Changeset 117542 in webkit

Timestamp:

May 17, 2012, 10:30:16 PM (13 years ago)

Author:

fpizlo@apple.com

Message:

DFG should optimize aliased uses of the Arguments object of the current call frame
​https://bugs.webkit.org/show_bug.cgi?id=86552

Source/JavaScriptCore:

Reviewed by Geoff Garen.

Performs must-alias and escape analysis on uses of CreateArguments, and if
a variable is must-aliased to CreateArguments and does not escape, then we
turn all uses of that variable into direct arguments accesses.

36% speed-up on V8/earley leading to a 2.3% speed-up overall in V8.

• bytecode/CodeBlock.h:

(JSC::CodeBlock::uncheckedArgumentsRegister):

• bytecode/ValueRecovery.h:

(JSC::ValueRecovery::argumentsThatWereNotCreated):
(ValueRecovery):
(JSC::ValueRecovery::dump):

• dfg/DFGAbstractState.cpp:

(JSC::DFG::AbstractState::execute):

• dfg/DFGAdjacencyList.h:

(AdjacencyList):
(JSC::DFG::AdjacencyList::removeEdgeFromBag):

• dfg/DFGArgumentsSimplificationPhase.cpp:

(JSC::DFG::ArgumentsSimplificationPhase::run):
(ArgumentsSimplificationPhase):
(JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
(JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUses):
(JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
(JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
(JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):

• dfg/DFGAssemblyHelpers.h:

(JSC::DFG::AssemblyHelpers::argumentsRegisterFor):
(AssemblyHelpers):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGCFGSimplificationPhase.cpp:

(JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):

• dfg/DFGGPRInfo.h:

(GPRInfo):

• dfg/DFGGraph.cpp:

(JSC::DFG::Graph::collectGarbage):
(DFG):

• dfg/DFGGraph.h:

(Graph):
(JSC::DFG::Graph::executableFor):
(JSC::DFG::Graph::argumentsRegisterFor):
(JSC::DFG::Graph::uncheckedArgumentsRegisterFor):
(JSC::DFG::Graph::clobbersWorld):

• dfg/DFGNode.h:

(JSC::DFG::Node::hasHeapPrediction):

• dfg/DFGNodeType.h:

(DFG):

• dfg/DFGOSRExitCompiler.cpp:
• dfg/DFGOSRExitCompiler.h:

(JSC::DFG::OSRExitCompiler::OSRExitCompiler):
(OSRExitCompiler):

• dfg/DFGOSRExitCompiler32_64.cpp:

(JSC::DFG::OSRExitCompiler::compileExit):

• dfg/DFGOSRExitCompiler64.cpp:

(JSC::DFG::OSRExitCompiler::compileExit):

• dfg/DFGOperations.cpp:
• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::ValueSource::dump):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):

• dfg/DFGSpeculativeJIT.h:
• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGVariableAccessData.h:

(JSC::DFG::VariableAccessData::VariableAccessData):
(JSC::DFG::VariableAccessData::mergeIsArgumentsAlias):
(VariableAccessData):
(JSC::DFG::VariableAccessData::isArgumentsAlias):

• jit/JITOpcodes.cpp:

(JSC::JIT::emitSlow_op_get_argument_by_val):

LayoutTests:

Rubber stamped by Geoff Garen.

Added a bunch of tests that check that our optimizations for aliased uses of the
'arguments' object are robust against various forms of JavaScript crazy.

• fast/js/dfg-arguments-alias-escape-expected.txt: Added.
• fast/js/dfg-arguments-alias-escape.html: Added.
• fast/js/dfg-arguments-alias-expected.txt: Added.
• fast/js/dfg-arguments-alias.html: Added.
• fast/js/dfg-arguments-cross-code-origin-expected.txt: Added.
• fast/js/dfg-arguments-cross-code-origin.html: Added.
• fast/js/dfg-arguments-mixed-alias-expected.txt: Added.
• fast/js/dfg-arguments-mixed-alias.html: Added.
• fast/js/dfg-arguments-osr-exit-expected.txt: Added.
• fast/js/dfg-arguments-osr-exit.html: Added.
• fast/js/dfg-arguments-unexpected-escape-expected.txt: Added.
• fast/js/dfg-arguments-unexpected-escape.html: Added.
• fast/js/jsc-test-list:
• fast/js/script-tests/dfg-arguments-alias-escape.js: Added.

(foo):
(bar):

• fast/js/script-tests/dfg-arguments-alias.js: Added.

(foo):
(bar):

• fast/js/script-tests/dfg-arguments-cross-code-origin.js: Added.

(foo):
(bar):
(baz):

• fast/js/script-tests/dfg-arguments-mixed-alias.js: Added.

(foo):
(bar):

• fast/js/script-tests/dfg-arguments-osr-exit.js: Added.

(baz):
(foo):
(bar):

• fast/js/script-tests/dfg-arguments-unexpected-escape.js: Added.

(baz):
(foo):
(bar):

Location:

branches/dfgopt

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/dfg-arguments-alias-escape-expected.txt (added)
• LayoutTests/fast/js/dfg-arguments-alias-escape.html (added)
• LayoutTests/fast/js/dfg-arguments-alias-expected.txt (added)
• LayoutTests/fast/js/dfg-arguments-alias.html (added)
• LayoutTests/fast/js/dfg-arguments-cross-code-origin-expected.txt (added)
• LayoutTests/fast/js/dfg-arguments-cross-code-origin.html (added)
• LayoutTests/fast/js/dfg-arguments-mixed-alias-expected.txt (added)
• LayoutTests/fast/js/dfg-arguments-mixed-alias.html (added)
• LayoutTests/fast/js/dfg-arguments-osr-exit-expected.txt (added)
• LayoutTests/fast/js/dfg-arguments-osr-exit.html (added)
• LayoutTests/fast/js/dfg-arguments-unexpected-escape-expected.txt (added)
• LayoutTests/fast/js/dfg-arguments-unexpected-escape.html (added)
• LayoutTests/fast/js/jsc-test-list (modified) (1 diff)
• LayoutTests/fast/js/script-tests/dfg-arguments-alias-escape.js (added)
• LayoutTests/fast/js/script-tests/dfg-arguments-alias.js (added)
• LayoutTests/fast/js/script-tests/dfg-arguments-cross-code-origin.js (added)
• LayoutTests/fast/js/script-tests/dfg-arguments-mixed-alias.js (added)
• LayoutTests/fast/js/script-tests/dfg-arguments-osr-exit.js (added)
• LayoutTests/fast/js/script-tests/dfg-arguments-unexpected-escape.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/CodeBlock.h (modified) (1 diff)
• Source/JavaScriptCore/bytecode/ValueRecovery.h (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGAbstractState.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGAdjacencyList.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp (modified) (5 diffs)
• Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGGPRInfo.h (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGGraph.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGGraph.h (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGNode.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGOSRExitCompiler.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOSRExitCompiler.h (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp (modified) (6 diffs)
• Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp (modified) (5 diffs)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (4 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGVariableAccessData.h (modified) (4 diffs)
• Source/JavaScriptCore/jit/JITOpcodes.cpp (modified) (1 diff)

branches/dfgopt/LayoutTests/ChangeLog

@@ +1 @@
+2012-05-17  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG should optimize aliased uses of the Arguments object of the current call frame
+        https://bugs.webkit.org/show_bug.cgi?id=86552
+
+        Rubber stamped by Geoff Garen.
+        
+        Added a bunch of tests that check that our optimizations for aliased uses of the
+        'arguments' object are robust against various forms of JavaScript crazy.
+        
+        * fast/js/dfg-arguments-alias-escape-expected.txt: Added.
+        * fast/js/dfg-arguments-alias-escape.html: Added.
+        * fast/js/dfg-arguments-alias-expected.txt: Added.
+        * fast/js/dfg-arguments-alias.html: Added.
+        * fast/js/dfg-arguments-cross-code-origin-expected.txt: Added.
+        * fast/js/dfg-arguments-cross-code-origin.html: Added.
+        * fast/js/dfg-arguments-mixed-alias-expected.txt: Added.
+        * fast/js/dfg-arguments-mixed-alias.html: Added.
+        * fast/js/dfg-arguments-osr-exit-expected.txt: Added.
+        * fast/js/dfg-arguments-osr-exit.html: Added.
+        * fast/js/dfg-arguments-unexpected-escape-expected.txt: Added.
+        * fast/js/dfg-arguments-unexpected-escape.html: Added.
+        * fast/js/jsc-test-list:
+        * fast/js/script-tests/dfg-arguments-alias-escape.js: Added.
+        (foo):
+        (bar):
+        * fast/js/script-tests/dfg-arguments-alias.js: Added.
+        (foo):
+        (bar):
+        * fast/js/script-tests/dfg-arguments-cross-code-origin.js: Added.
+        (foo):
+        (bar):
+        (baz):
+        * fast/js/script-tests/dfg-arguments-mixed-alias.js: Added.
+        (foo):
+        (bar):
+        * fast/js/script-tests/dfg-arguments-osr-exit.js: Added.
+        (baz):
+        (foo):
+        (bar):
+        * fast/js/script-tests/dfg-arguments-unexpected-escape.js: Added.
+        (baz):
+        (foo):
+        (bar):
+
 2012-04-17  Vincent Scheib  <scheib@chromium.org>
 

branches/dfgopt/LayoutTests/fast/js/jsc-test-list

@@ -65 +65 @@
 fast/js/delete-getters-setters
 fast/js/delete-then-put
+fast/js/dfg-arguments-osr-exit
+fast/js/dfg-arguments-mixed-alias
+fast/js/dfg-arguments-cross-code-origin
+fast/js/dfg-arguments-unexpected-escape
+fast/js/dfg-arguments-alias
+fast/js/dfg-arguments-alias-escape
 fast/js/dfg-array-length-dead
 fast/js/dfg-convert-this-dom-window

