Context Navigation

← Previous Changeset
Next Changeset →

Changeset 190220 in webkit

Timestamp:

Sep 24, 2015, 2:42:59 PM (10 years ago)

Author:

msaboff@apple.com

Message:

[ES6] Implement tail calls in the DFG
https://bugs.webkit.org/show_bug.cgi?id=148663

Reviewed by Filip Pizlo.

jsc-tailcall: Implement the tail call opcodes in the DFG
https://bugs.webkit.org/show_bug.cgi?id=146850

This patch adds support for tail calls in the DFG. This requires a slightly high number of nodes:

TailCall and TailCallVarargs are straightforward. They are terminal nodes and have the semantics of an actual tail call.

TailCallInlinedCaller and TailCallVarargsInlinedCaller are here to perform a tail call inside an inlined function. They are non terminal nodes, and are performing the call as a regular call after popping an appropriate number of inlined tail call frames.

TailCallForwardVarargs and TailCallForwardVarargsInlinedCaller are the extension of TailCallVarargs and TailCallVarargsInlinedCaller to enable the varargs forwarding optimization so that we don't lose performance with a tail call instead of a regular call.

This also required two broad kind of changes:

Changes in the JIT itself (DFGSpeculativeJIT) are pretty straightforward since they are just an extension of the baseline JIT changes introduced previously.

Changes in the runtime are mostly related with handling inline call frames. The idea here is that we have a special TailCall type for call frames that indicates to the various pieces of code walking the inline call frame that they should (recursively) skip the caller in their analysis.

bytecode/CallMode.h:

(JSC::specializationKindFor):

bytecode/CodeOrigin.cpp:

(JSC::CodeOrigin::inlineDepthForCallFrame):
(JSC::CodeOrigin::isApproximatelyEqualTo):
(JSC::CodeOrigin::approximateHash):
(JSC::CodeOrigin::inlineStack):

bytecode/CodeOrigin.h:
bytecode/InlineCallFrame.cpp:

(JSC::InlineCallFrame::dumpInContext):
(WTF::printInternal):

bytecode/InlineCallFrame.h:

(JSC::InlineCallFrame::callModeFor):
(JSC::InlineCallFrame::kindFor):
(JSC::InlineCallFrame::varargsKindFor):
(JSC::InlineCallFrame::specializationKindFor):
(JSC::InlineCallFrame::isVarargs):
(JSC::InlineCallFrame::isTail):
(JSC::InlineCallFrame::computeCallerSkippingDeadFrames):
(JSC::InlineCallFrame::getCallerSkippingDeadFrames):
(JSC::InlineCallFrame::getCallerInlineFrameSkippingDeadFrames):

dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

dfg/DFGArgumentsEliminationPhase.cpp:
dfg/DFGBasicBlock.h:

(JSC::DFG::BasicBlock::findTerminal):

dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::inlineCallFrame):
(JSC::DFG::ByteCodeParser::allInlineFramesAreTailCalls):
(JSC::DFG::ByteCodeParser::currentCodeOrigin):
(JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
(JSC::DFG::ByteCodeParser::addCall):
(JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
(JSC::DFG::ByteCodeParser::getPrediction):
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::handleVarargsCall):
(JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
(JSC::DFG::ByteCodeParser::inliningCost):
(JSC::DFG::ByteCodeParser::inlineCall):
(JSC::DFG::ByteCodeParser::attemptToInlineCall):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
(JSC::DFG::ByteCodeParser::parseCodeBlock):

dfg/DFGCapabilities.cpp:

(JSC::DFG::capabilityLevel):

dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

dfg/DFGGraph.cpp:

(JSC::DFG::Graph::isLiveInBytecode):

dfg/DFGGraph.h:

(JSC::DFG::Graph::forAllLocalsLiveInBytecode):

dfg/DFGInPlaceAbstractState.cpp:

(JSC::DFG::InPlaceAbstractState::mergeToSuccessors):

dfg/DFGJITCompiler.cpp:

(JSC::DFG::JITCompiler::willCatchExceptionInMachineFrame):

dfg/DFGLiveCatchVariablePreservationPhase.cpp:

(JSC::DFG::FlushLiveCatchVariablesInsertionPhase::willCatchException):

dfg/DFGNode.h:

(JSC::DFG::Node::hasCallVarargsData):
(JSC::DFG::Node::isTerminal):
(JSC::DFG::Node::hasHeapPrediction):

dfg/DFGNodeType.h:
dfg/DFGOSRExitCompilerCommon.cpp:

(JSC::DFG::handleExitCounts):
(JSC::DFG::reifyInlinedCallFrames):
(JSC::DFG::osrWriteBarrier):

dfg/DFGOSRExitPreparation.cpp:

