farCalls.last().from, m_farCalls.last().callee);
-    }
-    
-    bool isDirect = currentInstruction->opcodeID() == op_put_by_val_direct;
-    if (!isDirect) {
-        byValInfo->stubRoutine = FINALIZE_CODE_FOR_STUB(
-            m_codeBlock, patchBuffer, JITStubRoutinePtrTag,
-            "Baseline put_by_val stub for %s, return point %p", toCString(*m_codeBlock).data(), returnAddress.untaggedValue());
-        
-    } else {
-        byValInfo->stubRoutine = FINALIZE_CODE_FOR_STUB(
-            m_codeBlock, patchBuffer, JITStubRoutinePtrTag,
-            "Baseline put_by_val_direct stub for %s, return point %p", toCString(*m_codeBlock).data(), returnAddress.untaggedValue());
-    }
-
-    if (JITCode::useDataIC(JITType::BaselineJIT)) {
-        byValInfo->m_badTypeJumpTarget = CodeLocationLabel<JITStubRoutinePtrTag>(byValInfo->stubRoutine->code().code());
-        byValInfo->m_slowOperation = isDirect ? operationDirectPutByValGeneric : operationPutByValGeneric;
-    } else {
-        MacroAssembler::repatchJump(byValInfo->m_badTypeJump, CodeLocationLabel<JITStubRoutinePtrTag>(byValInfo->stubRoutine->code().code()));
-        MacroAssembler::repatchCall(CodeLocationCall<ReturnAddressPtrTag>(MacroAssemblerCodePtr<ReturnAddressPtrTag>(returnAddress)), FunctionPtr<OperationPtrTag>(isDirect ? operationDirectPutByValGeneric : operationPutByValGeneric));
-    }
-}
-// This function is only consumed from another translation unit (JITOperations.cpp),
-// so we list off the two expected specializations in advance.
-template void JIT::privateCompilePutByVal<OpPutByVal>(const ConcurrentJSLocker&, ByValInfo*, ReturnAddressPtr, JITArrayMode);
-template void JIT::privateCompilePutByVal<OpPutByValDirect>(const ConcurrentJSLocker&, ByValInfo*, ReturnAddressPtr, JITArrayMode);
-
 void JIT::privateCompilePutPrivateNameWithCachedId(ByValInfo* byValInfo, ReturnAddressPtr returnAddress, CacheableIdentifier propertyName)
 {
@@ -3409 +3182 @@
 }
 