branches/dfgopt/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-05-17  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG should optimize aliased uses of the Arguments object of the current call frame
+        https://bugs.webkit.org/show_bug.cgi?id=86552
+
+        Reviewed by Geoff Garen.
+        
+        Performs must-alias and escape analysis on uses of CreateArguments, and if
+        a variable is must-aliased to CreateArguments and does not escape, then we
+        turn all uses of that variable into direct arguments accesses.
+        
+        36% speed-up on V8/earley leading to a 2.3% speed-up overall in V8.
+
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::uncheckedArgumentsRegister):
+        * bytecode/ValueRecovery.h:
+        (JSC::ValueRecovery::argumentsThatWereNotCreated):
+        (ValueRecovery):
+        (JSC::ValueRecovery::dump):
+        * dfg/DFGAbstractState.cpp:
+        (JSC::DFG::AbstractState::execute):
+        * dfg/DFGAdjacencyList.h:
+        (AdjacencyList):
+        (JSC::DFG::AdjacencyList::removeEdgeFromBag):
+        * dfg/DFGArgumentsSimplificationPhase.cpp:
+        (JSC::DFG::ArgumentsSimplificationPhase::run):
+        (ArgumentsSimplificationPhase):
+        (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
+        (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUses):
+        (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
+        (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
+        (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
+        * dfg/DFGAssemblyHelpers.h:
+        (JSC::DFG::AssemblyHelpers::argumentsRegisterFor):
+        (AssemblyHelpers):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGCFGSimplificationPhase.cpp:
+        (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
+        * dfg/DFGGPRInfo.h:
+        (GPRInfo):
+        * dfg/DFGGraph.cpp:
+        (JSC::DFG::Graph::collectGarbage):
+        (DFG):
+        * dfg/DFGGraph.h:
+        (Graph):
+        (JSC::DFG::Graph::executableFor):
+        (JSC::DFG::Graph::argumentsRegisterFor):
+        (JSC::DFG::Graph::uncheckedArgumentsRegisterFor):
+        (JSC::DFG::Graph::clobbersWorld):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::hasHeapPrediction):
+        * dfg/DFGNodeType.h:
+        (DFG):
+        * dfg/DFGOSRExitCompiler.cpp:
+        * dfg/DFGOSRExitCompiler.h:
+        (JSC::DFG::OSRExitCompiler::OSRExitCompiler):
+        (OSRExitCompiler):
+        * dfg/DFGOSRExitCompiler32_64.cpp:
+        (JSC::DFG::OSRExitCompiler::compileExit):
+        * dfg/DFGOSRExitCompiler64.cpp:
+        (JSC::DFG::OSRExitCompiler::compileExit):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::ValueSource::dump):
+        (JSC::DFG::SpeculativeJIT::compile):
+        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGVariableAccessData.h:
+        (JSC::DFG::VariableAccessData::VariableAccessData):
+        (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias):
+        (VariableAccessData):
+        (JSC::DFG::VariableAccessData::isArgumentsAlias):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emitSlow_op_get_argument_by_val):
+
 2012-05-16  Filip Pizlo  <fpizlo@apple.com>
 

branches/dfgopt/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -448 +448 @@
             return m_argumentsRegister;
         }
+        int uncheckedArgumentsRegister()
+        {
+            if (!usesArguments())
+                return InvalidVirtualRegister;
+            return argumentsRegister();
+        }
         void setActivationRegister(int activationRegister)
         {

branches/dfgopt/Source/JavaScriptCore/bytecode/ValueRecovery.h

@@ -62 +62 @@
     CellDisplacedInRegisterFile,
     BooleanDisplacedInRegisterFile,
+    // It's an Arguments object.
+    ArgumentsThatWereNotCreated,
     // It's a constant.
     Constant,
@@ -188 +190 @@
         result.m_technique = Constant;
         result.m_source.constant = JSValue::encode(value);
+        return result;
+    }
+    
+    static ValueRecovery argumentsThatWereNotCreated()
+    {
+        ValueRecovery result;
+        result.m_technique = ArgumentsThatWereNotCreated;
         return result;
     }
@@ -316 +325 @@
             fprintf(out, "*bool(%d)", virtualRegister());
             break;
+        case ArgumentsThatWereNotCreated:
+            fprintf(out, "arguments");
+            break;
         case Constant:
             fprintf(out, "[%s]", constant().description());

branches/dfgopt/Source/JavaScriptCore/dfg/DFGAbstractState.cpp

@@ -1096 +1096 @@
         
     case GetMyArgumentsLength:
-        if (!m_graph.m_executablesWhoseArgumentsEscaped.contains(
-                m_graph.executableFor(node.codeOrigin))) {
-            // We know that this executable does not escape its arguments, so we can optimize
-            // the arguments a bit. Note that this is not sufficient to force constant folding
-            // of GetMyArgumentsLength, because GetMyArgumentsLength is a clobbering operation.
-            // We perform further optimizations on this later on.
-            if (node.codeOrigin.inlineCallFrame) {
-                forNode(nodeIndex).set(jsNumber(node.codeOrigin.inlineCallFrame->arguments.size() - 1));
-                break;
-            }
-            forNode(nodeIndex).set(PredictInt32);
-            break;
-        }
+        // We know that this executable does not escape its arguments, so we can optimize
+        // the arguments a bit. Note that this is not sufficient to force constant folding
+        // of GetMyArgumentsLength, because GetMyArgumentsLength is a clobbering operation.
+        // We perform further optimizations on this later on.
+        if (node.codeOrigin.inlineCallFrame) {
+            forNode(nodeIndex).set(jsNumber(node.codeOrigin.inlineCallFrame->arguments.size() - 1));
+            break;
+        }
+        forNode(nodeIndex).set(PredictInt32);
+        break;
+        
+    case GetMyArgumentsLengthSafe:
         // This potentially clobbers all structures if the arguments object had a getter
         // installed on the length property.
@@ -1118 +1117 @@
         
     case GetMyArgumentByVal:
-        if (!m_graph.m_executablesWhoseArgumentsEscaped.contains(
-                m_graph.executableFor(node.codeOrigin))) {
-            // We know that this executable does not escape its arguments, so we can optimize
-            // the arguments a bit. Note that this ends up being further optimized by the
-            // ArgumentsSimplificationPhase.
-            forNode(node.child1()).filter(PredictInt32);
-            forNode(nodeIndex).makeTop();
-            break;
-        }
+        // We know that this executable does not escape its arguments, so we can optimize
+        // the arguments a bit. Note that this ends up being further optimized by the
+        // ArgumentsSimplificationPhase.
+        forNode(node.child1()).filter(PredictInt32);
+        forNode(nodeIndex).makeTop();
+        break;
+        
+    case GetMyArgumentByValSafe:
         // This potentially clobbers all structures if the property we're accessing has
         // a getter. We don't speculate against this.

branches/dfgopt/Source/JavaScriptCore/dfg/DFGAdjacencyList.h

@@ -129 +129 @@
         initialize();
     }
+    
+    // Call this if you wish to remove an edge and the node treats the list of children
+    // as a "bag" - an unordered set where the index of the edge does not matter.
+    void removeEdgeFromBag(unsigned edgeIndex)
+    {
+        for (unsigned i = edgeIndex; i < Size - 1; ++i)
+            setChild(i, child(i + 1));
+        setChild(Size - 1, Edge());
+    }
 
     unsigned firstChild() const

branches/dfgopt/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp

@@ -35 +35 @@
 #include "DFGPhase.h"
 #include "DFGValidate.h"
+#include <wtf/HashSet.h>
+#include <wtf/HashMap.h>
 
 namespace JSC { namespace DFG {
+
+namespace {
+
+template<typename T>
+struct NullableHashTraits : public HashTraits<T> {
+    static const bool emptyValueIsZero = false;
+    static T emptyValue() { return reinterpret_cast<T>(1); }
+};
+
+struct ArgumentsAliasingData {
+    InlineCallFrame* callContext;
+    bool callContextSet;
+    bool multipleCallContexts;
+    
+    bool assignedFromArguments;
+    bool assignedFromManyThings;
+    
+    bool escapes;
+    
+    ArgumentsAliasingData()
+        : callContext(0)
+        , callContextSet(false)
+        , multipleCallContexts(false)
+        , assignedFromArguments(false)
+        , assignedFromManyThings(false)
+        , escapes(false)
+    {
+    }
+    
+    void mergeCallContext(InlineCallFrame* newCallContext)
+    {
+        if (multipleCallContexts)
+            return;
+        
+        if (!callContextSet) {
+            callContext = newCallContext;
+            callContextSet = true;
+            return;
+        }
+        
+        if (callContext == newCallContext)
+            return;
+        
+        multipleCallContexts = true;
+    }
+    
+    bool callContextIsValid()
+    {
+        return callContextSet && !multipleCallContexts;
+    }
+    
+    void mergeArgumentsAssignment()
+    {
+        assignedFromArguments = true;
+    }
+    
+    void mergeNonArgumentsAssignment()
+    {
+        assignedFromManyThings = true;
+    }
+    
+    bool argumentsAssignmentIsValid()
+    {
+        return assignedFromArguments && !assignedFromManyThings;
+    }
+    
+    bool isValid()
+    {
+        return callContextIsValid() && argumentsAssignmentIsValid() && !escapes;
+    }
+};
+
+} // end anonymous namespace
 
 class ArgumentsSimplificationPhase : public Phase {
@@ -52 +127 @@
         bool changed = false;
         
