Changeset 108908 in webkit

Timestamp:

Feb 25, 2012, 3:05:38 PM (14 years ago)

Author:

fpizlo@apple.com

Message:

DFG should support activations and nested functions
​https://bugs.webkit.org/show_bug.cgi?id=79554

Reviewed by Oliver Hunt.

Wrote the simplest possible implementation of activations. Big speed-up on
code that uses activations, no speed-up on major benchmarks (SunSpider, V8,
Kraken) because they do not appear to have sufficient coverage over code
that uses activations.

• bytecode/PredictedType.cpp:

(JSC::predictionToString):
(JSC::predictionFromValue):

• bytecode/PredictedType.h:

(JSC):
(JSC::isEmptyPrediction):

• dfg/DFGAbstractState.cpp:

(JSC::DFG::AbstractState::execute):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::ByteCodeParser):
(ByteCodeParser):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
(JSC::DFG::ByteCodeParser::parse):

• dfg/DFGCapabilities.h:

(JSC::DFG::canCompileOpcode):
(JSC::DFG::canInlineOpcode):

• dfg/DFGGraph.h:

(JSC::DFG::Graph::needsActivation):

• dfg/DFGNode.h:

(DFG):
(JSC::DFG::Node::storageAccessDataIndex):
(Node):
(JSC::DFG::Node::hasFunctionDeclIndex):
(JSC::DFG::Node::functionDeclIndex):
(JSC::DFG::Node::hasFunctionExprIndex):
(JSC::DFG::Node::functionExprIndex):

• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
(DFG):
(JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callOperation):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/PredictedType.cpp (modified) (2 diffs)
• bytecode/PredictedType.h (modified) (2 diffs)
• dfg/DFGAbstractState.cpp (modified) (1 diff)
• dfg/DFGByteCodeParser.cpp (modified) (6 diffs)
• dfg/DFGCapabilities.h (modified) (2 diffs)
• dfg/DFGGraph.h (modified) (1 diff)
• dfg/DFGNode.h (modified) (2 diffs)
• dfg/DFGOperations.cpp (modified) (2 diffs)
• dfg/DFGOperations.h (modified) (2 diffs)
• dfg/DFGPredictionPropagationPhase.cpp (modified) (2 diffs)
• dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT.h (modified) (5 diffs)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-02-25  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG should support activations and nested functions
+        https://bugs.webkit.org/show_bug.cgi?id=79554
+
+        Reviewed by Oliver Hunt.
+        
+        Wrote the simplest possible implementation of activations. Big speed-up on
+        code that uses activations, no speed-up on major benchmarks (SunSpider, V8,
+        Kraken) because they do not appear to have sufficient coverage over code
+        that uses activations.
+
+        * bytecode/PredictedType.cpp:
+        (JSC::predictionToString):
+        (JSC::predictionFromValue):
+        * bytecode/PredictedType.h:
+        (JSC):
+        (JSC::isEmptyPrediction):
+        * dfg/DFGAbstractState.cpp:
+        (JSC::DFG::AbstractState::execute):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::ByteCodeParser):
+        (ByteCodeParser):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
+        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+        (JSC::DFG::ByteCodeParser::parse):
+        * dfg/DFGCapabilities.h:
+        (JSC::DFG::canCompileOpcode):
+        (JSC::DFG::canInlineOpcode):
+        * dfg/DFGGraph.h:
+        (JSC::DFG::Graph::needsActivation):
+        * dfg/DFGNode.h:
+        (DFG):
+        (JSC::DFG::Node::storageAccessDataIndex):
+        (Node):
+        (JSC::DFG::Node::hasFunctionDeclIndex):
+        (JSC::DFG::Node::functionDeclIndex):
+        (JSC::DFG::Node::hasFunctionExprIndex):
+        (JSC::DFG::Node::functionExprIndex):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
+        (DFG):
+        (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callOperation):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
 2012-02-25  Benjamin Poulain  <benjamin@webkit.org>
 

trunk/Source/JavaScriptCore/bytecode/PredictedType.cpp

@@ -154 +154 @@
         isTop = false;
     
-    if (isTop)
-        return "Top";
+    if (isTop) {
+        ptr = description;
+        ptr.strcat("Top");
+    }
+    
+    if (value & PredictEmpty)
+        ptr.strcat("Empty");
     