(JSC::DFG::prepareCodeOriginForOSRExit):

dfg/DFGOperations.cpp:
dfg/DFGPreciseLocalClobberize.h:

(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):

dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):

dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):

dfg/DFGValidate.cpp:

(JSC::DFG::Validate::validateSSA):

dfg/DFGVarargsForwardingPhase.cpp:
interpreter/CallFrame.cpp:

(JSC::CallFrame::bytecodeOffset):

interpreter/StackVisitor.cpp:

(JSC::StackVisitor::gotoNextFrame):

Location:

trunk/Source/JavaScriptCore

Files:

: 33 edited

ChangeLog (modified) (1 diff)
bytecode/CallMode.h (modified) (2 diffs)
bytecode/CodeOrigin.cpp (modified) (4 diffs)
bytecode/CodeOrigin.h (modified) (1 diff)
bytecode/InlineCallFrame.cpp (modified) (3 diffs)
bytecode/InlineCallFrame.h (modified) (5 diffs)
dfg/DFGAbstractInterpreterInlines.h (modified) (2 diffs)
dfg/DFGArgumentsEliminationPhase.cpp (modified) (4 diffs)
dfg/DFGBasicBlock.h (modified) (1 diff)
dfg/DFGByteCodeParser.cpp (modified) (26 diffs)
dfg/DFGCapabilities.cpp (modified) (1 diff)
dfg/DFGClobberize.h (modified) (2 diffs)
dfg/DFGDoesGC.cpp (modified) (2 diffs)
dfg/DFGFixupPhase.cpp (modified) (2 diffs)
dfg/DFGGraph.cpp (modified) (3 diffs)
dfg/DFGGraph.h (modified) (3 diffs)
dfg/DFGInPlaceAbstractState.cpp (modified) (1 diff)
dfg/DFGJITCompiler.cpp (modified) (1 diff)
dfg/DFGLiveCatchVariablePreservationPhase.cpp (modified) (1 diff)
dfg/DFGNode.h (modified) (3 diffs)
dfg/DFGNodeType.h (modified) (2 diffs)
dfg/DFGOSRExitCompilerCommon.cpp (modified) (5 diffs)
dfg/DFGOSRExitPreparation.cpp (modified) (1 diff)
dfg/DFGOperations.cpp (modified) (1 diff)
dfg/DFGPreciseLocalClobberize.h (modified) (2 diffs)
dfg/DFGPredictionPropagationPhase.cpp (modified) (2 diffs)
dfg/DFGSafeToExecute.h (modified) (2 diffs)
dfg/DFGSpeculativeJIT32_64.cpp (modified) (10 diffs)
dfg/DFGSpeculativeJIT64.cpp (modified) (7 diffs)
dfg/DFGValidate.cpp (modified) (1 diff)
dfg/DFGVarargsForwardingPhase.cpp (modified) (2 diffs)
interpreter/CallFrame.cpp (modified) (1 diff)
interpreter/StackVisitor.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/ChangeLog