-template<typename Op>
-void JIT::privateCompilePutByValWithCachedId(ByValInfo* byValInfo, ReturnAddressPtr returnAddress, PutKind putKind, CacheableIdentifier propertyName)
-{
-    ASSERT((putKind == PutKind::Direct && Op::opcodeID == op_put_by_val_direct) || (putKind == PutKind::NotDirect && Op::opcodeID == op_put_by_val));
-    const Instruction* currentInstruction = m_codeBlock->instructions().at(byValInfo->bytecodeIndex).ptr();
-    auto bytecode = currentInstruction->as<Op>();
-
-    JumpList doneCases;
-    JumpList slowCases;
-
-    JITPutByIdGenerator gen = emitPutByValWithCachedId(bytecode, putKind, propertyName, doneCases, slowCases);
-
-    ConcurrentJSLocker locker(m_codeBlock->m_lock);
-    LinkBuffer patchBuffer(*this, m_codeBlock, LinkBuffer::Profile::InlineCache);
-    patchBuffer.link(slowCases, byValInfo->slowPathTarget);
-    patchBuffer.link(doneCases, byValInfo->doneTarget);
-    if (!m_exceptionChecks.empty())
-        patchBuffer.link(m_exceptionChecks, byValInfo->exceptionHandler);
-
-    for (const auto& callSite : m_nearCalls) {
-        if (callSite.callee)
-            patchBuffer.link(callSite.from, callSite.callee);
-    }
-    for (const auto& callSite : m_farCalls) {
-        if (callSite.callee)
-            patchBuffer.link(callSite.from, callSite.callee);
-    }
-    gen.finalize(patchBuffer, patchBuffer);
-
-    byValInfo->stubRoutine = FINALIZE_CODE_FOR_STUB(
-        m_codeBlock, patchBuffer, JITStubRoutinePtrTag,
-        "Baseline put_by_val%s with cached property name '%s' stub for %s, return point %p", (putKind == PutKind::Direct) ? "_direct" : "", propertyName.uid()->utf8().data(), toCString(*m_codeBlock).data(), returnAddress.untaggedValue());
-    byValInfo->stubInfo = gen.stubInfo();
-
-    if (JITCode::useDataIC(JITType::BaselineJIT)) {
-        byValInfo->m_notIndexJumpTarget = CodeLocationLabel<JITStubRoutinePtrTag>(byValInfo->stubRoutine->code().code());
-        byValInfo->m_slowOperation = putKind == PutKind::Direct ? operationDirectPutByValGeneric : operationPutByValGeneric;
-    } else {
-        MacroAssembler::repatchJump(byValInfo->m_notIndexJump, CodeLocationLabel<JITStubRoutinePtrTag>(byValInfo->stubRoutine->code().code()));
-        MacroAssembler::repatchCall(CodeLocationCall<ReturnAddressPtrTag>(MacroAssemblerCodePtr<ReturnAddressPtrTag>(returnAddress)), FunctionPtr<OperationPtrTag>(putKind == PutKind::Direct ? operationDirectPutByValGeneric : operationPutByValGeneric));
-    }
-}
-// This function is only consumed from another translation unit (JITOperations.cpp),
-// so we list off the two expected specializations in advance.
-template void JIT::privateCompilePutByValWithCachedId<OpPutByVal>(ByValInfo*, ReturnAddressPtr, PutKind, CacheableIdentifier);
-template void JIT::privateCompilePutByValWithCachedId<OpPutByValDirect>(ByValInfo*, ReturnAddressPtr, PutKind, CacheableIdentifier);
-
-template<typename Op>
-JIT::JumpList JIT::emitIntTypedArrayPutByVal(Op bytecode, PatchableJump& badType, ByValInfo* byValInfo, TypedArrayType type)
-{
-    auto& metadata = bytecode.metadata(m_codeBlock);
-    ArrayProfile* profile = &metadata.m_arrayProfile;
-    ASSERT(isInt(type));
-    
-    VirtualRegister value = bytecode.m_value;
-
-#if USE(JSVALUE64)
-    RegisterID base = regT0;
-    RegisterID property = regT1;
-    RegisterID earlyScratch = regT3;
-    RegisterID lateScratch = regT2;
-    RegisterID lateScratch2 = regT4;
-#else
-    RegisterID base = regT0;
-    RegisterID property = regT2;
-    RegisterID earlyScratch = regT3;
-    RegisterID lateScratch = regT1;
-    RegisterID lateScratch2 = regT4;
-#endif
-    
-    JumpList slowCases;
-    
-    load8(Address(base, JSCell::typeInfoTypeOffset()), earlyScratch);
-
-    if (JITCode::useDataIC(JITType::BaselineJIT)) {
-        if (byValInfo) {
-            auto isCorrectType = branch32(Equal, earlyScratch, TrustedImm32(typeForTypedArrayType(type)));
-            farJump(AbsoluteAddress(&byValInfo->m_badTypeJumpTarget), JITStubRoutinePtrTag);
-            isCorrectType.link(this);
-        } else
-            badType = patchableBranch32(NotEqual, earlyScratch, TrustedImm32(typeForTypedArrayType(type)));
-    } else
-        badType = patchableBranch32(NotEqual, earlyScratch, TrustedImm32(typeForTypedArrayType(type)));
-
-    load32(Address(base, JSArrayBufferView::offsetOfLength()), lateScratch2);
-    Jump inBounds = branch32(Below, property, lateScratch2);
-    emitArrayProfileOutOfBoundsSpecialCase(profile);
-    slowCases.append(jump());
-    inBounds.link(this);
-    
-#if USE(JSVALUE64)
-    emitGetVirtualRegister(value, earlyScratch);
-    slowCases.append(branchIfNotInt32(earlyScratch));
-#else
-    emitLoad(value, lateScratch, earlyScratch);
-    slowCases.append(branchIfNotInt32(lateScratch));
-#endif
-    
-    // We would be loading this into base as in get_by_val, except that the slow
-    // path expects the base to be unclobbered.
-    loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
-    cageConditionallyAndUntag(Gigacage::Primitive, lateScratch, lateScratch2, lateScratch2, false);
-    
-    if (isClamped(type)) {
-        ASSERT(elementSize(type) == 1);
-        ASSERT(!JSC::isSigned(type));
-        Jump inBounds = branch32(BelowOrEqual, earlyScratch, TrustedImm32(0xff));
-        Jump tooBig = branch32(GreaterThan, earlyScratch, TrustedImm32(0xff));
-        xor32(earlyScratch, earlyScratch);
-        Jump clamped = jump();
-        tooBig.link(this);
-        move(TrustedImm32(0xff), earlyScratch);
-        clamped.link(this);
-        inBounds.link(this);
-    }
-    
-    switch (elementSize(type)) {
-    case 1:
-        store8(earlyScratch, BaseIndex(lateScratch, property, TimesOne));
-        break;
-    case 2:
-        store16(earlyScratch, BaseIndex(lateScratch, property, TimesTwo));
-        break;
-    case 4:
-        store32(earlyScratch, BaseIndex(lateScratch, property, TimesFour));
-        break;
-    default:
-        CRASH();
-    }
-    
-    return slowCases;
-}
-
-template<typename Op>
-JIT::JumpList JIT::emitFloatTypedArrayPutByVal(Op bytecode, PatchableJump& badType, ByValInfo* byValInfo, TypedArrayType type)
-{
-    auto& metadata = bytecode.metadata(m_codeBlock);
-    ArrayProfile* profile = &metadata.m_arrayProfile;
-    ASSERT(isFloat(type));
-    
-    VirtualRegister value = bytecode.m_value;
-
-#if USE(JSVALUE64)
-    RegisterID base = regT0;
-    RegisterID property = regT1;
-    RegisterID earlyScratch = regT3;
-    RegisterID lateScratch = regT2;
-    RegisterID lateScratch2 = regT4;
-#else
-    RegisterID base = regT0;
-    RegisterID property = regT2;
-    RegisterID earlyScratch = regT3;
-    RegisterID lateScratch = regT1;
-    RegisterID lateScratch2 = regT4;
-#endif
-    
-    JumpList slowCases;
-    
-    load8(Address(base, JSCell::typeInfoTypeOffset()), earlyScratch);
-
-    if (JITCode::useDataIC(JITType::BaselineJIT)) {
-        if (byValInfo) {
-            auto isCorrectType = branch32(Equal, earlyScratch, TrustedImm32(typeForTypedArrayType(type)));
-            farJump(AbsoluteAddress(&byValInfo->m_badTypeJumpTarget), JITStubRoutinePtrTag);
-            isCorrectType.link(this);
-        } else
-            badType = patchableBranch32(NotEqual, earlyScratch, TrustedImm32(typeForTypedArrayType(type)));
-    } else
-        badType = patchableBranch32(NotEqual, earlyScratch, TrustedImm32(typeForTypedArrayType(type)));
-
-    load32(Address(base, JSArrayBufferView::offsetOfLength()), lateScratch2);
-    Jump inBounds = branch32(Below, property, lateScratch2);
-    emitArrayProfileOutOfBoundsSpecialCase(profile);
-    slowCases.append(jump());
-    inBounds.link(this);
-    
-#if USE(JSVALUE64)
-    emitGetVirtualRegister(value, earlyScratch);
-    Jump doubleCase = branchIfNotInt32(earlyScratch);
-    convertInt32ToDouble(earlyScratch, fpRegT0);
-    Jump ready = jump();
-    doubleCase.link(this);
-    slowCases.append(branchIfNotNumber(earlyScratch));
-    add64(numberTagRegister, earlyScratch);
-    move64ToDouble(earlyScratch, fpRegT0);
-    ready.link(this);
-#else
-    emitLoad(value, lateScratch, earlyScratch);
-    Jump doubleCase = branchIfNotInt32(lateScratch);
-    convertInt32ToDouble(earlyScratch, fpRegT0);
-    Jump ready = jump();
-    doubleCase.link(this);
-    slowCases.append(branch32(Above, lateScratch, TrustedImm32(JSValue::LowestTag)));
-    moveIntsToDouble(earlyScratch, lateScratch, fpRegT0);
-    ready.link(this);
-#endif
-    
-    // We would be loading this into base as in get_by_val, except that the slow
-    // path expects the base to be unclobbered.
-    loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
-    cageConditionallyAndUntag(Gigacage::Primitive, lateScratch, lateScratch2, lateScratch2, false);
-    
-    switch (elementSize(type)) {
-    case 4:
-        convertDoubleToFloat(fpRegT0, fpRegT0);
-        storeFloat(fpRegT0, BaseIndex(lateScratch, property, TimesFour));
-        break;
-    case 8:
-        storeDouble(fpRegT0, BaseIndex(lateScratch, property, TimesEight));
-        break;
-    default:
-        CRASH();
-    }
-    
-    return slowCases;
-}
-
 } // namespace JSC
 

trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp

@@ -467 +467 @@
     VirtualRegister base = bytecode.m_base;
     VirtualRegister property = bytecode.m_property;
-    ArrayProfile* profile = &metadata.m_arrayProfile;
-    ByValInfo* byValInfo = m_codeBlock->addByValInfo(m_bytecodeIndex);
-    
-    emitLoad2(base, regT1, regT0, property, regT3, regT2);
-    
-    emitJumpSlowCaseIfNotJSCell(base, regT1);
-    PatchableJump notIndex = patchableBranch32(NotEqual, regT3, TrustedImm32(JSValue::Int32Tag));
-    addSlowCase(notIndex);
-    emitArrayProfilingSiteWithCell(regT0, profile, regT1);
-    
-    PatchableJump badType;
-    JumpList slowCases;
-
-    // FIXME: Maybe we should do this inline?
-    load8(Address(regT0, JSCell::indexingTypeAndMiscOffset()), regT1);
-    addSlowCase(branchTest32(NonZero, regT1, TrustedImm32(CopyOnWrite)));
-    and32(TrustedImm32(IndexingShapeMask), regT1);
-    
-    JITArrayMode mode = chooseArrayMode(profile);
-    switch (mode) {
-    case JITInt32:
-        slowCases = emitInt32PutByVal(bytecode, badType, byValInfo);
-        break;
-    case JITDouble:
-        slowCases = emitDoublePutByVal(bytecode, badType, byValInfo);
-        break;
-    case JITContiguous:
-        slowCases = emitContiguousPutByVal(bytecode, badType, byValInfo);
-        break;
-    case JITArrayStorage:
-        slowCases = emitArrayStoragePutByVal(bytecode, badType, byValInfo);
-        break;
-    default:
-        CRASH();
-        break;
-    }
-    
-    addSlowCase(badType);
-    addSlowCase(slowCases);
-    
-    Label done = label();
-    
-    m_byValCompilationInfo.append(ByValCompilationInfo(byValInfo, m_bytecodeIndex, notIndex, badType, mode, profile, done, done));
-}
-
-template <typename Op>
-JIT::JumpList JIT::emitGenericContiguousPutByVal(Op bytecode, PatchableJump& badType, ByValInfo* byValInfo, IndexingType indexingShape)
-{
-    auto& metadata = bytecode.metadata(m_codeBlock);
-    VirtualRegister base = bytecode.m_base;
     VirtualRegister value = bytecode.m_value;
     ArrayProfile* profile = &metadata.m_arrayProfile;
 