-        InsertionSet<NodeIndex> insertionSet;
-        
+        // Record which arguments are known to escape no matter what.
+        for (unsigned i = codeBlock()->inlineCallFrames().size(); i--;) {
+            InlineCallFrame* inlineCallFrame = &codeBlock()->inlineCallFrames()[i];
+            if (m_graph.m_executablesWhoseArgumentsEscaped.contains(
+                    m_graph.executableFor(inlineCallFrame)))
+                m_createsArguments.add(inlineCallFrame);
+        }
+        
+        // Create data for variable access datas that we will want to analyze.
+        for (unsigned i = m_graph.m_variableAccessData.size(); i--;) {
+            VariableAccessData* variableAccessData = &m_graph.m_variableAccessData[i];
+            if (!variableAccessData->isRoot())
+                continue;
+            if (variableAccessData->isCaptured())
+                continue;
+            m_argumentsAliasing.add(variableAccessData, ArgumentsAliasingData());
+        }
+        
+        // Figure out which variables alias the arguments and nothing else, and are
+        // used only for GetByVal and GetArgumentsLength accesses. At the same time,
+        // identify uses of CreateArguments that are not consistent with the arguments
+        // being aliased only to variables that satisfy these constraints.
         for (BlockIndex blockIndex = 0; blockIndex < m_graph.m_blocks.size(); ++blockIndex) {
             BasicBlock* block = m_graph.m_blocks[blockIndex].get();
@@ -61 +156 @@
                 NodeIndex nodeIndex = block->at(indexInBlock);
                 Node& node = m_graph[nodeIndex];
+                if (!node.shouldGenerate())
+                    continue;
                 switch (node.op()) {
-                case GetMyArgumentsLength: {
-                    if (m_graph.m_executablesWhoseArgumentsEscaped.contains(
-                            m_graph.executableFor(node.codeOrigin)))
-                        break;
+                case CreateArguments: {
+                    // Ignore this op. If we see a lone CreateArguments then we want to
+                    // completely ignore it because:
+                    // 1) The default would be to see that the child is a GetLocal on the
+                    //    arguments register and conclude that we have an arguments escape.
+                    // 2) The fact that a CreateArguments exists does not mean that it
+                    //    will continue to exist after we're done with this phase. As far
+                    //    as this phase is concerned, a CreateArguments only "exists" if it
+                    //    is used in a manner that necessitates its existance.
+                    break;
+                }
+                    
+                case SetLocal: {
+                    Node& source = m_graph[node.child1()];
+                    VariableAccessData* variableAccessData = node.variableAccessData();
+                    if (source.op() != CreateArguments) {
+                        // Make sure that the source of the SetLocal knows that if it's
+                        // a variable that we think is aliased to the arguments, then it
+                        // may escape at this point. In future, we could track transitive
+                        // aliasing. But not yet.
+                        observeBadArgumentsUse(node.child1());
+                        
+                        if (variableAccessData->isCaptured())
+                            break;
+                        
+                        // Make sure that if it's a variable that we think is aliased to
+                        // the arguments, that we know that it might actually not be.
+                        ArgumentsAliasingData& data =
+                            m_argumentsAliasing.find(variableAccessData)->second;
+                        data.mergeNonArgumentsAssignment();
+                        data.mergeCallContext(node.codeOrigin.inlineCallFrame);
+                        break;
+                    }
+                    int argumentsRegister =
+                        m_graph.uncheckedArgumentsRegisterFor(node.codeOrigin);
+                    if (variableAccessData->local() == argumentsRegister
+                        || variableAccessData->local() ==
+                            unmodifiedArgumentsRegister(argumentsRegister)) {
+                        if (node.codeOrigin.inlineCallFrame == source.codeOrigin.inlineCallFrame)
+                            break;
+                        m_createsArguments.add(source.codeOrigin.inlineCallFrame);
+                        break;
+                    }
+                    if (variableAccessData->isCaptured()) {
+                        m_createsArguments.add(source.codeOrigin.inlineCallFrame);
+                        break;
+                    }
+                    ArgumentsAliasingData& data =
+                        m_argumentsAliasing.find(variableAccessData)->second;
+                    data.mergeArgumentsAssignment();
+                    // This ensures that the variable's uses are in the same context as
+                    // the arguments it is aliasing.
+                    data.mergeCallContext(node.codeOrigin.inlineCallFrame);
+                    data.mergeCallContext(source.codeOrigin.inlineCallFrame);
+                    break;
+                }
+                    
+                case GetLocal:
+                case Phi: {
+                    VariableAccessData* variableAccessData = node.variableAccessData();
+                    if (variableAccessData->isCaptured())
+                        break;
+                    ArgumentsAliasingData& data =
+                        m_argumentsAliasing.find(variableAccessData)->second;
+                    data.mergeCallContext(node.codeOrigin.inlineCallFrame);
+                    break;
+                }
+                    
+                case Flush: {
+                    VariableAccessData* variableAccessData = node.variableAccessData();
+                    if (variableAccessData->isCaptured())
+                        break;
+                    ArgumentsAliasingData& data =
+                        m_argumentsAliasing.find(variableAccessData)->second;
+                    data.mergeCallContext(node.codeOrigin.inlineCallFrame);
+                    
+                    // If a variable is used in a flush then by definition it escapes.
+                    data.escapes = true;
+                    break;
+                }
+                    
+                case SetArgument: {
+                    VariableAccessData* variableAccessData = node.variableAccessData();
+                    if (variableAccessData->isCaptured())
+                        break;
+                    ArgumentsAliasingData& data =
+                        m_argumentsAliasing.find(variableAccessData)->second;
+                    data.mergeNonArgumentsAssignment();
+                    data.mergeCallContext(node.codeOrigin.inlineCallFrame);
+                    break;
+                }
+                    
+                case GetByVal: {
+                    if (!node.prediction()
+                        || !m_graph[node.child1()].prediction()
+                        || !m_graph[node.child2()].prediction()) {
+                        observeBadArgumentsUses(node);
+                        break;
+                    }
+                    
+                    if (!isActionableArrayPrediction(m_graph[node.child1()].prediction())
+                        || !m_graph[node.child2()].shouldSpeculateInteger()) {
+                        observeBadArgumentsUses(node);
+                        break;
+                    }
+                    
+                    if (m_graph[node.child1()].shouldSpeculateArguments()) {
+                        // If arguments is used as an index, then it's an escaping use.
+                        // That's so awful and pretty much impossible since it would
+                        // imply that the arguments were predicted integer, but it's
+                        // good to be defensive and thorough.
+                        observeBadArgumentsUse(node.child2());
+                        observeProperArgumentsUse(node, node.child1());
+                        break;
+                    }
+                    
+                    observeBadArgumentsUses(node);
+                    break;
+                }
+                    
+                case GetArgumentsLength: {
+                    observeProperArgumentsUse(node, node.child1());
+                    break;
+                }
+                    
+                default:
+                    observeBadArgumentsUses(node);
+                    break;
+                }
+            }
+        }
+
+        // Now we know which variables are aliased to arguments. But if any of them are
+        // found to have escaped, or were otherwise invalidated, then we need to mark
+        // the arguments as requiring creation. This is a property of SetLocals to
+        // variables that are neither the correct arguments register nor are marked as
+        // being arguments-aliased.
+        for (BlockIndex blockIndex = 0; blockIndex < m_graph.m_blocks.size(); ++blockIndex) {
+            BasicBlock* block = m_graph.m_blocks[blockIndex].get();
+            if (!block)
+                continue;
+            for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
+                NodeIndex nodeIndex = block->at(indexInBlock);
+                Node& node = m_graph[nodeIndex];
+                if (!node.shouldGenerate())
+                    continue;
+                if (node.op() != SetLocal)
+                    continue;
+                Node& source = m_graph[node.child1()];
+                if (source.op() != CreateArguments)
+                    continue;
+                VariableAccessData* variableAccessData = node.variableAccessData();
+                if (variableAccessData->isCaptured()) {
+                    // The captured case would have already been taken care of in the
+                    // previous pass.
+                    continue;
+                }
+                
+                ArgumentsAliasingData& data =
+                    m_argumentsAliasing.find(variableAccessData)->second;
+                if (data.isValid())
+                    continue;
+                
+                m_createsArguments.add(source.codeOrigin.inlineCallFrame);
+            }
+        }
+        
+#if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE)
+        dataLog("Arguments aliasing states:\n");
+        for (unsigned i = 0; i < m_graph.m_variableAccessData.size(); ++i) {
+            VariableAccessData* variableAccessData = &m_graph.m_variableAccessData[i];
+            if (!variableAccessData->isRoot())
+                continue;
+            dataLog("   r%d(%s): ", variableAccessData->local(), m_graph.nameOfVariableAccessData(variableAccessData));
+            if (variableAccessData->isCaptured())
+                dataLog("Captured");
+            else {
+                ArgumentsAliasingData& data =
+                    m_argumentsAliasing.find(variableAccessData)->second;
+                bool first = true;
+                if (data.callContextIsValid()) {
+                    if (!first)
+                        dataLog(", ");
+                    dataLog("Have Call Context: %p", data.callContext);
+                    first = false;
+                    if (!m_createsArguments.contains(data.callContext))
+                        dataLog(" (Does Not Create Arguments)");
+                }
+                if (data.argumentsAssignmentIsValid()) {
+                    if (!first)
+                        dataLog(", ");
+                    dataLog("Arguments Assignment Is Valid");
+                    first = false;
+                }
+                if (!data.escapes) {
+                    if (!first)
+                        dataLog(", ");
+                    dataLog("Does Not Escape");
+                    first = false;
+                }
+                if (!first)
+                    dataLog(", ");
+                if (data.isValid()) {
+                    if (m_createsArguments.contains(data.callContext))
+                        dataLog("VALID");
+                    else
+                        dataLog("INVALID (due to argument creation)");
+                } else
+                    dataLog("INVALID (due to bad variable use)");
+            }
+            dataLog("\n");
+        }
+#endif
+        
+        InsertionSet<NodeIndex> insertionSet;
+        
+        for (BlockIndex blockIndex = 0; blockIndex < m_graph.m_blocks.size(); ++blockIndex) {
+            BasicBlock* block = m_graph.m_blocks[blockIndex].get();
+            if (!block)
+                continue;
+            for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
+                NodeIndex nodeIndex = block->at(indexInBlock);
+                Node& node = m_graph[nodeIndex];
+                if (!node.shouldGenerate())
+                    continue;
+                
+                switch (node.op()) {
+                case SetLocal: {
+                    Node& source = m_graph[node.child1()];
+                    if (source.op() != CreateArguments)
+                        break;
+                    
+                    VariableAccessData* variableAccessData = node.variableAccessData();
+                    
+                    // If this is a store into the arguments register for an InlineCallFrame*
+                    // that does not create arguments, then kill it.
+                    int argumentsRegister =
+                        m_graph.uncheckedArgumentsRegisterFor(node.codeOrigin);
+                    if ((variableAccessData->local() == argumentsRegister
+                         || variableAccessData->local()
+                             == unmodifiedArgumentsRegister(argumentsRegister))
+                        && !m_createsArguments.contains(source.codeOrigin.inlineCallFrame)) {
+                        // Find the Flush. It should be the next instruction.
+                        Node& flush = m_graph[block->at(indexInBlock + 1)];
+                        ASSERT(flush.op() == Flush);
+                        ASSERT(flush.variableAccessData() == variableAccessData);
+                        ASSERT(flush.child1() == nodeIndex);
+                        // Be defensive in release mode.
+                        if (flush.op() != Flush
+                            || flush.variableAccessData() != variableAccessData
+                            || flush.child1() != nodeIndex)
+                            break;
+                        flush.setOpAndDefaultFlags(Nop);
+                        m_graph.clearAndDerefChild1(flush);
+                        flush.setRefCount(0);
+                        changed = true;
+                        break;
+                    }
+                    
+                    if (variableAccessData->isCaptured())
+                        break;
+                    
+                    // If this is a store into a VariableAccessData* that is marked as
+                    // arguments aliasing for an InlineCallFrame* that does not create
+                    // arguments, then flag the VariableAccessData as being an
+                    // arguments-aliased. This'll let the OSR exit machinery do the right
+                    // things. Note also that the SetLocal should become dead as soon as
+                    // we replace all uses of this variable with GetMyArgumentsLength and
+                    // GetMyArgumentByVal.
+                    if (m_argumentsAliasing.find(variableAccessData)->second.isValid()
+                        && !m_createsArguments.contains(source.codeOrigin.inlineCallFrame)) {
+                        changed |= variableAccessData->mergeIsArgumentsAlias(true);
+                        break;
+                    }
+                    break;
+                }
+                    
+                case Phantom: {
+                    // It's highly likely that we will have a Phantom referencing either
+                    // CreateArguments, or a local op for the arguments register, or a
+                    // local op for an arguments-aliased variable. In any of those cases,
+                    // we should remote the phantom reference, since:
+                    // 1) Phantoms only exist to aid OSR exit. But arguments simplification
+                    //    has its own OSR exit story, which is to inform OSR exit to reify
+                    //    the arguments as necessary.
+                    // 2) The Phantom may keep the CreateArguments node alive, which is
+                    //    precisely what we don't want.
+                    for (unsigned i = 0; i < AdjacencyList::Size; ++i)
+                        removeArgumentsReferencingPhantomChild(node, i);
+                    break;
+                }
+                    
+                case GetByVal: {
+                    if (!node.prediction()
+                        || !m_graph[node.child1()].prediction()
+                        || !m_graph[node.child2()].prediction())
+                        break;
+                    
+                    if (!isActionableArrayPrediction(m_graph[node.child1()].prediction())
+                        || !m_graph[node.child2()].shouldSpeculateInteger())
+                        break;
+                    
+                    if (m_graph[node.child1()].shouldSpeculateArguments()) {
+                        // This can be simplified to GetMyArgumentByVal if we know that
+                        // it satisfies either condition (1) or (2):
+                        // 1) Its first child is a valid ArgumentsAliasingData and the
+                        //    InlineCallFrame* is not marked as creating arguments.
+                        // 2) Its first child is CreateArguments and its InlineCallFrame*
+                        //    is not marked as creating arguments.
+                        
+                        if (!isOKToOptimize(m_graph[node.child1()]))
+                            break;
+                        
+                        m_graph.deref(node.child1());
+                        node.children.child1() = node.children.child2();
+                        node.children.child2() = Edge();
+                        node.setOpAndDefaultFlags(GetMyArgumentByVal);
+                        changed = true;
+                        --indexInBlock; // Force reconsideration of this op now that it's a GetMyArgumentByVal.
+                        break;
+                    }
+                    break;
+                }
+                    
+                case GetArgumentsLength: {
+                    if (!isOKToOptimize(m_graph[node.child1()]))
+                        break;
+                    
+                    m_graph.deref(node.child1());
+                    node.children.child1() = Edge();
+                    node.setOpAndDefaultFlags(GetMyArgumentsLength);
+                    changed = true;
+                    --indexInBlock; // Force reconsideration of this op noew that it's a GetMyArgumentsLength.
+                    break;
+                }
+                    
+                case GetMyArgumentsLength:
+                case GetMyArgumentsLengthSafe: {
+                    if (m_createsArguments.contains(node.codeOrigin.inlineCallFrame)) {
+                        ASSERT(node.op() == GetMyArgumentsLengthSafe);
+                        break;
+                    }
+                    if (node.op() == GetMyArgumentsLengthSafe) {
+                        node.setOp(GetMyArgumentsLength);
+                        changed = true;
+                    }
                     if (!node.codeOrigin.inlineCallFrame)
                         break;
@@ -83 +522 @@
                 }
                     