-              r190217
+              r190220
+-09-24  Michael Saboff  <msaboff@apple.com>
+        [ES6] Implement tail calls in the DFG
+        https://bugs.webkit.org/show_bug.cgi?id=148663
+        Reviewed by Filip Pizlo.
+        jsc-tailcall: Implement the tail call opcodes in the DFG
+        https://bugs.webkit.org/show_bug.cgi?id=146850
+        This patch adds support for tail calls in the DFG. This requires a slightly high number of nodes:
+         - TailCall and TailCallVarargs are straightforward. They are terminal
+           nodes and have the semantics of an actual tail call.
+         - TailCallInlinedCaller and TailCallVarargsInlinedCaller are here to perform a
+           tail call inside an inlined function. They are non terminal nodes,
+           and are performing the call as a regular call after popping an
+           appropriate number of inlined tail call frames.
+         - TailCallForwardVarargs and TailCallForwardVarargsInlinedCaller are the
+           extension of TailCallVarargs and TailCallVarargsInlinedCaller to enable
+           the varargs forwarding optimization so that we don't lose
+           performance with a tail call instead of a regular call.
+        This also required two broad kind of changes:
+         - Changes in the JIT itself (DFGSpeculativeJIT) are pretty
+           straightforward since they are just an extension of the baseline JIT
+           changes introduced previously.
+         - Changes in the runtime are mostly related with handling inline call
+           frames. The idea here is that we have a special TailCall type for
+           call frames that indicates to the various pieces of code walking the
+           inline call frame that they should (recursively) skip the caller in
+           their analysis.
+        * bytecode/CallMode.h:
+        (JSC::specializationKindFor):
+        * bytecode/CodeOrigin.cpp:
+        (JSC::CodeOrigin::inlineDepthForCallFrame):
+        (JSC::CodeOrigin::isApproximatelyEqualTo):
+        (JSC::CodeOrigin::approximateHash):
+        (JSC::CodeOrigin::inlineStack):
+        * bytecode/CodeOrigin.h:
+        * bytecode/InlineCallFrame.cpp:
+        (JSC::InlineCallFrame::dumpInContext):
+        (WTF::printInternal):
+        * bytecode/InlineCallFrame.h:
+        (JSC::InlineCallFrame::callModeFor):
+        (JSC::InlineCallFrame::kindFor):
+        (JSC::InlineCallFrame::varargsKindFor):
+        (JSC::InlineCallFrame::specializationKindFor):
+        (JSC::InlineCallFrame::isVarargs):
+        (JSC::InlineCallFrame::isTail):
+        (JSC::InlineCallFrame::computeCallerSkippingDeadFrames):
+        (JSC::InlineCallFrame::getCallerSkippingDeadFrames):
+        (JSC::InlineCallFrame::getCallerInlineFrameSkippingDeadFrames):
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGArgumentsEliminationPhase.cpp:
+        * dfg/DFGBasicBlock.h:
+        (JSC::DFG::BasicBlock::findTerminal):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::inlineCallFrame):
+        (JSC::DFG::ByteCodeParser::allInlineFramesAreTailCalls):
+        (JSC::DFG::ByteCodeParser::currentCodeOrigin):
+        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
+        (JSC::DFG::ByteCodeParser::addCall):
+        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
+        (JSC::DFG::ByteCodeParser::getPrediction):
+        (JSC::DFG::ByteCodeParser::handleCall):
+        (JSC::DFG::ByteCodeParser::handleVarargsCall):
+        (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
+        (JSC::DFG::ByteCodeParser::inliningCost):
+        (JSC::DFG::ByteCodeParser::inlineCall):
+        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+        (JSC::DFG::ByteCodeParser::parseCodeBlock):
+        * dfg/DFGCapabilities.cpp:
+        (JSC::DFG::capabilityLevel):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGGraph.cpp:
+        (JSC::DFG::Graph::isLiveInBytecode):
+        * dfg/DFGGraph.h:
+        (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
+        * dfg/DFGInPlaceAbstractState.cpp:
+        (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::willCatchExceptionInMachineFrame):
+        * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
+        (JSC::DFG::FlushLiveCatchVariablesInsertionPhase::willCatchException):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::hasCallVarargsData):
+        (JSC::DFG::Node::isTerminal):
+        (JSC::DFG::Node::hasHeapPrediction):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGOSRExitCompilerCommon.cpp:
+        (JSC::DFG::handleExitCounts):
+        (JSC::DFG::reifyInlinedCallFrames):
+        (JSC::DFG::osrWriteBarrier):
+        * dfg/DFGOSRExitPreparation.cpp:
+        (JSC::DFG::prepareCodeOriginForOSRExit):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGPreciseLocalClobberize.h:
+        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::emitCall):
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::emitCall):
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGValidate.cpp:
+        (JSC::DFG::Validate::validateSSA):
+        * dfg/DFGVarargsForwardingPhase.cpp:
+        * interpreter/CallFrame.cpp:
+        (JSC::CallFrame::bytecodeOffset):
+        * interpreter/StackVisitor.cpp:
+        (JSC::StackVisitor::gotoNextFrame):
 -09-23  Filip Pizlo  <fpizlo@apple.com>

trunk/Source/JavaScriptCore/bytecode/CallMode.h

-              r189774
+              r190220
 #define CallMode_h
+#include "CodeSpecializationKind.h"
 namespace JSC {
 …
 enum FrameAction { KeepTheFrame = 0, ReuseTheFrame };
+inline CodeSpecializationKind specializationKindFor(CallMode callMode)
+{
+    if (callMode == CallMode::Construct)
+        return CodeForConstruct;
+    return CodeForCall;
+}
 } // namespace JSC

trunk/Source/JavaScriptCore/bytecode/CodeOrigin.cpp

-              r188585
+              r190220
+{
     unsigned result = 1;
     for (InlineCallFrame* current = inlineCallFrame; current; current = current->caller.inlineCallFrame)
+    for (InlineCallFrame* current = inlineCallFrame; current; current = current->directCaller.inlineCallFrame)
         result++;
     return result;
 …
             return false;
         a = a.inlineCallFrame->caller;
         b = b.inlineCallFrame->caller;
+        a = a.inlineCallFrame->directCaller;
+        b = b.inlineCallFrame->directCaller;
+    }
+}
 …
         result += WTF::PtrHash<JSCell*>::hash(codeOrigin.inlineCallFrame->executable.get());
         codeOrigin = codeOrigin.inlineCallFrame->caller;
+        codeOrigin = codeOrigin.inlineCallFrame->directCaller;
+    }
+}
 …
     result.last() = *this;
     unsigned index = result.size() - 2;
     for (InlineCallFrame* current = inlineCallFrame; current; current = current->caller.inlineCallFrame)
         result[index--] = current->caller;
+    for (InlineCallFrame* current = inlineCallFrame; current; current = current->directCaller.inlineCallFrame)
+        result[index--] = current->directCaller;
     RELEASE_ASSERT(!result[0].inlineCallFrame);
     return result;