-    JumpList slowCases;
-    
-    UNUSED_PARAM(byValInfo);
-    badType = patchableBranch32(NotEqual, regT1, TrustedImm32(ContiguousShape));
-    
-    loadPtr(Address(regT0, JSObject::butterflyOffset()), regT3);
-    Jump outOfBounds = branch32(AboveOrEqual, regT2, Address(regT3, Butterfly::offsetOfPublicLength()));
-    
-    Label storeResult = label();
-    emitLoad(value, regT1, regT0);
-    switch (indexingShape) {
-    case Int32Shape:
-        slowCases.append(branchIfNotInt32(regT1));
-        store32(regT0, BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload)));
-        store32(regT1, BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
-        break;
-    case ContiguousShape:
-        store32(regT0, BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload)));
-        store32(regT1, BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
-        emitLoad(base, regT2, regT3);
-        emitWriteBarrier(base, value, ShouldFilterValue);
-        break;
-    case DoubleShape: {
-        Jump notInt = branchIfNotInt32(regT1);
-        convertInt32ToDouble(regT0, fpRegT0);
-        Jump ready = jump();
-        notInt.link(this);
-        moveIntsToDouble(regT0, regT1, fpRegT0);
-        slowCases.append(branchIfNaN(fpRegT0));
-        ready.link(this);
-        storeDouble(fpRegT0, BaseIndex(regT3, regT2, TimesEight));
-        break;
-    }
-    default:
-        CRASH();
-        break;
-    }
-        
-    Jump done = jump();
-    
-    outOfBounds.link(this);
-    slowCases.append(branch32(AboveOrEqual, regT2, Address(regT3, Butterfly::offsetOfVectorLength())));
-    
-    emitArrayProfileStoreToHoleSpecialCase(profile);
-    
-    add32(TrustedImm32(1), regT2, regT1);
-    store32(regT1, Address(regT3, Butterfly::offsetOfPublicLength()));
-    jump().linkTo(storeResult, this);
-    
-    done.link(this);
-    
-    return slowCases;
-}
-
-template <typename Op>
-JIT::JumpList JIT::emitArrayStoragePutByVal(Op bytecode, PatchableJump& badType, ByValInfo* byValInfo)
-{
-    auto& metadata = bytecode.metadata(m_codeBlock);
-    VirtualRegister base = bytecode.m_base;
-    VirtualRegister value = bytecode.m_value;
-    ArrayProfile* profile = &metadata.m_arrayProfile;
-
-    JumpList slowCases;
-    
-    UNUSED_PARAM(byValInfo);
-    badType = patchableBranch32(NotEqual, regT1, TrustedImm32(ArrayStorageShape));
-    
-    loadPtr(Address(regT0, JSObject::butterflyOffset()), regT3);
-    slowCases.append(branch32(AboveOrEqual, regT2, Address(regT3, ArrayStorage::vectorLengthOffset())));
-
-    Jump empty = branch32(Equal, BaseIndex(regT3, regT2, TimesEight, ArrayStorage::vectorOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), TrustedImm32(JSValue::EmptyValueTag));
-    
-    Label storeResult(this);
-    emitLoad(value, regT1, regT0);
-    store32(regT0, BaseIndex(regT3, regT2, TimesEight, ArrayStorage::vectorOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.payload))); // payload
-    store32(regT1, BaseIndex(regT3, regT2, TimesEight, ArrayStorage::vectorOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.tag))); // tag
-    Jump end = jump();
-    
-    empty.link(this);
-    emitArrayProfileStoreToHoleSpecialCase(profile);
-    add32(TrustedImm32(1), Address(regT3, OBJECT_OFFSETOF(ArrayStorage, m_numValuesInVector)));
-    branch32(Below, regT2, Address(regT3, ArrayStorage::lengthOffset())).linkTo(storeResult, this);
-    
-    add32(TrustedImm32(1), regT2, regT0);
-    store32(regT0, Address(regT3, ArrayStorage::lengthOffset()));
-    jump().linkTo(storeResult, this);
-    
-    end.link(this);
-    
-    emitWriteBarrier(base, value, ShouldFilterValue);
-    
-    return slowCases;
+    emitLoad2(base, regT1, regT0, property, regT3, regT2);
+    emitLoad(value, regT5, regT4);
+    move(TrustedImmPtr(profile), regT6);
+    emitJumpSlowCaseIfNotJSCell(base, regT1);
+    emitArrayProfilingSiteWithCell(regT0, regT6, regT7);
+
+    JITPutByValGenerator gen(
+        m_codeBlock, JITType::BaselineJIT, CodeOrigin(m_bytecodeIndex), CallSiteIndex(m_bytecodeIndex), AccessType::PutByVal, RegisterSet::stubUnavailableRegisters(),
+        JSValueRegs(regT1, regT0), JSValueRegs(regT3, regT2), JSValueRegs(regT5, regT4), regT6, InvalidGPRReg);
+    gen.generateFastPath(*this);
+    addSlowCase(gen.slowPathJump());
+    m_putByVals.append(gen);
+
+    // IC can write new Structure without write-barrier if a base is cell.
+    // FIXME: Use UnconditionalWriteBarrier in Baseline effectively to reduce code size.
+    // https://bugs.webkit.org/show_bug.cgi?id=209395
+    emitWriteBarrier(base, ShouldFilterBase);
 }
 
@@ -621 +496 @@
     VirtualRegister value;
     ECMAMode ecmaMode = ECMAMode::strict();
+    ArrayProfile* profile = nullptr;
 
     auto load = [&](auto bytecode) {
@@ -627 +503 @@
         value = bytecode.m_value;
         ecmaMode = JIT::ecmaMode(bytecode);
+        auto& metadata = bytecode.metadata(m_codeBlock);
+        profile = &metadata.m_arrayProfile;
     };
 
@@ -634 +512 @@
         load(currentInstruction->as<OpPutByVal>());
 