-                case GetMyArgumentByVal: {
-                    if (m_graph.m_executablesWhoseArgumentsEscaped.contains(
-                            m_graph.executableFor(node.codeOrigin)))
-                        break;
+                case GetMyArgumentByVal:
+                case GetMyArgumentByValSafe: {
+                    if (m_createsArguments.contains(node.codeOrigin.inlineCallFrame)) {
+                        ASSERT(node.op() == GetMyArgumentByValSafe);
+                        break;
+                    }
+                    if (node.op() == GetMyArgumentByValSafe) {
+                        node.setOp(GetMyArgumentByVal);
+                        changed = true;
+                    }
                     if (!node.codeOrigin.inlineCallFrame)
                         break;
@@ -139 +584 @@
         }
         
+        if (changed)
+            m_graph.collectGarbage();
+        
         return changed;
+    }
+    
+private:
+    HashSet<InlineCallFrame*,
+            DefaultHash<InlineCallFrame*>::Hash,
+            NullableHashTraits<InlineCallFrame*> > m_createsArguments;
+    HashMap<VariableAccessData*, ArgumentsAliasingData,
+            DefaultHash<VariableAccessData*>::Hash,
+            NullableHashTraits<VariableAccessData*> > m_argumentsAliasing;
+
+    void observeBadArgumentsUse(Edge edge)
+    {
+        if (!edge)
+            return;
+        
+        Node& child = m_graph[edge];
+        if (child.op() != GetLocal)
+            return;
+        
+        if (child.local() == m_graph.uncheckedArgumentsRegisterFor(child.codeOrigin)) {
+            m_createsArguments.add(child.codeOrigin.inlineCallFrame);
+            return;
+        }
+        
+        VariableAccessData* variableAccessData = child.variableAccessData();
+        if (variableAccessData->isCaptured())
+            return;
+        
+        ArgumentsAliasingData& data = m_argumentsAliasing.find(variableAccessData)->second;
+        data.escapes = true;
+    }
+    
+    void observeBadArgumentsUses(Node& node)
+    {
+        for (unsigned i = m_graph.numChildren(node); i--;)
+            observeBadArgumentsUse(m_graph.child(node, i));
+    }
+    
+    void observeProperArgumentsUse(Node& node, Edge edge)
+    {
+        Node& child = m_graph[edge];
+        if (child.op() != GetLocal) {
+            // When can this happen? At least two cases that I can think
+            // of:
+            //
+            // 1) Aliased use of arguments in the same basic block,
+            //    like:
+            //
+            //    var a = arguments;
+            //    var x = arguments[i];
+            //
+            // 2) If we're accessing arguments we got from the heap!
+                            
+            if (child.op() == CreateArguments
+                && node.codeOrigin.inlineCallFrame
+                   != child.codeOrigin.inlineCallFrame)
+                m_createsArguments.add(child.codeOrigin.inlineCallFrame);
+            
+            return;
+        }
+                        
+        VariableAccessData* variableAccessData = child.variableAccessData();
+        if (variableAccessData->isCaptured())
+            return;
+                        
+        ArgumentsAliasingData& data = m_argumentsAliasing.find(variableAccessData)->second;
+        data.mergeCallContext(node.codeOrigin.inlineCallFrame);
+    }
+    
+    bool isOKToOptimize(Node& source)
+    {
+        switch (source.op()) {
+        case GetLocal: {
+            VariableAccessData* variableAccessData = source.variableAccessData();
+            if (variableAccessData->isCaptured())
+                break;
+            ArgumentsAliasingData& data =
+                m_argumentsAliasing.find(variableAccessData)->second;
+            if (!data.isValid())
+                break;
+            if (m_createsArguments.contains(source.codeOrigin.inlineCallFrame))
+                break;
+                            
+            return true;
+        }
+                            
+        case CreateArguments: {
+            if (m_createsArguments.contains(source.codeOrigin.inlineCallFrame))
+                break;
+                            
+            return true;
+        }
+                            
+        default:
+            break;
+        }
+        
+        return false;
+    }
+    
+    void removeArgumentsReferencingPhantomChild(Node& node, unsigned edgeIndex)
+    {
+        Edge edge = node.children.child(edgeIndex);
+        if (!edge)
+            return;
+        
+        Node& child = m_graph[edge];
+        switch (child.op()) {
+        case Phi: // Arises if we had CSE on a GetLocal of the arguments register.
+        case GetLocal: // Arises if we had CSE on an arguments access to a variable aliased to the arguments.
+        case SetLocal: { // Arises if we had CSE on a GetLocal of the arguments register.
+            VariableAccessData* variableAccessData = child.variableAccessData();
+            bool isDeadArgumentsRegister =
+                variableAccessData->local() ==
+                    m_graph.uncheckedArgumentsRegisterFor(child.codeOrigin)
+                && !m_createsArguments.contains(child.codeOrigin.inlineCallFrame);
+            bool isAliasedArgumentsRegister =
+                !variableAccessData->isCaptured()
+                && m_argumentsAliasing.find(variableAccessData)->second.isValid()
+                && !m_createsArguments.contains(child.codeOrigin.inlineCallFrame);
+            if (!isDeadArgumentsRegister && !isAliasedArgumentsRegister)
+                break;
+            m_graph.deref(edge);
+            node.children.removeEdgeFromBag(edgeIndex);
+            break;
+        }
+            
+        case CreateArguments: { // Arises if we CSE two GetLocals to the arguments register and then CSE the second use of the GetLocal to the first.
+            if (m_createsArguments.contains(child.codeOrigin.inlineCallFrame))
+                break;
+            m_graph.deref(edge);
+            node.children.removeEdgeFromBag(edgeIndex);
+            break;
+        }
+            
+        default:
+            break;
+        }
     }
 };