     *ptr++ = 0;
@@ -222 +227 @@
 PredictedType predictionFromValue(JSValue value)
 {
+    if (value.isEmpty())
+        return PredictEmpty;
     if (value.isInt32())
         return PredictInt32;

trunk/Source/JavaScriptCore/bytecode/PredictedType.h

@@ -62 +62 @@
 static const PredictedType PredictNumber            = 0x00070000; // It's either an Int32 or a Double.
 static const PredictedType PredictBoolean           = 0x00080000; // It's definitely a Boolean.
-static const PredictedType PredictOther             = 0x40000000; // It's definitely none of the above.
-static const PredictedType PredictTop               = 0x7fffffff; // It can be any of the above.
+static const PredictedType PredictOther             = 0x08000000; // It's definitely none of the above.
+static const PredictedType PredictTop               = 0x0fffffff; // It can be any of the above.
+static const PredictedType PredictEmpty             = 0x10000000; // It's definitely an empty value marker.
+static const PredictedType PredictEmptyOrTop        = 0x1fffffff; // It can be any of the above.
 static const PredictedType FixedIndexedStorageMask = PredictByteArray | PredictInt8Array | PredictInt16Array | PredictInt32Array | PredictUint8Array | PredictUint8ClampedArray | PredictUint16Array | PredictUint32Array | PredictFloat32Array | PredictFloat64Array;
 
@@ -218 +220 @@
 }
 
+inline bool isEmptyPrediction(PredictedType value)
+{
+    return value == PredictEmpty;
+}
+
 const char* predictionToString(PredictedType value);
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp

@@ -724 +724 @@
             
     case NewObject:
-        forNode(nodeIndex).set(m_codeBlock->globalObject()->emptyObjectStructure());
+        forNode(nodeIndex).set(m_codeBlock->globalObjectFor(node.codeOrigin)->emptyObjectStructure());
         m_haveStructures = true;
         break;
-            
+        
+    case CreateActivation:
+        forNode(nodeIndex).set(m_graph.m_globalData.activationStructure.get());
+        m_haveStructures = true;
+        break;
+        
+    case TearOffActivation:
+        // Does nothing that is user-visible.
+        break;
+        
+    case NewFunction:
+    case NewFunctionExpression:
+    case NewFunctionNoCheck:
+        forNode(nodeIndex).set(m_codeBlock->globalObjectFor(node.codeOrigin)->functionStructure());
+        break;
+        
     case GetCallee:
         forNode(nodeIndex).set(PredictFunction);

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -67 +67 @@
         , m_inlineStackTop(0)
         , m_haveBuiltOperandMaps(false)
+        , m_emptyJSValueIndex(UINT_MAX)
     {
         ASSERT(m_profiledBlock);
@@ -948 +949 @@
     // Mapping between values and constant numbers.
     JSValueMap m_jsValueMap;
+    // Index of the empty value, or UINT_MAX if there is no mapping. This is a horrible
+    // work-around for the fact that JSValueMap can't handle "empty" values.
+    unsigned m_emptyJSValueIndex;
     
     // Cache of code blocks that we've generated bytecode for.
@@ -2223 +2227 @@
             NEXT_OPCODE(op_loop_hint);
         }
+            
+        case op_init_lazy_reg: {
+            set(currentInstruction[1].u.operand, getJSConstantForValue(JSValue()));
+            NEXT_OPCODE(op_init_lazy_reg);
+        }
+            
+        case op_create_activation: {
+            set(currentInstruction[1].u.operand, addToGraph(CreateActivation, get(currentInstruction[1].u.operand)));
+            NEXT_OPCODE(op_create_activation);
+        }
+            
+        case op_tear_off_activation: {
+            // This currently ignores arguments because we don't support them yet.
+            addToGraph(TearOffActivation, get(currentInstruction[1].u.operand));
+            NEXT_OPCODE(op_tear_off_activation);
+        }
+            
+        case op_new_func: {
+            if (!currentInstruction[3].u.operand) {
+                set(currentInstruction[1].u.operand,
+                    addToGraph(NewFunctionNoCheck, OpInfo(currentInstruction[2].u.operand)));
+            } else {
+                set(currentInstruction[1].u.operand,
+                    addToGraph(
+                        NewFunction,
+                        OpInfo(currentInstruction[2].u.operand),
+                        get(currentInstruction[1].u.operand)));
+            }
+            NEXT_OPCODE(op_new_func);
+        }
+            
+        case op_new_func_exp: {
+            set(currentInstruction[1].u.operand,
+                addToGraph(NewFunctionExpression, OpInfo(currentInstruction[2].u.operand)));
+            NEXT_OPCODE(op_new_func_exp);
+        }
 