trunk/Source/JavaScriptCore/bytecode/CodeOrigin.h

r190073	r190220
27	27	#define CodeOrigin_h
28	28
	29	#include "CallMode.h"
29	30	#include "CodeBlockHash.h"
30	31	#include "CodeSpecializationKind.h"

trunk/Source/JavaScriptCore/bytecode/InlineCallFrame.cpp

-              r189518
+              r190220
     if (executable->isStrictMode())
         out.print(" (StrictMode)");
     out.print(", bc#", caller.bytecodeIndex, ", ", kind);
+    out.print(", bc#", directCaller.bytecodeIndex, ", ", static_cast<Kind>(kind));
     if (isClosureCall)
         out.print(", closure call");
 …
         out.print("Construct");
         return;
+    case JSC::InlineCallFrame::TailCall:
+        out.print("TailCall");
+        return;
     case JSC::InlineCallFrame::CallVarargs:
         out.print("CallVarargs");
 …
     case JSC::InlineCallFrame::ConstructVarargs:
         out.print("ConstructVarargs");
+        return;
+    case JSC::InlineCallFrame::TailCallVarargs:
+        out.print("TailCallVarargs");
         return;
     case JSC::InlineCallFrame::GetterCall:

trunk/Source/JavaScriptCore/bytecode/InlineCallFrame.h

-              r189518
+              r190220
         Call,
         Construct,
+        TailCall,
         CallVarargs,
         ConstructVarargs,
+        TailCallVarargs,
         // For these, the stackOffset incorporates the argument count plus the true return PC
 …
         SetterCall
     };
+    static Kind kindFor(CodeSpecializationKind kind)
+    {
+        switch (kind) {
+        case CodeForCall:
+            return Call;
+        case CodeForConstruct:
+            return Construct;
+        }
+        RELEASE_ASSERT_NOT_REACHED();
+        return Call;
+    }
+    static Kind varargsKindFor(CodeSpecializationKind kind)
+    {
+        switch (kind) {
+        case CodeForCall:
+            return CallVarargs;
+        case CodeForConstruct:
+            return ConstructVarargs;
+        }
+        RELEASE_ASSERT_NOT_REACHED();
+        return Call;
+    }
+    static CodeSpecializationKind specializationKindFor(Kind kind)
+    static CallMode callModeFor(Kind kind)
+    {
         switch (kind) {
         case Call:
         case CallVarargs:
+        case GetterCall:
+        case SetterCall:
+            return CallMode::Regular;
+        case TailCall:
+        case TailCallVarargs:
+            return CallMode::Tail;
+        case Construct:
+        case ConstructVarargs:
+            return CallMode::Construct;
+        }
+        RELEASE_ASSERT_NOT_REACHED();
+    }
+    static Kind kindFor(CallMode callMode)
+    {
+        switch (callMode) {
+        case CallMode::Regular:
+            return Call;
+        case CallMode::Construct:
+            return Construct;
+        case CallMode::Tail:
+            return TailCall;
+        }
+        RELEASE_ASSERT_NOT_REACHED();
+    }
+    static Kind varargsKindFor(CallMode callMode)
+    {
+        switch (callMode) {
+        case CallMode::Regular:
+            return CallVarargs;
+        case CallMode::Construct:
+            return ConstructVarargs;
+        case CallMode::Tail:
+            return TailCallVarargs;
+        }
+        RELEASE_ASSERT_NOT_REACHED();
+    }
+    static CodeSpecializationKind specializationKindFor(Kind kind)
+    {
+        switch (kind) {
+        case Call:
+        case CallVarargs:
+        case TailCall:
+        case TailCallVarargs:
         case GetterCall:
         case SetterCall:
 …
+        }
         RELEASE_ASSERT_NOT_REACHED();
-        return CodeForCall;
+    }
 …
         switch (kind) {
         case CallVarargs:
+        case TailCallVarargs:
         case ConstructVarargs:
             return true;
 …
+        }
+    }
+    static bool isTail(Kind kind)
+    {
+        switch (kind) {
+        case TailCall:
+        case TailCallVarargs:
+            return true;
+        default:
+            return false;
+        }
+    }
+    bool isTail() const
+    {
+        return isTail(static_cast<Kind>(kind));
+    }
+    static CodeOrigin* computeCallerSkippingDeadFrames(InlineCallFrame* inlineCallFrame)
+    {
+        CodeOrigin* codeOrigin;
+        bool tailCallee;
+        do {
+            tailCallee = inlineCallFrame->isTail();
+            codeOrigin = &inlineCallFrame->directCaller;
+            inlineCallFrame = codeOrigin->inlineCallFrame;
+        } while (inlineCallFrame && tailCallee);
+        if (tailCallee)
+            return nullptr;
+        return codeOrigin;
+    }
+    CodeOrigin* getCallerSkippingDeadFrames()
+    {
+        return computeCallerSkippingDeadFrames(this);
+    }
+    InlineCallFrame* getCallerInlineFrameSkippingDeadFrames()
+    {
+        CodeOrigin* caller = getCallerSkippingDeadFrames();
+        return caller ? caller->inlineCallFrame : nullptr;
+    }
     Vector<ValueRecovery> arguments; // Includes 'this'.
     WriteBarrier<ScriptExecutable> executable;
     ValueRecovery calleeRecovery;
     CodeOrigin caller;
+    CodeOrigin directCaller;
     signed stackOffset : 28;