branches/dfgopt/Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h

@@ -312 +312 @@
     }
     
-    int argumentsRegisterFor(const CodeOrigin& codeOrigin)
-    {
-        if (!codeOrigin.inlineCallFrame)
+    int argumentsRegisterFor(InlineCallFrame* inlineCallFrame)
+    {
+        if (!inlineCallFrame)
             return codeBlock()->argumentsRegister();
         
         return baselineCodeBlockForInlineCallFrame(
-            codeOrigin.inlineCallFrame)->argumentsRegister() +
-            codeOrigin.inlineCallFrame->stackOffset;
+            inlineCallFrame)->argumentsRegister() + inlineCallFrame->stackOffset;
+    }
+    
+    int argumentsRegisterFor(const CodeOrigin& codeOrigin)
+    {
+        return argumentsRegisterFor(codeOrigin.inlineCallFrame);
     }
     

branches/dfgopt/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -2454 +2454 @@
         case op_create_arguments: {
             m_graph.m_hasArguments = true;
-            m_graph.m_executablesWhoseArgumentsEscaped.add(m_inlineStackTop->executable());
             NodeIndex createArguments = addToGraph(CreateArguments, get(currentInstruction[1].u.operand));
             set(currentInstruction[1].u.operand, createArguments);
@@ -2474 +2473 @@
         case op_get_arguments_length: {
             m_graph.m_hasArguments = true;
-            set(currentInstruction[1].u.operand, addToGraph(GetMyArgumentsLength));
+            set(currentInstruction[1].u.operand, addToGraph(GetMyArgumentsLengthSafe));
             NEXT_OPCODE(op_get_arguments_length);
         }
@@ -2482 +2481 @@
             set(currentInstruction[1].u.operand,
                 addToGraph(
-                    GetMyArgumentByVal, OpInfo(0), OpInfo(getPrediction()),
+                    GetMyArgumentByValSafe, OpInfo(0), OpInfo(getPrediction()),
                     get(currentInstruction[3].u.operand)));
             NEXT_OPCODE(op_get_argument_by_val);

branches/dfgopt/Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp

@@ -396 +396 @@
         if (phiNode.shouldGenerate())
             m_graph.deref(myNodeIndex);
-        for (unsigned i = edgeIndex; i < AdjacencyList::Size - 1; ++i)
-            phiNode.children.setChild(i, phiNode.children.child(i + 1));
-        phiNode.children.setChild(AdjacencyList::Size - 1, Edge());
+        phiNode.children.removeEdgeFromBag(edgeIndex);
     }
     

branches/dfgopt/Source/JavaScriptCore/dfg/DFGGPRInfo.h

@@ -272 +272 @@
     static const GPRReg argumentGPR0 = X86Registers::ecx; // regT2
     static const GPRReg argumentGPR1 = X86Registers::edx; // regT1
+    static const GPRReg nonArgGPR0 = X86Registers::eax; // regT0
+    static const GPRReg nonArgGPR1 = X86Registers::ebx; // regT3
     static const GPRReg returnValueGPR = X86Registers::eax; // regT0
     static const GPRReg returnValueGPR2 = X86Registers::edx; // regT1
@@ -341 +343 @@
     static const GPRReg argumentGPR4 = X86Registers::r8;  // regT6
     static const GPRReg argumentGPR5 = X86Registers::r9;  // regT7
+    static const GPRReg nonArgGPR0 = X86Registers::eax; // regT0
+    static const GPRReg nonArgGPR1 = X86Registers::ebx; // regT3
     static const GPRReg returnValueGPR = X86Registers::eax; // regT0
     static const GPRReg returnValueGPR2 = X86Registers::edx; // regT1
@@ -411 +415 @@
     // any change introducing a problem here is likely to be immediately apparent!
     static const GPRReg argumentGPR3 = ARMRegisters::r3; // FIXME!
+    static const GPRReg nonArgGPR0 = X86Registers::r4; // regT3
+    static const GPRReg nonArgGPR1 = X86Registers::r8; // regT4
     static const GPRReg returnValueGPR = ARMRegisters::r0; // regT0
     static const GPRReg returnValueGPR2 = ARMRegisters::r1; // regT1

branches/dfgopt/Source/JavaScriptCore/dfg/DFGGraph.cpp

@@ -403 +403 @@
 }
 
+void Graph::collectGarbage()
+{
+    // First reset the counts to 0 for all nodes.
+    for (unsigned i = size(); i--;)
+        at(i).setRefCount(0);
+    
+    // Now find the roots: the nodes that are must-generate. Set their ref counts to
+    // 1 and put them on the worklist.
+    Vector<NodeIndex, 128> worklist;
+    for (BlockIndex blockIndex = 0; blockIndex < m_blocks.size(); ++blockIndex) {
+        BasicBlock* block = m_blocks[blockIndex].get();
+        if (!block)
+            continue;
+        for (unsigned indexInBlock = block->size(); indexInBlock--;) {
+            NodeIndex nodeIndex = block->at(indexInBlock);
+            Node& node = at(nodeIndex);
+            if (!(node.flags() & NodeMustGenerate))
+                continue;
+            node.setRefCount(1);
+            worklist.append(nodeIndex);
+        }
+    }
+    
+    while (!worklist.isEmpty()) {
+        NodeIndex nodeIndex = worklist.last();
+        worklist.removeLast();
+        Node& node = at(nodeIndex);
+        ASSERT(node.shouldGenerate()); // It should not be on the worklist unless it's ref'ed.
+        if (node.flags() & NodeHasVarArgs) {
+            for (unsigned childIdx = node.firstChild();
+                 childIdx < node.firstChild() + node.numChildren();
+                 ++childIdx) {
+                NodeIndex childNodeIndex = m_varArgChildren[childIdx].index();
+                if (!at(childNodeIndex).ref())
+                    continue;
+                worklist.append(childNodeIndex);
+            }
+        } else if (node.child1()) {
+            if (at(node.child1()).ref())
+                worklist.append(node.child1().index());
+            if (node.child2()) {
+                if (at(node.child2()).ref())
+                    worklist.append(node.child2().index());
+                if (node.child3()) {
+                    if (at(node.child3()).ref())
+                        worklist.append(node.child3().index());
+                }
+            }
+        }
+    }
+}
+
 void Graph::determineReachability()
 {

branches/dfgopt/Source/JavaScriptCore/dfg/DFGGraph.h

@@ -162 +162 @@
     }
     
+    // Call this if you've modified the reference counts of nodes that deal with
+    // local variables. This is necessary because local variable references can form
+    // cycles, and hence reference counting is not enough. This will reset the
+    // reference counts according to reachability.
+    void collectGarbage();
+    
     void convertToConstant(NodeIndex nodeIndex, unsigned constantNumber)
     {
@@ -305 +311 @@
     }
     
+    ExecutableBase* executableFor(InlineCallFrame* inlineCallFrame)
+    {
+        if (!inlineCallFrame)
+            return m_codeBlock->ownerExecutable();
+        
+        return inlineCallFrame->executable.get();
+    }
+    
     ExecutableBase* executableFor(const CodeOrigin& codeOrigin)
     {
+        return executableFor(codeOrigin.inlineCallFrame);
+    }
+    
+    CodeBlock* baselineCodeBlockFor(const CodeOrigin& codeOrigin)
+    {
+        return baselineCodeBlockForOriginAndBaselineCodeBlock(codeOrigin, m_profiledBlock);
+    }
+    
+    int argumentsRegisterFor(const CodeOrigin& codeOrigin)
+    {
         if (!codeOrigin.inlineCallFrame)
-            return m_codeBlock->ownerExecutable();
-        
-        return codeOrigin.inlineCallFrame->executable.get();
-    }
-    
-    CodeBlock* baselineCodeBlockFor(const CodeOrigin& codeOrigin)
-    {
-        return baselineCodeBlockForOriginAndBaselineCodeBlock(codeOrigin, m_profiledBlock);
+            return m_codeBlock->argumentsRegister();
+        
+        return baselineCodeBlockForInlineCallFrame(
+            codeOrigin.inlineCallFrame)->argumentsRegister() +
+            codeOrigin.inlineCallFrame->stackOffset;
+    }
+    
+    int uncheckedArgumentsRegisterFor(const CodeOrigin& codeOrigin)
+    {
+        if (!codeOrigin.inlineCallFrame)
+            return m_codeBlock->uncheckedArgumentsRegister();
+        
+        CodeBlock* codeBlock = baselineCodeBlockForInlineCallFrame(
+            codeOrigin.inlineCallFrame);
+        if (!codeBlock->usesArguments())
+            return InvalidVirtualRegister;
+        
+        return codeBlock->argumentsRegister() +
+            codeOrigin.inlineCallFrame->stackOffset;
     }
     