         default:
@@ -2475 +2515 @@
     for (size_t i = 0; i < m_codeBlock->numberOfIdentifiers(); ++i)
         m_identifierMap.add(m_codeBlock->identifier(i).impl(), i);
-    for (size_t i = 0; i < m_codeBlock->numberOfConstantRegisters(); ++i)
-        m_jsValueMap.add(JSValue::encode(m_codeBlock->getConstant(i + FirstConstantRegisterIndex)), i + FirstConstantRegisterIndex);
+    for (size_t i = 0; i < m_codeBlock->numberOfConstantRegisters(); ++i) {
+        JSValue value = m_codeBlock->getConstant(i + FirstConstantRegisterIndex);
+        if (!value)
+            m_emptyJSValueIndex = i + FirstConstantRegisterIndex;
+        else
+            m_jsValueMap.add(JSValue::encode(value), i + FirstConstantRegisterIndex);
+    }
     
     m_haveBuiltOperandMaps = true;
@@ -2526 +2571 @@
         for (size_t i = 0; i < codeBlock->numberOfConstantRegisters(); ++i) {
             JSValue value = codeBlock->getConstant(i + FirstConstantRegisterIndex);
+            if (!value) {
+                if (byteCodeParser->m_emptyJSValueIndex == UINT_MAX) {
+                    byteCodeParser->m_emptyJSValueIndex = byteCodeParser->m_codeBlock->numberOfConstantRegisters() + FirstConstantRegisterIndex;
+                    byteCodeParser->m_codeBlock->addConstant(JSValue());
+                    byteCodeParser->m_constants.append(ConstantRecord());
+                }
+                m_constantRemap[i] = byteCodeParser->m_emptyJSValueIndex;
+                continue;
+            }
             pair<JSValueMap::iterator, bool> result = byteCodeParser->m_jsValueMap.add(JSValue::encode(value), byteCodeParser->m_codeBlock->numberOfConstantRegisters() + FirstConstantRegisterIndex);
             if (result.second) {
@@ -2653 +2707 @@
     // We should be pretending that the code has an activation.
     ASSERT(m_graph.needsActivation());
-#else
-    // For now we should never see code that needs activations.
-    ASSERT(!m_graph.needsActivation());
 #endif
     

trunk/Source/JavaScriptCore/dfg/DFGCapabilities.h

@@ -155 +155 @@
     case op_construct:
     case op_new_regexp: 
+    case op_init_lazy_reg:
+    case op_create_activation:
+    case op_tear_off_activation:
+    case op_new_func:
+    case op_new_func_exp:
         return true;
         
@@ -180 +185 @@
     // Inlining doesn't correctly remap regular expression operands.
     case op_new_regexp:
+        return false;
+        
+    // We don't support inlining code that creates activations or has nested functions.
+    case op_init_lazy_reg:
+    case op_create_activation:
+    case op_tear_off_activation:
+    case op_new_func:
+    case op_new_func_exp:
         return false;
         

trunk/Source/JavaScriptCore/dfg/DFGGraph.h

@@ -311 +311 @@
         return true;
 #else
-        return m_codeBlock->ownerExecutable()->needsActivation() && m_codeBlock->codeType() != GlobalCode;
+        return m_codeBlock->needsFullScopeChain() && m_codeBlock->codeType() != GlobalCode;
 #endif
     }

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -292 +292 @@
     macro(StrCat, NodeResultJS | NodeMustGenerate | NodeHasVarArgs | NodeClobbersWorld) \
     \
+    /* Nodes used for activations. Activation support works by having it anchored at */\
+    /* epilgoues via TearOffActivation, and all CreateActivation nodes kept alive by */\
+    /* being threaded with each other. */\
+    macro(CreateActivation, NodeResultJS) \
+    macro(TearOffActivation, NodeMustGenerate) \
+    \
+    /* Nodes for creating functions. */\
+    macro(NewFunctionNoCheck, NodeResultJS) \
+    macro(NewFunction, NodeResultJS) \
+    macro(NewFunctionExpression, NodeResultJS) \
+    \
     /* Block terminals. */\
     macro(Jump, NodeMustGenerate | NodeIsTerminal | NodeIsJump) \
@@ -776 +787 @@
     unsigned storageAccessDataIndex()
     {
+        ASSERT(hasStorageAccessData());
+        return m_opInfo;
+    }
+    
+    bool hasFunctionDeclIndex()
+    {
+        return op == NewFunction
+            || op == NewFunctionNoCheck;
+    }
+    
+    unsigned functionDeclIndex()
+    {
+        ASSERT(hasFunctionDeclIndex());
+        return m_opInfo;
+    }
+    
+    bool hasFunctionExprIndex()
+    {
+        return op == NewFunctionExpression;
+    }
+    
+    unsigned functionExprIndex()
+    {
+        ASSERT(hasFunctionExprIndex());
         return m_opInfo;
     }