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

-              r190076
+              r190220
     case Return:
+        m_state.setIsValid(false);
+        break;
+    case TailCall:
+    case TailCallVarargs:
+    case TailCallForwardVarargs:
+        clobberWorld(node->origin.semantic, clobberLimit);
         m_state.setIsValid(false);
         break;
 …
     case Call:
+    case TailCallInlinedCaller:
     case Construct:
     case CallVarargs:
     case CallForwardVarargs:
+    case TailCallVarargsInlinedCaller:
     case ConstructVarargs:
     case ConstructForwardVarargs:
+    case TailCallForwardVarargsInlinedCaller:
         clobberWorld(node->origin.semantic, clobberLimit);
         forNode(node).makeHeapTop();

trunk/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp

-              r188979
+              r190220
                 case CallVarargs:
                 case ConstructVarargs:
+                case TailCallVarargs:
+                case TailCallVarargsInlinedCaller:
                     escape(node->child1());
                     escape(node->child3());
 …
                 case CallVarargs:
+                case ConstructVarargs: {
+                case ConstructVarargs:
+                case TailCallVarargs:
+                case TailCallVarargsInlinedCaller: {
                     Node* candidate = node->child2().node();
                     if (!m_candidates.contains(candidate))
 …
                         for (Node* argument : arguments)
                             m_graph.m_varArgChildren.append(Edge(argument));
+                        node->setOpAndDefaultFlags(
+                            node->op() == CallVarargs ? Call : Construct);
+                        switch (node->op()) {
+                        case CallVarargs:
+                            node->setOpAndDefaultFlags(Call);
+                            break;
+                        case ConstructVarargs:
+                            node->setOpAndDefaultFlags(Construct);
+                            break;
+                        case TailCallVarargs:
+                            node->setOpAndDefaultFlags(TailCall);
+                            break;
+                        case TailCallVarargsInlinedCaller:
+                            node->setOpAndDefaultFlags(TailCallInlinedCaller);
+                            break;
+                        default:
+                            RELEASE_ASSERT_NOT_REACHED();
+                        }
                         node->children = AdjacencyList(
                             AdjacencyList::Variable,
 …
+                    }
+                    node->setOpAndDefaultFlags(
+                        node->op() == CallVarargs ? CallForwardVarargs : ConstructForwardVarargs);
+                    switch (node->op()) {
+                    case CallVarargs:
+                        node->setOpAndDefaultFlags(CallForwardVarargs);
+                        break;
+                    case ConstructVarargs:
+                        node->setOpAndDefaultFlags(ConstructForwardVarargs);
+                        break;
+                    case TailCallVarargs:
+                        node->setOpAndDefaultFlags(TailCallForwardVarargs);
+                        break;
+                    case TailCallVarargsInlinedCaller:
+                        node->setOpAndDefaultFlags(TailCallForwardVarargsInlinedCaller);
+                        break;
+                    default:
+                        RELEASE_ASSERT_NOT_REACHED();
+                    }
                     break;
+                }

trunk/Source/JavaScriptCore/dfg/DFGBasicBlock.h

-              r189531
+              r190220
             case Switch:
             case Return:
+            case TailCall:
+            case TailCallVarargs:
+            case TailCallForwardVarargs:
             case Unreachable:
                 return NodeAndIndex(node, i);