-    ByValInfo* byValInfo = m_byValCompilationInfo[m_byValInstructionIndex].byValInfo;
-    
-    linkAllSlowCases(iter);
-    Label slowPath = label();
-    
+    JITPutByValGenerator& gen = m_putByVals[m_putByValIndex++];
+
+    linkAllSlowCases(iter);
+
+    Label coldPathBegin = label();
+
     // The register selection below is chosen to reduce register swapping on ARM.
     // Swapping shouldn't happen on other platforms.
-    emitLoad(base, regT2, regT1);
-    emitLoad(property, regT3, regT0);
+    emitLoad2(base, regT2, regT1, property, regT3, regT0);
     emitLoad(value, regT5, regT4);
-    Call call = callOperation(isDirect ? operationDirectPutByValOptimize : operationPutByValOptimize, m_codeBlock->globalObject(), JSValueRegs(regT2, regT1), JSValueRegs(regT3, regT0), JSValueRegs(regT5, regT4), byValInfo, TrustedImm32(ecmaMode.value()));
-
-    m_byValCompilationInfo[m_byValInstructionIndex].slowPathTarget = slowPath;
-    m_byValCompilationInfo[m_byValInstructionIndex].returnAddress = call;
-    m_byValInstructionIndex++;
+
+    Call call = callOperation(isDirect ? (ecmaMode.isStrict() ? operationDirectPutByValStrictOptimize : operationDirectPutByValNonStrictOptimize) : (ecmaMode.isStrict() ? operationPutByValStrictOptimize : operationPutByValNonStrictOptimize), TrustedImmPtr(m_codeBlock->globalObject()), JSValueRegs(regT2, regT1), JSValueRegs(regT3, regT0), JSValueRegs(regT5, regT4), gen.stubInfo(), profile);
+
+    gen.reportSlowPathCall(coldPathBegin, call);
 }
 

trunk/Source/JavaScriptCore/jit/Repatch.cpp

@@ -569 +569 @@
 }
 
-static auto appropriateGenericPutByIdFunction(const PutPropertySlot &slot, PutKind putKind) -> decltype(&operationPutByIdDirectStrict)
-{
-    switch (putKind) {
-    case PutKind::NotDirect:
-        if (slot.isStrictMode())
-            return operationPutByIdStrict;
-        return operationPutByIdNonStrict;
-    case PutKind::Direct:
-        if (slot.isStrictMode())
-            return operationPutByIdDirectStrict;
-        return operationPutByIdDirectNonStrict;
-    case PutKind::DirectPrivateFieldDefine:
-        ASSERT(slot.isStrictMode());
-        return operationPutByIdDefinePrivateFieldStrict;
-    case PutKind::DirectPrivateFieldSet:
-        ASSERT(slot.isStrictMode());
-        return operationPutByIdSetPrivateFieldStrict;
+static FunctionPtr<CFunctionPtrTag> appropriateGenericPutByFunction(const PutPropertySlot &slot, PutByKind putByKind, PutKind putKind)
+{
+    switch (putByKind) {
+    case PutByKind::ById: {
+        switch (putKind) {
+        case PutKind::NotDirect:
+            if (slot.isStrictMode())
+                return operationPutByIdStrict;
+            return operationPutByIdNonStrict;
+        case PutKind::Direct:
+            if (slot.isStrictMode())
+                return operationPutByIdDirectStrict;
+            return operationPutByIdDirectNonStrict;
+        case PutKind::DirectPrivateFieldDefine:
+            ASSERT(slot.isStrictMode());
+            return operationPutByIdDefinePrivateFieldStrict;
+        case PutKind::DirectPrivateFieldSet:
+            ASSERT(slot.isStrictMode());
+            return operationPutByIdSetPrivateFieldStrict;
+        }
+        break;
+    }
+    case PutByKind::ByVal: {
+        switch (putKind) {
+        case PutKind::NotDirect:
+            if (slot.isStrictMode())
+                return operationPutByValStrictGeneric;
+            return operationPutByValNonStrictGeneric;
+        case PutKind::Direct:
+            if (slot.isStrictMode())
+                return operationDirectPutByValStrictGeneric;
+            return operationDirectPutByValNonStrictGeneric;
+        default:
+            RELEASE_ASSERT_NOT_REACHED();
+            break;
+        }
+        break;
+    }
     }
     // Make win port compiler happy
@@ -592 +613 @@
 }
 
-static auto appropriateOptimizingPutByIdFunction(const PutPropertySlot &slot, PutKind putKind) -> decltype(&operationPutByIdDirectStrictOptimize)
-{
-    switch (putKind) {
-    case PutKind::NotDirect:
-        if (slot.isStrictMode())
-            return operationPutByIdStrictOptimize;
-        return operationPutByIdNonStrictOptimize;
-    case PutKind::Direct:
-        if (slot.isStrictMode())
-            return operationPutByIdDirectStrictOptimize;
-        return operationPutByIdDirectNonStrictOptimize;
-    case PutKind::DirectPrivateFieldDefine:
-        ASSERT(slot.isStrictMode());
-        return operationPutByIdDefinePrivateFieldStrictOptimize;
-    case PutKind::DirectPrivateFieldSet:
-        ASSERT(slot.isStrictMode());
-        return operationPutByIdSetPrivateFieldStrictOptimize;
+static FunctionPtr<CFunctionPtrTag> appropriateOptimizingPutByFunction(const PutPropertySlot &slot, PutByKind putByKind, PutKind putKind)
+{
+    switch (putByKind) {
+    case PutByKind::ById:
+        switch (putKind) {
+        case PutKind::NotDirect:
+            if (slot.isStrictMode())
+                return operationPutByIdStrictOptimize;
+            return operationPutByIdNonStrictOptimize;
+        case PutKind::Direct:
+            if (slot.isStrictMode())
+                return operationPutByIdDirectStrictOptimize;
+            return operationPutByIdDirectNonStrictOptimize;
+        case PutKind::DirectPrivateFieldDefine:
+            ASSERT(slot.isStrictMode());
+            return operationPutByIdDefinePrivateFieldStrictOptimize;
+        case PutKind::DirectPrivateFieldSet:
+            ASSERT(slot.isStrictMode());
+            return operationPutByIdSetPrivateFieldStrictOptimize;
+        }
+        break;
+    case PutByKind::ByVal: {
+        switch (putKind) {
+        case PutKind::NotDirect:
+            if (slot.isStrictMode())
+                return operationPutByValStrictOptimize;
+            return operationPutByValNonStrictOptimize;
+        case PutKind::Direct:
+            if (slot.isStrictMode())
+                return operationDirectPutByValStrictOptimize;
+            return operationDirectPutByValNonStrictOptimize;
+        default:
+            RELEASE_ASSERT_NOT_REACHED();
+            break;
+        }
+        break;
+    }
     }
     // Make win port compiler happy
@@ -615 +656 @@
 }
 