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -34 +34 @@
 #include "InlineASM.h"
 #include "Interpreter.h"
+#include "JSActivation.h"
 #include "JSByteArray.h"
 #include "JSGlobalData.h"
+#include "JSStaticScopeObject.h"
 #include "Operations.h"
 
@@ -973 +975 @@
     
     return JSValue::encode(RegExpObject::create(exec->globalData(), exec->lexicalGlobalObject(), exec->lexicalGlobalObject()->regExpStructure(), regexp));
+}
+
+JSCell* DFG_OPERATION operationCreateActivation(ExecState* exec)
+{
+    JSGlobalData& globalData = exec->globalData();
+    JSActivation* activation = JSActivation::create(
+        globalData, exec, static_cast<FunctionExecutable*>(exec->codeBlock()->ownerExecutable()));
+    exec->setScopeChain(exec->scopeChain()->push(activation));
+    return activation;
+}
+
+void DFG_OPERATION operationTearOffActivation(ExecState* exec, JSCell* activation)
+{
+    ASSERT(activation);
+    ASSERT(activation->inherits(&JSActivation::s_info));
+    static_cast<JSActivation*>(activation)->tearOff(exec->globalData());
+}
+
+JSCell* DFG_OPERATION operationNewFunction(ExecState* exec, JSCell* functionExecutable)
+{
+    ASSERT(functionExecutable->inherits(&FunctionExecutable::s_info));
+    return static_cast<FunctionExecutable*>(functionExecutable)->make(exec, exec->scopeChain());
+}
+
+JSCell* DFG_OPERATION operationNewFunctionExpression(ExecState* exec, JSCell* functionExecutableAsCell)
+{
+    ASSERT(functionExecutableAsCell->inherits(&FunctionExecutable::s_info));
+    FunctionExecutable* functionExecutable =
+        static_cast<FunctionExecutable*>(functionExecutableAsCell);
+    JSFunction *function = functionExecutable->make(exec, exec->scopeChain());
+    if (!functionExecutable->name().isNull()) {
+        JSStaticScopeObject* functionScopeObject =
+            JSStaticScopeObject::create(
+                exec, functionExecutable->name(), function, ReadOnly | DontDelete);
+        function->setScope(exec->globalData(), function->scope()->push(functionScopeObject));
+    }
+    return function;
 }
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -90 +90 @@
 typedef double DFG_OPERATION (*D_DFGOperation_EJ)(ExecState*, EncodedJSValue);
 typedef void* DFG_OPERATION (*P_DFGOperation_E)(ExecState*);
+typedef void DFG_OPERATION (V_DFGOperation_EC)(ExecState*, JSCell*);
 
 // These routines are provide callbacks out to C++ implementations of operations too complex to JIT.
@@ -146 +147 @@
 void* DFG_OPERATION operationVirtualConstruct(ExecState*);
 void* DFG_OPERATION operationLinkConstruct(ExecState*);
+JSCell* DFG_OPERATION operationCreateActivation(ExecState*);
+void DFG_OPERATION operationTearOffActivation(ExecState*, JSCell*);
+JSCell* DFG_OPERATION operationNewFunction(ExecState*, JSCell*);
+JSCell* DFG_OPERATION operationNewFunctionExpression(ExecState*, JSCell*);
 
 // This method is used to lookup an exception hander, keyed by faultLocation, which is

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -398 +398 @@
         }
             
+        case CreateActivation: {
+            changed |= setPrediction(PredictObjectOther);
+            break;
+        }
+            
+        case NewFunction:
+        case NewFunctionNoCheck:
+        case NewFunctionExpression: {
+            changed |= setPrediction(PredictFunction);
+            break;
+        }
+            
         case GetArrayLength:
         case GetByteArrayLength:
@@ -440 +452 @@
         case PutStructure:
         case PutByOffset:
+        case TearOffActivation:
             break;
             