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

-              r190076
+              r190220
         SpeculatedType prediction);
     void handleCall(
         int result, NodeType op, InlineCallFrame::Kind, unsigned instructionSize,
+        int result, NodeType op, CallMode, unsigned instructionSize,
         Node* callTarget, int argCount, int registerOffset, CallLinkStatus);
     void handleCall(int result, NodeType op, CodeSpecializationKind, unsigned instructionSize, int callee, int argCount, int registerOffset);
     void handleCall(Instruction* pc, NodeType op, CodeSpecializationKind);
     void handleVarargsCall(Instruction* pc, NodeType op, CodeSpecializationKind);
+    void handleCall(int result, NodeType op, CallMode, unsigned instructionSize, int callee, int argCount, int registerOffset);
+    void handleCall(Instruction* pc, NodeType op, CallMode);
+    void handleVarargsCall(Instruction* pc, NodeType op, CallMode);
     void emitFunctionChecks(CallVariant, Node* callTarget, VirtualRegister thisArgumnt);
     void emitArgumentPhantoms(int registerOffset, int argumentCountIncludingThis);
     unsigned inliningCost(CallVariant, int argumentCountIncludingThis, CodeSpecializationKind); // Return UINT_MAX if it's not an inlining candidate. By convention, intrinsics have a cost of 1.
+    unsigned inliningCost(CallVariant, int argumentCountIncludingThis, CallMode); // Return UINT_MAX if it's not an inlining candidate. By convention, intrinsics have a cost of 1.
     // Handle inlining. Return true if it succeeded, false if we need to plant a call.
     bool handleInlining(Node* callTargetNode, int resultOperand, const CallLinkStatus&, int registerOffset, VirtualRegister thisArgument, VirtualRegister argumentsArgument, unsigned argumentsOffset, int argumentCountIncludingThis, unsigned nextOffset, NodeType callOp, InlineCallFrame::Kind, SpeculatedType prediction);
 …
+    }
+    bool allInlineFramesAreTailCalls()
+    {
+        return !inlineCallFrame() || !inlineCallFrame()->getCallerSkippingDeadFrames();
+    }
     CodeOrigin currentCodeOrigin()
+    {
 …
     Node* addCallWithoutSettingResult(
         NodeType op, OpInfo opInfo, Node* callee, int argCount, int registerOffset,
         SpeculatedType prediction)
+        OpInfo prediction)
+    {
         addVarArgChild(callee);
 …
             addVarArgChild(get(virtualRegisterForArgument(i, registerOffset)));
         return addToGraph(Node::VarArg, op, opInfo, OpInfo(prediction));
+        return addToGraph(Node::VarArg, op, opInfo, prediction);
+    }
 …
         SpeculatedType prediction)
+    {
+        if (op == TailCall) {
+            if (allInlineFramesAreTailCalls())
+                return addCallWithoutSettingResult(op, OpInfo(), callee, argCount, registerOffset, OpInfo());
+            op = TailCallInlinedCaller;
+        }
         Node* call = addCallWithoutSettingResult(
             op, opInfo, callee, argCount, registerOffset, prediction);
+            op, opInfo, callee, argCount, registerOffset, OpInfo(prediction));
         VirtualRegister resultReg(result);
         if (resultReg.isValid())
 …
     SpeculatedType getPredictionWithoutOSRExit(unsigned bytecodeIndex)
+    {
+        ConcurrentJITLocker locker(m_inlineStackTop->m_profiledBlock->m_lock);
+        return m_inlineStackTop->m_profiledBlock->valueProfilePredictionForBytecodeOffset(locker, bytecodeIndex);
+        SpeculatedType prediction;
+        CodeBlock* profiledBlock = nullptr;
+        {
+            ConcurrentJITLocker locker(m_inlineStackTop->m_profiledBlock->m_lock);
+            prediction = m_inlineStackTop->m_profiledBlock->valueProfilePredictionForBytecodeOffset(locker, bytecodeIndex);
+            if (prediction == SpecNone) {
+                // If we have no information about the values this
+                // node generates, we check if by any chance it is
+                // a tail call opcode. In that case, we walk up the
+                // inline frames to find a call higher in the call
+                // chain and use its prediction. If we only have
+                // inlined tail call frames, we use SpecFullTop
+                // to avoid a spurious OSR exit.
+                Instruction* instruction = m_inlineStackTop->m_profiledBlock->instructions().begin() + bytecodeIndex;
+                OpcodeID opcodeID = m_vm->interpreter->getOpcodeID(instruction->u.opcode);
+                switch (opcodeID) {
+                case op_tail_call:
+                case op_tail_call_varargs: {
+                    if (!inlineCallFrame()) {