-static InlineCacheAction tryCachePutByID(JSGlobalObject* globalObject, CodeBlock* codeBlock, JSValue baseValue, Structure* oldStructure, CacheableIdentifier propertyName, const PutPropertySlot& slot, StructureStubInfo& stubInfo, PutKind putKind)
+static InlineCacheAction tryCachePutBy(JSGlobalObject* globalObject, CodeBlock* codeBlock, JSValue baseValue, Structure* oldStructure, CacheableIdentifier propertyName, const PutPropertySlot& slot, StructureStubInfo& stubInfo, PutByKind putByKind, PutKind putKind)
 {
     VM& vm = globalObject->vm();
@@ -683 +724 @@
                     bool generatedCodeInline = InlineAccess::generateSelfPropertyReplace(stubInfo, oldStructure, slot.cachedOffset());
                     if (generatedCodeInline) {
-                        LOG_IC((ICEvent::PutByIdSelfPatch, oldStructure->classInfo(), ident, slot.base() == baseValue));
-                        repatchSlowPathCall(codeBlock, stubInfo, appropriateOptimizingPutByIdFunction(slot, putKind));
+                        LOG_IC((ICEvent::PutBySelfPatch, oldStructure->classInfo(), ident, slot.base() == baseValue));
+                        repatchSlowPathCall(codeBlock, stubInfo, appropriateOptimizingPutByFunction(slot, putByKind, putKind));
                         stubInfo.initPutByIdReplace(locker, codeBlock, oldStructure, slot.cachedOffset(), propertyName);
                         return RetryCacheLater;
@@ -818 +859 @@
         }
 
-        LOG_IC((ICEvent::PutByIdAddAccessCase, oldStructure->classInfo(), ident, slot.base() == baseValue));
+        LOG_IC((ICEvent::PutByAddAccessCase, oldStructure->classInfo(), ident, slot.base() == baseValue));
         
         result = stubInfo.addAccessCase(locker, globalObject, codeBlock, slot.isStrictMode() ? ECMAMode::strict() : ECMAMode::sloppy(), propertyName, WTFMove(newCase));
 
         if (result.generatedSomeCode()) {
-            LOG_IC((ICEvent::PutByIdReplaceWithJump, oldStructure->classInfo(), ident, slot.base() == baseValue));
+            LOG_IC((ICEvent::PutByReplaceWithJump, oldStructure->classInfo(), ident, slot.base() == baseValue));
             
             RELEASE_ASSERT(result.code());
@@ -836 +877 @@
 }
 
-void repatchPutByID(JSGlobalObject* globalObject, CodeBlock* codeBlock, JSValue baseValue, Structure* oldStructure, CacheableIdentifier propertyName, const PutPropertySlot& slot, StructureStubInfo& stubInfo, PutKind putKind)
+void repatchPutBy(JSGlobalObject* globalObject, CodeBlock* codeBlock, JSValue baseValue, Structure* oldStructure, CacheableIdentifier propertyName, const PutPropertySlot& slot, StructureStubInfo& stubInfo, PutByKind putByKind, PutKind putKind)
 {
     SuperSamplerScope superSamplerScope(false);
     