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -2690 +2690 @@
 }
 
+void SpeculativeJIT::compileNewFunctionNoCheck(Node& node)
+{
+    GPRResult result(this);
+    GPRReg resultGPR = result.gpr();
+    flushRegisters();
+    callOperation(
+        operationNewFunction, resultGPR, m_jit.codeBlock()->functionDecl(node.functionDeclIndex()));
+    cellResult(resultGPR, m_compileIndex);
+}
+
+void SpeculativeJIT::compileNewFunctionExpression(Node& node)
+{
+    GPRResult result(this);
+    GPRReg resultGPR = result.gpr();
+    flushRegisters();
+    callOperation(
+        operationNewFunctionExpression,
+        resultGPR,
+        m_jit.codeBlock()->functionExpr(node.functionExprIndex()));
+    cellResult(resultGPR, m_compileIndex);
+}
+
 } } // namespace JSC::DFG
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1161 +1161 @@
         return appendCallWithExceptionCheckSetResult(operation, result);
     }
+    JITCompiler::Call callOperation(C_DFGOperation_EC operation, GPRReg result, JSCell* cell)
+    {
+        m_jit.setupArgumentsWithExecState(TrustedImmPtr(cell));
+        return appendCallWithExceptionCheckSetResult(operation, result);
+    }
     JITCompiler::Call callOperation(C_DFGOperation_ECC operation, GPRReg result, GPRReg arg1, JSCell* cell)
     {
@@ -1195 +1200 @@
         m_jit.setupArgumentsWithExecState(arg1, arg2);
         return appendCallWithExceptionCheckSetResult(operation, result);
+    }
+    JITCompiler::Call callOperation(V_DFGOperation_EC operation, GPRReg arg1)
+    {
+        m_jit.setupArgumentsWithExecState(arg1);
+        return appendCallWithExceptionCheck(operation);
     }
     JITCompiler::Call callOperation(V_DFGOperation_EJPP operation, GPRReg arg1, GPRReg arg2, void* pointer)
@@ -1329 +1339 @@
         return appendCallWithExceptionCheckSetResult(operation, result);
     }
+    JITCompiler::Call callOperation(C_DFGOperation_EC operation, GPRReg result, JSCell* cell)
+    {
+        m_jit.setupArgumentsWithExecState(TrustedImmPtr(cell));
+        return appendCallWithExceptionCheckSetResult(operation, result);
+    }
     JITCompiler::Call callOperation(C_DFGOperation_ECC operation, GPRReg result, GPRReg arg1, JSCell* cell)
     {
@@ -1363 +1378 @@
         m_jit.setupArgumentsWithExecState(arg1, arg2Payload, arg2Tag);
         return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
+    }
+    JITCompiler::Call callOperation(V_DFGOperation_EC operation, GPRReg arg1)
+    {
+        m_jit.setupArgumentsWithExecState(arg1);
+        return appendCallWithExceptionCheck(operation);
     }
     JITCompiler::Call callOperation(V_DFGOperation_EJPP operation, GPRReg arg1Tag, GPRReg arg1Payload, GPRReg arg2, void* pointer)
@@ -1714 +1734 @@
     void compileGetByValOnFloatTypedArray(const TypedArrayDescriptor&, Node&, size_t elementSize, TypedArraySpeculationRequirements);
     void compilePutByValForFloatTypedArray(const TypedArrayDescriptor&, GPRReg base, GPRReg property, Node&, size_t elementSize, TypedArraySpeculationRequirements);
+    void compileNewFunctionNoCheck(Node& node);
+    void compileNewFunctionExpression(Node& node);
     
     // It is acceptable to have structure be equal to scratch, so long as you're fine