+                        prediction = SpecFullTop;
+                        break;
+                    }
+                    CodeOrigin* codeOrigin = inlineCallFrame()->getCallerSkippingDeadFrames();
+                    if (!codeOrigin) {
+                        prediction = SpecFullTop;
+                        break;
+                    }
+                    InlineStackEntry* stack = m_inlineStackTop;
+                    while (stack->m_inlineCallFrame != codeOrigin->inlineCallFrame)
+                        stack = stack->m_caller;
+                    bytecodeIndex = codeOrigin->bytecodeIndex;
+                    profiledBlock = stack->m_profiledBlock;
+                    break;
+                }
+                default:
+                    break;
+                }
+            }
+        }
+        if (profiledBlock) {
+            ConcurrentJITLocker locker(profiledBlock->m_lock);
+            prediction = profiledBlock->valueProfilePredictionForBytecodeOffset(locker, bytecodeIndex);
+        }
+        return prediction;
+    }
 …
+    {
         SpeculatedType prediction = getPredictionWithoutOSRExit(bytecodeIndex);
         if (prediction == SpecNone) {
             // We have no information about what values this node generates. Give up
 …
     return shouldContinueParsing
 void ByteCodeParser::handleCall(Instruction* pc, NodeType op, CodeSpecializationKind kind)
+void ByteCodeParser::handleCall(Instruction* pc, NodeType op, CallMode callMode)
+{
     ASSERT(OPCODE_LENGTH(op_call) == OPCODE_LENGTH(op_construct));
+    ASSERT(OPCODE_LENGTH(op_call) == OPCODE_LENGTH(op_tail_call));
     handleCall(
         pc[1].u.operand, op, kind, OPCODE_LENGTH(op_call),
+        pc[1].u.operand, op, callMode, OPCODE_LENGTH(op_call),
         pc[2].u.operand, pc[3].u.operand, -pc[4].u.operand);
+}
 void ByteCodeParser::handleCall(
     int result, NodeType op, CodeSpecializationKind kind, unsigned instructionSize,
+    int result, NodeType op, CallMode callMode, unsigned instructionSize,
     int callee, int argumentCountIncludingThis, int registerOffset)
+{
 …
     handleCall(
         result, op, InlineCallFrame::kindFor(kind), instructionSize, callTarget,
+        result, op, callMode, instructionSize, callTarget,
         argumentCountIncludingThis, registerOffset, callLinkStatus);
+}
 void ByteCodeParser::handleCall(
     int result, NodeType op, InlineCallFrame::Kind kind, unsigned instructionSize,
+    int result, NodeType op, CallMode callMode, unsigned instructionSize,
     Node* callTarget, int argumentCountIncludingThis, int registerOffset,
     CallLinkStatus callLinkStatus)
+{
     handleCall(
         result, op, kind, instructionSize, callTarget, argumentCountIncludingThis,
+        result, op, InlineCallFrame::kindFor(callMode), instructionSize, callTarget, argumentCountIncludingThis,
         registerOffset, callLinkStatus, getPrediction());
+}
 …
         // Oddly, this conflates calls that haven't executed with calls that behaved sufficiently polymorphically
         // that we cannot optimize them.
         addCall(result, op, OpInfo(), callTarget, argumentCountIncludingThis, registerOffset, prediction);
         return;
 …
+}
 void ByteCodeParser::handleVarargsCall(Instruction* pc, NodeType op, CodeSpecializationKind kind)
+void ByteCodeParser::handleVarargsCall(Instruction* pc, NodeType op, CallMode callMode)
+{
     ASSERT(OPCODE_LENGTH(op_call_varargs) == OPCODE_LENGTH(op_construct_varargs));
+    ASSERT(OPCODE_LENGTH(op_call_varargs) == OPCODE_LENGTH(op_tail_call_varargs));
     int result = pc[1].u.operand;
 …
     if (callLinkStatus.canOptimize()
         && handleInlining(callTarget, result, callLinkStatus, firstFreeReg, VirtualRegister(thisReg), VirtualRegister(arguments), firstVarArgOffset, 0, m_currentIndex + OPCODE_LENGTH(op_call_varargs), op, InlineCallFrame::varargsKindFor(kind), prediction)) {
+        && handleInlining(callTarget, result, callLinkStatus, firstFreeReg, VirtualRegister(thisReg), VirtualRegister(arguments), firstVarArgOffset, 0, m_currentIndex + OPCODE_LENGTH(op_call_varargs), op, InlineCallFrame::varargsKindFor(callMode), prediction)) {
         if (m_graph.compilation())
             m_graph.compilation()->noticeInlinedCall();
 …
     Node* thisChild = get(VirtualRegister(thisReg));
+    if (op == TailCallVarargs) {
+        if (allInlineFramesAreTailCalls()) {
+            addToGraph(op, OpInfo(data), OpInfo(), callTarget, get(VirtualRegister(arguments)), thisChild);
+            return;
+        }
+        op = TailCallVarargsInlinedCaller;
+    }