-    if (tryCachePutByID(globalObject, codeBlock, baseValue, oldStructure, propertyName, slot, stubInfo, putKind) == GiveUpOnCache)
-        repatchSlowPathCall(codeBlock, stubInfo, appropriateGenericPutByIdFunction(slot, putKind));
+    if (tryCachePutBy(globalObject, codeBlock, baseValue, oldStructure, propertyName, slot, stubInfo, putByKind, putKind) == GiveUpOnCache)
+        repatchSlowPathCall(codeBlock, stubInfo, appropriateGenericPutByFunction(slot, putByKind, putKind));
+}
+
+static InlineCacheAction tryCacheArrayPutByVal(JSGlobalObject* globalObject, CodeBlock* codeBlock, JSValue baseValue, JSValue index, StructureStubInfo& stubInfo, PutKind)
+{
+    if (!baseValue.isCell())
+        return GiveUpOnCache;
+
+    if (!index.isInt32())
+        return RetryCacheLater;
+
+    VM& vm = globalObject->vm();
+    AccessGenerationResult result;
+
+    {
+        JSCell* base = baseValue.asCell();
+
+        AccessCase::AccessType accessType;
+        if (isTypedView(base->classInfo(vm)->typedArrayStorageType)) {
+            switch (base->classInfo(vm)->typedArrayStorageType) {
+            case TypeInt8:
+                accessType = AccessCase::IndexedTypedArrayInt8Store;
+                break;
+            case TypeUint8:
+                accessType = AccessCase::IndexedTypedArrayUint8Store;
+                break;
+            case TypeUint8Clamped:
+                accessType = AccessCase::IndexedTypedArrayUint8ClampedStore;
+                break;
+            case TypeInt16:
+                accessType = AccessCase::IndexedTypedArrayInt16Store;
+                break;
+            case TypeUint16:
+                accessType = AccessCase::IndexedTypedArrayUint16Store;
+                break;
+            case TypeInt32:
+                accessType = AccessCase::IndexedTypedArrayInt32Store;
+                break;
+            case TypeUint32:
+                accessType = AccessCase::IndexedTypedArrayUint32Store;
+                break;
+            case TypeFloat32:
+                accessType = AccessCase::IndexedTypedArrayFloat32Store;
+                break;
+            case TypeFloat64:
+                accessType = AccessCase::IndexedTypedArrayFloat64Store;
+                break;
+            // FIXME: Optimize BigInt64Array / BigUint64Array in IC
+            // https://bugs.webkit.org/show_bug.cgi?id=221183
+            case TypeBigInt64:
+            case TypeBigUint64:
+                return GiveUpOnCache;
+            default:
+                RELEASE_ASSERT_NOT_REACHED();
+            }
+        } else {
+            IndexingType indexingShape = base->indexingType() & IndexingShapeMask;
+            switch (indexingShape) {
+            case Int32Shape:
+                accessType = AccessCase::IndexedInt32Store;
+                break;
+            case DoubleShape:
+                accessType = AccessCase::IndexedDoubleStore;
+                break;
+            case ContiguousShape:
+                accessType = AccessCase::IndexedContiguousStore;
+                break;
+            case ArrayStorageShape:
+                accessType = AccessCase::IndexedArrayStorageStore;
+                break;
+            default:
+                return GiveUpOnCache;
+            }
+        }
+
+        GCSafeConcurrentJSLocker locker(codeBlock->m_lock, globalObject->vm().heap);
+        result = stubInfo.addAccessCase(locker, globalObject, codeBlock, ECMAMode::strict(), nullptr, AccessCase::create(vm, codeBlock, accessType, nullptr));
+
+        if (result.generatedSomeCode()) {
+            LOG_IC((ICEvent::PutByReplaceWithJump, baseValue.classInfoOrNull(vm), Identifier()));
+
+            RELEASE_ASSERT(result.code());
+            InlineAccess::rewireStubAsJumpInAccessNotUsingInlineAccess(codeBlock, stubInfo, CodeLocationLabel<JITStubRoutinePtrTag>(result.code()));
+        }
+    }
+
+    fireWatchpointsAndClearStubIfNeeded(vm, stubInfo, codeBlock, result);
+    return result.shouldGiveUpNow() ? GiveUpOnCache : RetryCacheLater;
+}
+
+void repatchArrayPutByVal(JSGlobalObject* globalObject, CodeBlock* codeBlock, JSValue base, JSValue index, StructureStubInfo& stubInfo, PutKind putKind, ECMAMode ecmaMode)
+{
+    if (tryCacheArrayPutByVal(globalObject, codeBlock, base, index, stubInfo, putKind) == GiveUpOnCache)
+        repatchSlowPathCall(codeBlock, stubInfo, putKind == PutKind::Direct ? (ecmaMode.isStrict() ? operationDirectPutByValStrictGeneric : operationDirectPutByValNonStrictGeneric) : (ecmaMode.isStrict() ? operationPutByValStrictGeneric : operationPutByValNonStrictGeneric));
 }
 
@@ -987 +1121 @@
                 bool generatedCodeInline = InlineAccess::generateSelfInAccess(stubInfo, structure);
                 if (generatedCodeInline) {
-                    LOG_IC((ICEvent::InByIdSelfPatch, structure->classInfo(), ident, slot.slotBase() == base));
+                    LOG_IC((ICEvent::InBySelfPatch, structure->classInfo(), ident, slot.slotBase() == base));
                     structure->startWatchingPropertyForReplacements(vm, slot.cachedOffset());
                     repatchSlowPathCall(codeBlock, stubInfo, operationInByIdOptimize);
@@ -1757 +1891 @@
 }
 