@@ -413 +448 @@
         case GetByVal:
             return !byValIsPure(node);
-        case GetMyArgumentByVal:
-            return m_executablesWhoseArgumentsEscaped.contains(
-                executableFor(node.codeOrigin));
         default:
             ASSERT_NOT_REACHED();

branches/dfgopt/Source/JavaScriptCore/dfg/DFGNode.h

@@ -529 +529 @@
         case GetByVal:
         case GetMyArgumentByVal:
+        case GetMyArgumentByValSafe:
         case Call:
         case Construct:

branches/dfgopt/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -64 +64 @@
     macro(GetLocalUnlinked, NodeResultJS) \
     \
-    /* Marker for arguments being set. */\
+    /* Marker for an argument being set at the prologue of a function. */\
     macro(SetArgument, 0) \
     \
@@ -199 +199 @@
     macro(CreateArguments, NodeResultJS) \
     macro(TearOffArguments, NodeMustGenerate) \
-    macro(GetMyArgumentsLength, NodeResultJS | NodeMustGenerate | NodeClobbersWorld) \
-    macro(GetMyArgumentByVal, NodeResultJS | NodeMustGenerate | NodeMightClobber) \
+    macro(GetMyArgumentsLength, NodeResultJS | NodeMustGenerate) \
+    macro(GetMyArgumentByVal, NodeResultJS | NodeMustGenerate) \
+    macro(GetMyArgumentsLengthSafe, NodeResultJS | NodeMustGenerate | NodeClobbersWorld) \
+    macro(GetMyArgumentByValSafe, NodeResultJS | NodeMustGenerate | NodeClobbersWorld) \
     macro(CheckArgumentsNotCreated, NodeMustGenerate) \
     \

branches/dfgopt/Source/JavaScriptCore/dfg/DFGOSRExitCompiler.cpp

@@ -73 +73 @@
 
     {
-        AssemblyHelpers jit(globalData, codeBlock);
+        CCallHelpers jit(globalData, codeBlock);
         OSRExitCompiler exitCompiler(jit);
         

branches/dfgopt/Source/JavaScriptCore/dfg/DFGOSRExitCompiler.h

@@ -32 +32 @@
 
 #include "DFGAssemblyHelpers.h"
+#include "DFGCCallHelpers.h"
 #include "DFGOSRExit.h"
 #include "DFGOperations.h"
@@ -43 +44 @@
 class OSRExitCompiler {
 public:
-    OSRExitCompiler(AssemblyHelpers& jit)
+    OSRExitCompiler(CCallHelpers& jit)
         : m_jit(jit)
     {
@@ -73 +74 @@
     void handleExitCounts(const OSRExit&);
     
-    AssemblyHelpers& m_jit;
+    CCallHelpers& m_jit;
     Vector<unsigned> m_poisonScratchIndices;
 };

branches/dfgopt/Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp

@@ -131 +131 @@
     bool haveConstants = false;
     bool haveUndefined = false;
+    bool haveArguments = false;
     
     for (int index = 0; index < exit.numberOfRecoveries(); ++index) {
@@ -192 +193 @@
             if (recovery.constant().isUndefined())
                 haveUndefined = true;
+            break;
+            
+        case ArgumentsThatWereNotCreated:
+            haveArguments = true;
             break;
             
@@ -527 +532 @@
     }
     
-    // 11) Adjust the old JIT's execute counter. Since we are exiting OSR, we know
+    // 11) Create arguments if necessary and place them into the appropriate aliased
+    //     registers.
+    
+    if (haveArguments) {
+        for (int index = 0; index < exit.numberOfRecoveries(); ++index) {
+            const ValueRecovery& recovery = exit.valueRecovery(index);
+            if (recovery.technique() != ArgumentsThatWereNotCreated)
+                continue;
+            int operand = exit.operandForIndex(index);
+            // Find the right inline call frame.
+            InlineCallFrame* inlineCallFrame = 0;
+            for (InlineCallFrame* current = exit.m_codeOrigin.inlineCallFrame;
+                 current;
+                 current = current->caller.inlineCallFrame) {
+                if (current->stackOffset <= operand) {
+                    inlineCallFrame = current;
+                    break;
+                }
+            }
+            int argumentsRegister = m_jit.argumentsRegisterFor(inlineCallFrame);
+            
+            m_jit.load32(AssemblyHelpers::payloadFor(argumentsRegister), GPRInfo::regT0);
+            AssemblyHelpers::Jump haveArguments = m_jit.branch32(
+                AssemblyHelpers::NotEqual,
+                AssemblyHelpers::tagFor(argumentsRegister),
+                AssemblyHelpers::TrustedImm32(JSValue::EmptyValueTag));
+            
+            if (inlineCallFrame) {
+                m_jit.setupArgumentsWithExecState(
+                    AssemblyHelpers::TrustedImmPtr(inlineCallFrame));
+                m_jit.move(
+                    AssemblyHelpers::TrustedImmPtr(
+                        bitwise_cast<void*>(operationCreateInlinedArguments)),
+                    GPRInfo::nonArgGPR0);
+            } else {
+                m_jit.setupArgumentsExecState();
+                m_jit.move(
+                    AssemblyHelpers::TrustedImmPtr(
+                        bitwise_cast<void*>(operationCreateArguments)),
+                    GPRInfo::nonArgGPR0);
+            }
+            m_jit.call(GPRInfo::nonArgGPR0);
+            m_jit.store32(
+                AssemblyHelpers::TrustedImm32(JSValue::CellTag),
+                AssemblyHelpers::tagFor(argumentsRegister));
+            m_jit.store32(
+                GPRInfo::returnValueGPR,
+                AssemblyHelpers::payloadFor(argumentsRegister));
+            m_jit.store32(
+                AssemblyHelpers::TrustedImm32(JSValue::CellTag),
+                AssemblyHelpers::tagFor(unmodifiedArgumentsRegister(argumentsRegister)));
+            m_jit.store32(
+                GPRInfo::returnValueGPR,
+                AssemblyHelpers::payloadFor(unmodifiedArgumentsRegister(argumentsRegister)));
+            m_jit.move(GPRInfo::returnValueGPR, GPRInfo::regT0); // no-op move on almost all platforms.
+            
+            haveArguments.link(&m_jit);
+            m_jit.store32(
+                AssemblyHelpers::TrustedImm32(JSValue::CellTag),
+                AssemblyHelpers::tagFor(operand));
+            m_jit.store32(GPRInfo::regT0, AssemblyHelpers::payloadFor(operand));
+        }
+    }
+    
+    // 12) Adjust the old JIT's execute counter. Since we are exiting OSR, we know
     //     that all new calls into this code will go to the new JIT, so the execute
     //     counter only affects call frames that performed OSR exit and call frames
@@ -565 +634 @@
     handleExitCounts(exit);
     
-    // 12) Load the result of the last bytecode operation into regT0.
+    // 13) Load the result of the last bytecode operation into regT0.
     
     if (exit.m_lastSetOperand != std::numeric_limits<int>::max()) {
@@ -572 +641 @@
     }
     
-    // 13) Fix call frame (s).
+    // 14) Fix call frame (s).
     
     ASSERT(m_jit.baselineCodeBlock()->getJITType() == JITCode::BaselineJIT);
@@ -611 +680 @@
         m_jit.addPtr(AssemblyHelpers::TrustedImm32(exit.m_codeOrigin.inlineCallFrame->stackOffset * sizeof(EncodedJSValue)), GPRInfo::callFrameRegister);
 
-    // 14) Jump into the corresponding baseline JIT code.
+    // 15) Jump into the corresponding baseline JIT code.
     
     CodeBlock* baselineCodeBlock = m_jit.baselineCodeBlockFor(exit.m_codeOrigin);

branches/dfgopt/Source/JavaScriptCore/dfg/DFGOSRExitCompiler64.cpp

@@ -128 +128 @@
     bool haveUndefined = false;
     bool haveUInt32s = false;
+    bool haveArguments = false;
     
     for (int index = 0; index < exit.numberOfRecoveries(); ++index) {
@@ -183 +184 @@
             if (recovery.constant().isUndefined())
                 haveUndefined = true;
+            break;
+            
+        case ArgumentsThatWereNotCreated:
+            haveArguments = true;
             break;
             
@@ -506 +511 @@
     }
     
-    // 13) Adjust the old JIT's execute counter. Since we are exiting OSR, we know
+    // 13) Create arguments if necessary and place them into the appropriate aliased
+    //     registers.
+    
+    if (haveArguments) {
+        for (int index = 0; index < exit.numberOfRecoveries(); ++index) {
+            const ValueRecovery& recovery = exit.valueRecovery(index);
+            if (recovery.technique() != ArgumentsThatWereNotCreated)
+                continue;
+            int operand = exit.operandForIndex(index);
+            // Find the right inline call frame.
+            InlineCallFrame* inlineCallFrame = 0;
+            for (InlineCallFrame* current = exit.m_codeOrigin.inlineCallFrame;
+                 current;
+                 current = current->caller.inlineCallFrame) {
+                if (current->stackOffset <= operand) {
+                    inlineCallFrame = current;
+                    break;
+                }
+            }
+            int argumentsRegister = m_jit.argumentsRegisterFor(inlineCallFrame);
+            
+            m_jit.loadPtr(AssemblyHelpers::addressFor(argumentsRegister), GPRInfo::regT0);
+            AssemblyHelpers::Jump haveArguments = m_jit.branchTestPtr(
+                AssemblyHelpers::NonZero, GPRInfo::regT0);
+            
+            if (inlineCallFrame) {
+                m_jit.setupArgumentsWithExecState(
+                    AssemblyHelpers::TrustedImmPtr(inlineCallFrame));
+                m_jit.move(
+                    AssemblyHelpers::TrustedImmPtr(
+                        bitwise_cast<void*>(operationCreateInlinedArguments)),
+                    GPRInfo::nonArgGPR0);
+            } else {
+                m_jit.setupArgumentsExecState();
+                m_jit.move(
+                    AssemblyHelpers::TrustedImmPtr(
+                        bitwise_cast<void*>(operationCreateArguments)),
+                    GPRInfo::nonArgGPR0);
+            }
+            m_jit.call(GPRInfo::nonArgGPR0);
+            m_jit.storePtr(GPRInfo::returnValueGPR, AssemblyHelpers::addressFor(argumentsRegister));
+            m_jit.storePtr(
+                GPRInfo::returnValueGPR,
+                AssemblyHelpers::addressFor(unmodifiedArgumentsRegister(argumentsRegister)));
+            m_jit.move(GPRInfo::returnValueGPR, GPRInfo::regT0); // no-op move on almost all platforms.
+            
+            haveArguments.link(&m_jit);
+            m_jit.storePtr(GPRInfo::regT0, AssemblyHelpers::addressFor(operand));
+        }
+    }
+    
+    // 14) Adjust the old JIT's execute counter. Since we are exiting OSR, we know
     //     that all new calls into this code will go to the new JIT, so the execute
     //     counter only affects call frames that performed OSR exit and call frames
@@ -544 +600 @@
     handleExitCounts(exit);
     
-    // 14) Load the result of the last bytecode operation into regT0.
+    // 15) Load the result of the last bytecode operation into regT0.
     
     if (exit.m_lastSetOperand != std::numeric_limits<int>::max())
         m_jit.loadPtr(AssemblyHelpers::addressFor((VirtualRegister)exit.m_lastSetOperand), GPRInfo::cachedResultRegister);
     
-    // 15) Fix call frame(s).
+    // 16) Fix call frame(s).
     