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -3489 +3489 @@
     }
 
+    case CreateActivation: {
+        JSValueOperand value(this, node.child1());
+        GPRTemporary result(this, value);
+        
+        GPRReg valueTagGPR = value.tagGPR();
+        GPRReg valuePayloadGPR = value.payloadGPR();
+        GPRReg resultGPR = result.gpr();
+        
+        m_jit.move(valuePayloadGPR, resultGPR);
+        
+        JITCompiler::Jump alreadyCreated = m_jit.branch32(JITCompiler::NotEqual, valueTagGPR, TrustedImm32(JSValue::EmptyValueTag));
+        
+        silentSpillAllRegisters(resultGPR);
+        callOperation(operationCreateActivation, resultGPR);
+        silentFillAllRegisters(resultGPR);
+        
+        alreadyCreated.link(&m_jit);
+        
+        cellResult(resultGPR, m_compileIndex);
+        break;
+    }
+        
+    case TearOffActivation: {
+        JSValueOperand value(this, node.child1());
+        GPRTemporary result(this, value);
+        
+        GPRReg valueTagGPR = value.tagGPR();
+        GPRReg valuePayloadGPR = value.payloadGPR();
+        
+        JITCompiler::Jump notCreated = m_jit.branch32(JITCompiler::Equal, valueTagGPR, TrustedImm32(JSValue::EmptyValueTag));
+        
+        silentSpillAllRegisters(InvalidGPRReg);
+        callOperation(operationTearOffActivation, valuePayloadGPR);
+        silentFillAllRegisters(InvalidGPRReg);
+        
+        notCreated.link(&m_jit);
+        
+        noResult(m_compileIndex);
+        break;
+    }
+        
+    case NewFunctionNoCheck:
+        compileNewFunctionNoCheck(node);
+        break;
+        
+    case NewFunction: {
+        JSValueOperand value(this, node.child1());
+        GPRTemporary result(this, value);
+        
+        GPRReg valueTagGPR = value.tagGPR();
+        GPRReg valuePayloadGPR = value.payloadGPR();
+        GPRReg resultGPR = result.gpr();
+        
+        m_jit.move(valuePayloadGPR, resultGPR);
+        
+        JITCompiler::Jump alreadyCreated = m_jit.branch32(JITCompiler::NotEqual, valueTagGPR, TrustedImm32(JSValue::EmptyValueTag));
+        
+        silentSpillAllRegisters(resultGPR);
+        callOperation(
+            operationNewFunction, resultGPR, m_jit.codeBlock()->functionDecl(node.functionDeclIndex()));
+        silentFillAllRegisters(resultGPR);
+        
+        alreadyCreated.link(&m_jit);
+        
+        cellResult(resultGPR, m_compileIndex);
+        break;
+    }
+        
+    case NewFunctionExpression:
+        compileNewFunctionExpression(node);
+        break;
+
     case ForceOSRExit: {
         terminateSpeculativeExecution(Uncountable, JSValueRegs(), NoNode);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -3452 +3452 @@
         break;
     }
+        
+    case CreateActivation: {
+        JSValueOperand value(this, node.child1());
+        GPRTemporary result(this, value);
+        
+        GPRReg valueGPR = value.gpr();
+        GPRReg resultGPR = result.gpr();
+        
+        m_jit.move(valueGPR, resultGPR);
+        
+        JITCompiler::Jump alreadyCreated = m_jit.branchTestPtr(JITCompiler::NonZero, resultGPR);
+        
+        silentSpillAllRegisters(resultGPR);
+        callOperation(operationCreateActivation, resultGPR);
+        silentFillAllRegisters(resultGPR);
+        
+        alreadyCreated.link(&m_jit);
+        
+        cellResult(resultGPR, m_compileIndex);
+        break;
+    }
+        
+    case TearOffActivation: {
+        JSValueOperand value(this, node.child1());
+        GPRReg valueGPR = value.gpr();
+        
+        JITCompiler::Jump notCreated = m_jit.branchTestPtr(JITCompiler::Zero, valueGPR);
+        
+        silentSpillAllRegisters(InvalidGPRReg);
+        callOperation(operationTearOffActivation, valueGPR);
+        silentFillAllRegisters(InvalidGPRReg);
+        
+        notCreated.link(&m_jit);
+        
+        noResult(m_compileIndex);
+        break;
+    }
+        
+    case NewFunctionNoCheck:
+        compileNewFunctionNoCheck(node);
+        break;
+        
+    case NewFunction: {
+        JSValueOperand value(this, node.child1());
+        GPRTemporary result(this, value);
+        
+        GPRReg valueGPR = value.gpr();
+        GPRReg resultGPR = result.gpr();
+        
+        m_jit.move(valueGPR, resultGPR);
+        
+        JITCompiler::Jump alreadyCreated = m_jit.branchTestPtr(JITCompiler::NonZero, resultGPR);
+        
+        silentSpillAllRegisters(resultGPR);
+        callOperation(
+            operationNewFunction, resultGPR, m_jit.codeBlock()->functionDecl(node.functionDeclIndex()));
+        silentFillAllRegisters(resultGPR);
+        
+        alreadyCreated.link(&m_jit);
+        
+        cellResult(resultGPR, m_compileIndex);
+        break;
+    }
+        
+    case NewFunctionExpression:
+        compileNewFunctionExpression(node);
+        break;
 
     case ForceOSRExit: {