-void resetPutByID(CodeBlock* codeBlock, StructureStubInfo& stubInfo)
-{
-    using FunctionType = decltype(&operationPutByIdDirectStrictOptimize);
-    FunctionType unoptimizedFunction = reinterpret_cast<FunctionType>(readPutICCallTarget(codeBlock, stubInfo).executableAddress());
-    FunctionType optimizedFunction;
-    if (unoptimizedFunction == operationPutByIdStrict || unoptimizedFunction == operationPutByIdStrictOptimize)
-        optimizedFunction = operationPutByIdStrictOptimize;
-    else if (unoptimizedFunction == operationPutByIdNonStrict || unoptimizedFunction == operationPutByIdNonStrictOptimize)
-        optimizedFunction = operationPutByIdNonStrictOptimize;
-    else if (unoptimizedFunction == operationPutByIdDirectStrict || unoptimizedFunction == operationPutByIdDirectStrictOptimize)
-        optimizedFunction = operationPutByIdDirectStrictOptimize;
-    else if (unoptimizedFunction == operationPutByIdSetPrivateFieldStrict || unoptimizedFunction == operationPutByIdSetPrivateFieldStrictOptimize)
-        optimizedFunction = operationPutByIdSetPrivateFieldStrictOptimize;
-    else if (unoptimizedFunction == operationPutByIdDefinePrivateFieldStrict || unoptimizedFunction == operationPutByIdDefinePrivateFieldStrictOptimize)
-        optimizedFunction = operationPutByIdDefinePrivateFieldStrictOptimize;
-    else {
-        ASSERT(unoptimizedFunction == operationPutByIdDirectNonStrict || unoptimizedFunction == operationPutByIdDirectNonStrictOptimize);
-        optimizedFunction = operationPutByIdDirectNonStrictOptimize;
+void resetPutBy(CodeBlock* codeBlock, StructureStubInfo& stubInfo, PutByKind kind)
+{
+    FunctionPtr<CFunctionPtrTag> optimizedFunction;
+    switch (kind) {
+    case PutByKind::ById: {
+        using FunctionType = decltype(&operationPutByIdDirectStrictOptimize);
+        FunctionType unoptimizedFunction = reinterpret_cast<FunctionType>(readPutICCallTarget(codeBlock, stubInfo).executableAddress());
+        if (unoptimizedFunction == operationPutByIdStrict || unoptimizedFunction == operationPutByIdStrictOptimize)
+            optimizedFunction = operationPutByIdStrictOptimize;
+        else if (unoptimizedFunction == operationPutByIdNonStrict || unoptimizedFunction == operationPutByIdNonStrictOptimize)
+            optimizedFunction = operationPutByIdNonStrictOptimize;
+        else if (unoptimizedFunction == operationPutByIdDirectStrict || unoptimizedFunction == operationPutByIdDirectStrictOptimize)
+            optimizedFunction = operationPutByIdDirectStrictOptimize;
+        else if (unoptimizedFunction == operationPutByIdSetPrivateFieldStrict || unoptimizedFunction == operationPutByIdSetPrivateFieldStrictOptimize)
+            optimizedFunction = operationPutByIdSetPrivateFieldStrictOptimize;
+        else if (unoptimizedFunction == operationPutByIdDefinePrivateFieldStrict || unoptimizedFunction == operationPutByIdDefinePrivateFieldStrictOptimize)
+            optimizedFunction = operationPutByIdDefinePrivateFieldStrictOptimize;
+        else {
+            ASSERT(unoptimizedFunction == operationPutByIdDirectNonStrict || unoptimizedFunction == operationPutByIdDirectNonStrictOptimize);
+            optimizedFunction = operationPutByIdDirectNonStrictOptimize;
+        }
+        break;
+    }
+    case PutByKind::ByVal: {
+        using FunctionType = decltype(&operationPutByValStrictOptimize);
+        FunctionType unoptimizedFunction = reinterpret_cast<FunctionType>(readPutICCallTarget(codeBlock, stubInfo).executableAddress());
+        if (unoptimizedFunction == operationPutByValStrictGeneric || unoptimizedFunction == operationPutByValStrictOptimize)
+            optimizedFunction = operationPutByValStrictOptimize;
+        else if (unoptimizedFunction == operationPutByValNonStrictGeneric || unoptimizedFunction == operationPutByValNonStrictOptimize)
+            optimizedFunction = operationPutByValNonStrictOptimize;
+        else if (unoptimizedFunction == operationDirectPutByValStrictGeneric || unoptimizedFunction == operationDirectPutByValStrictOptimize)
+            optimizedFunction = operationDirectPutByValStrictOptimize;
+        else {
+            ASSERT(unoptimizedFunction == operationDirectPutByValNonStrictGeneric || unoptimizedFunction == operationDirectPutByValNonStrictOptimize);
+            optimizedFunction = operationDirectPutByValNonStrictOptimize;
+        }
+        break;
+    }
     }
 
     repatchSlowPathCall(codeBlock, stubInfo, optimizedFunction);
-    InlineAccess::resetStubAsJumpInAccess(codeBlock, stubInfo);
+    switch (kind) {
+    case PutByKind::ById:
+        InlineAccess::resetStubAsJumpInAccess(codeBlock, stubInfo);
+        break;
+    case PutByKind::ByVal:
+        InlineAccess::resetStubAsJumpInAccessNotUsingInlineAccess(codeBlock, stubInfo);
+        break;
+    }
 }
 

trunk/Source/JavaScriptCore/jit/Repatch.h

@@ -44 +44 @@
 };
 
+enum class PutByKind {
+    ById,
+    ByVal,
+};
+
 enum class DelByKind {
     ById,
@@ -57 +62 @@
 void repatchArrayGetByVal(JSGlobalObject*, CodeBlock*, JSValue base, JSValue index, StructureStubInfo&);
 void repatchGetBy(JSGlobalObject*, CodeBlock*, JSValue, CacheableIdentifier, const PropertySlot&, StructureStubInfo&, GetByKind);
-void repatchPutByID(JSGlobalObject*, CodeBlock*, JSValue, Structure*, CacheableIdentifier, const PutPropertySlot&, StructureStubInfo&, PutKind);
+void repatchArrayPutByVal(JSGlobalObject*, CodeBlock*, JSValue base, JSValue index, StructureStubInfo&, PutKind, ECMAMode);
+void repatchPutBy(JSGlobalObject*, CodeBlock*, JSValue, Structure*, CacheableIdentifier, const PutPropertySlot&, StructureStubInfo&, PutByKind, PutKind);
 void repatchDeleteBy(JSGlobalObject*, CodeBlock*, DeletePropertySlot&, JSValue, Structure*, CacheableIdentifier, StructureStubInfo&, DelByKind, ECMAMode);
 void repatchInBy(JSGlobalObject*, CodeBlock*, JSObject*, CacheableIdentifier, bool wasFound, const PropertySlot&, StructureStubInfo&, InByKind);
@@ -70 +76 @@
 void linkPolymorphicCall(JSGlobalObject*, CallFrame*, CallLinkInfo&, CallVariant);
 void resetGetBy(CodeBlock*, StructureStubInfo&, GetByKind);
-void resetPutByID(CodeBlock*, StructureStubInfo&);
+void resetPutBy(CodeBlock*, StructureStubInfo&, PutByKind);
 void resetDelBy(CodeBlock*, StructureStubInfo&, DelByKind);
 void resetInBy(CodeBlock*, StructureStubInfo&, InByKind);

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.h

@@ -33 +33 @@
 
 // The following is a set of alias for the opcode names. This is needed
-// because there is code (e.g. in GetByStatus.cpp and PutByIdStatus.cpp)
+// because there is code (e.g. in GetByStatus.cpp and PutByStatus.cpp)
 // which refers to the opcodes expecting them to be prefixed with "llint_".
 // In the CLoop implementation, the 2 are equivalent. Hence, we set up this