     ASSERT(m_jit.baselineCodeBlock()->getJITType() == JITCode::BaselineJIT);
@@ -585 +641 @@
         m_jit.addPtr(AssemblyHelpers::TrustedImm32(exit.m_codeOrigin.inlineCallFrame->stackOffset * sizeof(EncodedJSValue)), GPRInfo::callFrameRegister);
     
-    // 16) Jump into the corresponding baseline JIT code.
+    // 17) Jump into the corresponding baseline JIT code.
     
     CodeBlock* baselineCodeBlock = m_jit.baselineCodeBlockFor(exit.m_codeOrigin);

branches/dfgopt/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -1025 +1025 @@
 JSCell* DFG_OPERATION operationCreateArguments(ExecState* exec)
 {
-    return Arguments::create(exec->globalData(), exec);
+    // NB: This needs to be exceedingly careful with top call frame tracking, since it
+    // may be called from OSR exit, while the state of the call stack is bizarre.
+    Arguments* result = Arguments::create(exec->globalData(), exec);
+    ASSERT(!exec->globalData().exception);
+    return result;
 }
 
@@ -1031 +1035 @@
     ExecState* exec, InlineCallFrame* inlineCallFrame)
 {
-    return Arguments::create(exec->globalData(), exec, inlineCallFrame);
+    // NB: This needs to be exceedingly careful with top call frame tracking, since it
+    // may be called from OSR exit, while the state of the call stack is bizarre.
+    Arguments* result = Arguments::create(exec->globalData(), exec, inlineCallFrame);
+    ASSERT(!exec->globalData().exception);
+    return result;
 }
 

branches/dfgopt/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -438 +438 @@
         }
             
-        case GetMyArgumentByVal: {
+        case GetMyArgumentByValSafe: {
             changed |= mergePrediction(node.getHeapPrediction());
             changed |= m_graph[node.child1()].mergeFlags(NodeUsedAsNumber | NodeUsedAsInt);
@@ -444 +444 @@
         }
             
-        case GetMyArgumentsLength: {
+        case GetMyArgumentsLengthSafe: {
             changed |= setPrediction(PredictInt32);
             break;
@@ -617 +617 @@
         case GetStringLength:
         case Int32ToDouble:
-        case GetLocalUnlinked: {
+        case GetLocalUnlinked:
+        case GetMyArgumentsLength:
+        case GetMyArgumentByVal: {
             // This node should never be visible at this stage of compilation. It is
             // inserted by fixup(), which follows this phase.

branches/dfgopt/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -801 +801 @@
     case DoubleInRegisterFile:
         fprintf(out, "Double");
+        break;
+    case ArgumentsSource:
+        fprintf(out, "Arguments");
         break;
     case HaveNode:
@@ -987 +990 @@
         else if (at(nodeIndex).variableAccessData()->shouldUseDoubleFormat())
             m_variables[i] = ValueSource(DoubleInRegisterFile);
+        else if (at(nodeIndex).variableAccessData()->isArgumentsAlias())
+            m_variables[i] = ValueSource(ArgumentsSource);
         else
             m_variables[i] = ValueSource::forPrediction(at(nodeIndex).variableAccessData()->prediction());
@@ -1346 +1351 @@
     case DoubleInRegisterFile:
         return ValueRecovery::alreadyInRegisterFileAsUnboxedDouble();
+        
+    case ArgumentsSource:
+        return ValueRecovery::argumentsThatWereNotCreated();
 
     case HaveNode: {
         if (isConstant(valueSource.nodeIndex()))
             return ValueRecovery::constant(valueOfJSConstant(valueSource.nodeIndex()));
-    
+        
         Node* nodePtr = &at(valueSource.nodeIndex());
         if (!nodePtr->shouldGenerate()) {
+            if (nodePtr->op() == CreateArguments)
+                return ValueRecovery::argumentsThatWereNotCreated();
             // It's legitimately dead. As in, nobody will ever use this node, or operand,
             // ever. Set it to Undefined to make the GC happy after the OSR.

branches/dfgopt/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -57 +57 @@
     BooleanInRegisterFile,
     DoubleInRegisterFile,
+    ArgumentsSource,
     HaveNode
 };

branches/dfgopt/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -3910 +3910 @@
         
     case GetMyArgumentsLength: {
-        if (!m_jit.graph().m_executablesWhoseArgumentsEscaped.contains(
-                m_jit.graph().executableFor(node.codeOrigin))) {
-            GPRTemporary result(this);
-            GPRReg resultGPR = result.gpr();
-            
-            speculationCheck(
-                ArgumentsEscaped, JSValueRegs(), NoNode,
-                m_jit.branch32(
-                    JITCompiler::NotEqual,
-                    JITCompiler::tagFor(m_jit.argumentsRegisterFor(node.codeOrigin)),
-                    TrustedImm32(JSValue::EmptyValueTag)));
-            
-            ASSERT(!node.codeOrigin.inlineCallFrame);
-            m_jit.load32(JITCompiler::payloadFor(RegisterFile::ArgumentCount), resultGPR);
-            m_jit.sub32(TrustedImm32(1), resultGPR);
-            integerResult(resultGPR, m_compileIndex);
-            break;
-        }
-        
+        GPRTemporary result(this);
+        GPRReg resultGPR = result.gpr();
+        
+        speculationCheck(
+            ArgumentsEscaped, JSValueRegs(), NoNode,
+            m_jit.branch32(
+                JITCompiler::NotEqual,
+                JITCompiler::tagFor(m_jit.argumentsRegisterFor(node.codeOrigin)),
+                TrustedImm32(JSValue::EmptyValueTag)));
+        
+        ASSERT(!node.codeOrigin.inlineCallFrame);
+        m_jit.load32(JITCompiler::payloadFor(RegisterFile::ArgumentCount), resultGPR);
+        m_jit.sub32(TrustedImm32(1), resultGPR);
+        integerResult(resultGPR, m_compileIndex);
+        break;
+    }
+        
+    case GetMyArgumentsLengthSafe: {
         GPRTemporary resultPayload(this);
         GPRTemporary resultTag(this);
@@ -3971 +3970 @@
         GPRReg resultTagGPR = resultTag.gpr();
         
-        if (!m_jit.graph().m_executablesWhoseArgumentsEscaped.contains(
-                m_jit.graph().executableFor(node.codeOrigin))) {
-            speculationCheck(
-                ArgumentsEscaped, JSValueRegs(), NoNode,
-                m_jit.branch32(
-                    JITCompiler::NotEqual,
-                    JITCompiler::tagFor(m_jit.argumentsRegisterFor(node.codeOrigin)),
-                    TrustedImm32(JSValue::EmptyValueTag)));
-            
-            m_jit.add32(TrustedImm32(1), indexGPR, resultPayloadGPR);
-            
-            if (node.codeOrigin.inlineCallFrame) {
-                speculationCheck(
-                    Uncountable, JSValueRegs(), NoNode,
-                    m_jit.branch32(
-                        JITCompiler::AboveOrEqual,
-                        resultPayloadGPR,
-                        Imm32(node.codeOrigin.inlineCallFrame->arguments.size())));
-            } else {
-                speculationCheck(
-                    Uncountable, JSValueRegs(), NoNode,
-                    m_jit.branch32(
-                        JITCompiler::AboveOrEqual,
-                        resultPayloadGPR,
-                        JITCompiler::payloadFor(RegisterFile::ArgumentCount)));
-            }
-        
-            m_jit.neg32(resultPayloadGPR);
-        
-            size_t baseOffset =
-                ((node.codeOrigin.inlineCallFrame
-                  ? node.codeOrigin.inlineCallFrame->stackOffset
-                  : 0) + CallFrame::argumentOffsetIncludingThis(0)) * sizeof(Register);
-            m_jit.load32(
-                JITCompiler::BaseIndex(
-                    GPRInfo::callFrameRegister, resultPayloadGPR, JITCompiler::TimesEight,
-                    baseOffset + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)),
-                resultTagGPR);
-            m_jit.load32(
-                JITCompiler::BaseIndex(
-                    GPRInfo::callFrameRegister, resultPayloadGPR, JITCompiler::TimesEight,
-                    baseOffset + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)),
-                resultPayloadGPR);
-            
-            jsValueResult(resultTagGPR, resultPayloadGPR, m_compileIndex);
-            break;
-        }
-        
-        JITCompiler::JumpList slowPath;
-        slowPath.append(
+        speculationCheck(
+            ArgumentsEscaped, JSValueRegs(), NoNode,
             m_jit.branch32(
                 JITCompiler::NotEqual,
                 JITCompiler::tagFor(m_jit.argumentsRegisterFor(node.codeOrigin)),
                 TrustedImm32(JSValue::EmptyValueTag)));
-        
+            
         m_jit.add32(TrustedImm32(1), indexGPR, resultPayloadGPR);
+            
         if (node.codeOrigin.inlineCallFrame) {
-            slowPath.append(
+            speculationCheck(
+                Uncountable, JSValueRegs(), NoNode,
                 m_jit.branch32(
                     JITCompiler::AboveOrEqual,
@@ -4034 +3987 @@
                     Imm32(node.codeOrigin.inlineCallFrame->arguments.size())));
         } else {
-            slowPath.append(
+            speculationCheck(
+                Uncountable, JSValueRegs(), NoNode,
                 m_jit.branch32(
                     JITCompiler::AboveOrEqual,
@@ -4057 +4011 @@
                 baseOffset + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)),
             resultPayloadGPR);
+            
+        jsValueResult(resultTagGPR, resultPayloadGPR, m_compileIndex);
+        break;
+    }
+    case GetMyArgumentByValSafe: {
+        SpeculateStrictInt32Operand index(this, node.child1());
+        GPRTemporary resultPayload(this);
+        GPRTemporary resultTag(this);
+        GPRReg indexGPR = index.gpr();
+        GPRReg resultPayloadGPR = resultPayload.gpr();
+        GPRReg resultTagGPR = resultTag.gpr();
+        
+        JITCompiler::JumpList slowPath;
+        slowPath.append(
+            m_jit.branch32(
+                JITCompiler::NotEqual,
+                JITCompiler::tagFor(m_jit.argumentsRegisterFor(node.codeOrigin)),
+                TrustedImm32(JSValue::EmptyValueTag)));
+        
+        m_jit.add32(TrustedImm32(1), indexGPR, resultPayloadGPR);
+        if (node.codeOrigin.inlineCallFrame) {
+            slowPath.append(
+                m_jit.branch32(
+                    JITCompiler::AboveOrEqual,
+                    resultPayloadGPR,
+                    Imm32(node.codeOrigin.inlineCallFrame->arguments.size())));
+        } else {
+            slowPath.append(
+                m_jit.branch32(
+                    JITCompiler::AboveOrEqual,
+                    resultPayloadGPR,
+                    JITCompiler::payloadFor(RegisterFile::ArgumentCount)));
+        }
+        
+        m_jit.neg32(resultPayloadGPR);
+        
+        size_t baseOffset =
+            ((node.codeOrigin.inlineCallFrame
+              ? node.codeOrigin.inlineCallFrame->stackOffset
+              : 0) + CallFrame::argumentOffsetIncludingThis(0)) * sizeof(Register);
+        m_jit.load32(
+            JITCompiler::BaseIndex(
+                GPRInfo::callFrameRegister, resultPayloadGPR, JITCompiler::TimesEight,
+                baseOffset + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)),
+            resultTagGPR);
+        m_jit.load32(
+            JITCompiler::BaseIndex(
+                GPRInfo::callFrameRegister, resultPayloadGPR, JITCompiler::TimesEight,
+                baseOffset + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)),
+            resultPayloadGPR);
         
         addSlowPathGenerator(

branches/dfgopt/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -3891 +3891 @@
         GPRReg resultGPR = result.gpr();
         
-        if (!m_jit.graph().m_executablesWhoseArgumentsEscaped.contains(
-                m_jit.graph().executableFor(node.codeOrigin))) {
-            speculationCheck(
-                ArgumentsEscaped, JSValueRegs(), NoNode,
-                m_jit.branchTestPtr(
-                    JITCompiler::NonZero,
-                    JITCompiler::addressFor(
-                        m_jit.argumentsRegisterFor(node.codeOrigin))));
-            
-            ASSERT(!node.codeOrigin.inlineCallFrame);
-            m_jit.load32(JITCompiler::payloadFor(RegisterFile::ArgumentCount), resultGPR);
-            m_jit.sub32(TrustedImm32(1), resultGPR);
-            integerResult(resultGPR, m_compileIndex);
-            break;
-        }
+        speculationCheck(
+            ArgumentsEscaped, JSValueRegs(), NoNode,
+            m_jit.branchTestPtr(
+                JITCompiler::NonZero,
+                JITCompiler::addressFor(
+                    m_jit.argumentsRegisterFor(node.codeOrigin))));
+        
+        ASSERT(!node.codeOrigin.inlineCallFrame);
+        m_jit.load32(JITCompiler::payloadFor(RegisterFile::ArgumentCount), resultGPR);
+        m_jit.sub32(TrustedImm32(1), resultGPR);
+        integerResult(resultGPR, m_compileIndex);
+        break;
+    }
+        
+    case GetMyArgumentsLengthSafe: {
+        GPRTemporary result(this);
+        GPRReg resultGPR = result.gpr();
         
         JITCompiler::Jump created = m_jit.branchTestPtr(
@@ -3944 +3946 @@
         GPRReg resultGPR = result.gpr();
         
-        if (!m_jit.graph().m_executablesWhoseArgumentsEscaped.contains(
-                m_jit.graph().executableFor(node.codeOrigin))) {
+        speculationCheck(
+            ArgumentsEscaped, JSValueRegs(), NoNode,
+            m_jit.branchTestPtr(
+                JITCompiler::NonZero,
+                JITCompiler::addressFor(
+                    m_jit.argumentsRegisterFor(node.codeOrigin))));
+
+        m_jit.add32(TrustedImm32(1), indexGPR, resultGPR);
+        if (node.codeOrigin.inlineCallFrame) {
             speculationCheck(
-                ArgumentsEscaped, JSValueRegs(), NoNode,
-                m_jit.branchTestPtr(
-                    JITCompiler::NonZero,
-                    JITCompiler::addressFor(
-                        m_jit.argumentsRegisterFor(node.codeOrigin))));
-
-            m_jit.add32(TrustedImm32(1), indexGPR, resultGPR);
-            if (node.codeOrigin.inlineCallFrame) {
-                speculationCheck(
-                    Uncountable, JSValueRegs(), NoNode,
-                    m_jit.branch32(
-                        JITCompiler::AboveOrEqual,
-                        resultGPR,
-                        Imm32(node.codeOrigin.inlineCallFrame->arguments.size())));
-            } else {
-                speculationCheck(
-                    Uncountable, JSValueRegs(), NoNode,
-                    m_jit.branch32(
-                        JITCompiler::AboveOrEqual,
-                        resultGPR,
-                        JITCompiler::payloadFor(RegisterFile::ArgumentCount)));
-            }
-            
-            m_jit.neg32(resultGPR);
-            m_jit.signExtend32ToPtr(resultGPR, resultGPR);
-            
-            m_jit.loadPtr(
-                JITCompiler::BaseIndex(
-                    GPRInfo::callFrameRegister, resultGPR, JITCompiler::TimesEight,
-                    ((node.codeOrigin.inlineCallFrame
-                      ? node.codeOrigin.inlineCallFrame->stackOffset
-                      : 0) + CallFrame::argumentOffsetIncludingThis(0)) * sizeof(Register)),
-                resultGPR);
-
-            jsValueResult(resultGPR, m_compileIndex);
-            break;
-        }
+                Uncountable, JSValueRegs(), NoNode,
+                m_jit.branch32(
+                    JITCompiler::AboveOrEqual,
+                    resultGPR,
+                    Imm32(node.codeOrigin.inlineCallFrame->arguments.size())));
+        } else {
+            speculationCheck(
+                Uncountable, JSValueRegs(), NoNode,
+                m_jit.branch32(
+                    JITCompiler::AboveOrEqual,
+                    resultGPR,
+                    JITCompiler::payloadFor(RegisterFile::ArgumentCount)));
+        }
+            
+        m_jit.neg32(resultGPR);
+        m_jit.signExtend32ToPtr(resultGPR, resultGPR);
+            
+        m_jit.loadPtr(
+            JITCompiler::BaseIndex(
+                GPRInfo::callFrameRegister, resultGPR, JITCompiler::TimesEight,
+                ((node.codeOrigin.inlineCallFrame
+                  ? node.codeOrigin.inlineCallFrame->stackOffset
+                  : 0) + CallFrame::argumentOffsetIncludingThis(0)) * sizeof(Register)),
+            resultGPR);
+
+        jsValueResult(resultGPR, m_compileIndex);
+        break;
+    }
+        
+    case GetMyArgumentByValSafe: {
+        SpeculateStrictInt32Operand index(this, node.child1());
+        GPRTemporary result(this);
+        GPRReg indexGPR = index.gpr();
+        GPRReg resultGPR = result.gpr();
         
         JITCompiler::JumpList slowPath;

branches/dfgopt/Source/JavaScriptCore/dfg/DFGVariableAccessData.h

@@ -48 +48 @@
         , m_flags(0)
         , m_doubleFormatState(EmptyDoubleFormatState)
+        , m_isCaptured(false)
+        , m_isArgumentsAlias(false)
     {
         clearVotes();
@@ -59 +61 @@
         , m_doubleFormatState(EmptyDoubleFormatState)
         , m_isCaptured(isCaptured)
+        , m_isArgumentsAlias(false)
     {
         clearVotes();
@@ -86 +89 @@
     {
         return m_isCaptured;
+    }
+    
+    bool mergeIsArgumentsAlias(bool isArgumentsAlias)
+    {
+        bool newIsArgumentsAlias = m_isArgumentsAlias | isArgumentsAlias;
+        if (newIsArgumentsAlias == m_isArgumentsAlias)
+            return false;
+        m_isArgumentsAlias = newIsArgumentsAlias;
+        return true;
+    }
+    
+    bool isArgumentsAlias()
+    {
+        return m_isArgumentsAlias;
     }
     
@@ -238 +255 @@
     
     bool m_isCaptured;
+    bool m_isArgumentsAlias;
 };
 

branches/dfgopt/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -1567 +1567 @@
     stubCall.addArgument(arguments, regT2);
     stubCall.addArgument(property, regT2);
-    stubCall.call(dst);
+    stubCall.callWithValueProfiling(dst);
 }