     Node* call = addToGraph(op, OpInfo(data), OpInfo(prediction), callTarget, get(VirtualRegister(arguments)), thisChild);
     VirtualRegister resultReg(result);
 …
+}
 unsigned ByteCodeParser::inliningCost(CallVariant callee, int argumentCountIncludingThis, CodeSpecializationKind kind)
+unsigned ByteCodeParser::inliningCost(CallVariant callee, int argumentCountIncludingThis, CallMode callMode)
+{
+    CodeSpecializationKind kind = specializationKindFor(callMode);
     if (verbose)
         dataLog("Considering inlining ", callee, " into ", currentCodeOrigin(), "\n");
 …
         codeBlock, kind, callee.isClosureCall());
     if (verbose) {
         dataLog("    Kind: ", kind, "\n");
+        dataLog("    Call mode: ", callMode, "\n");
         dataLog("    Is closure call: ", callee.isClosureCall(), "\n");
         dataLog("    Capability level: ", capabilityLevel, "\n");
 …
     CodeSpecializationKind specializationKind = InlineCallFrame::specializationKindFor(kind);
     ASSERT(inliningCost(callee, argumentCountIncludingThis, specializationKind) != UINT_MAX);
+    ASSERT(inliningCost(callee, argumentCountIncludingThis, InlineCallFrame::callModeFor(kind)) != UINT_MAX);
     CodeBlock* codeBlock = callee.functionExecutable()->baselineCodeBlockFor(specializationKind);
 …
         return;
+    }
     if (Options::verboseDFGByteCodeParsing())
         dataLog("    Creating new block after inlining.\n");
 …
+    }
     unsigned myInliningCost = inliningCost(callee, argumentCountIncludingThis, specializationKind);
+    unsigned myInliningCost = inliningCost(callee, argumentCountIncludingThis, InlineCallFrame::callModeFor(kind));
     if (myInliningCost > inliningBalance)
         return false;
 …
             // be true anyway except for op_loop_hint, which emits a Phantom to force this
             // to be true.
+            if (!m_currentBlock->isEmpty())
+            // We also don't insert a jump if the block already has a terminal,
+            // which could happen after a tail call.
+            ASSERT(m_currentBlock->isEmpty() || !m_currentBlock->terminal()
+                || m_currentBlock->terminal()->op() == TailCall || m_currentBlock->terminal()->op() == TailCallVarargs);
+            if (!m_currentBlock->isEmpty() && !m_currentBlock->terminal())
                 addToGraph(Jump, OpInfo(m_currentIndex));
             return shouldContinueParsing;
 …
         case op_jmp: {
+            if (m_currentBlock->terminal()) {
+                // We could be the dummy jump to a return after a non-inlined, non-emulated tail call in a ternary operator
+                Node* terminal = m_currentBlock->terminal();
+                ASSERT_UNUSED(terminal, terminal->op() == TailCall || terminal->op() == TailCallVarargs);
+                LAST_OPCODE(op_ret);
+            }
             int relativeOffset = currentInstruction[1].u.operand;
             addToGraph(Jump, OpInfo(m_currentIndex + relativeOffset));
 …
         case op_ret:
+            if (m_currentBlock->terminal()) {
+                // We could be the dummy return after a non-inlined, non-emulated tail call
+                Node* terminal = m_currentBlock->terminal();
+                ASSERT_UNUSED(terminal, terminal->op() == TailCall || terminal->op() == TailCallVarargs);
+                LAST_OPCODE(op_ret);
+            }
             if (inlineCallFrame()) {
                 flushForReturn();
 …
         case op_call:
             handleCall(currentInstruction, Call, CodeForCall);
+            handleCall(currentInstruction, Call, CallMode::Regular);
             // Verify that handleCall(), which could have inlined the callee, didn't trash m_currentInstruction
             ASSERT(m_currentInstruction == currentInstruction);
             NEXT_OPCODE(op_call);
+        case op_tail_call:
+            flushForReturn();
+            handleCall(currentInstruction, TailCall, CallMode::Tail);
+            // Verify that handleCall(), which could have inlined the callee, didn't trash m_currentInstruction
+            ASSERT(m_currentInstruction == currentInstruction);
+            // We let the following op_ret handle cases related to
+            // inlining to keep things simple.
+            NEXT_OPCODE(op_tail_call);
         case op_construct:
             handleCall(currentInstruction, Construct, CodeForConstruct);
+            handleCall(currentInstruction, Construct, CallMode::Construct);
             NEXT_OPCODE(op_construct);
         case op_call_varargs: {
             handleVarargsCall(currentInstruction, CallVarargs, CodeForCall);
+            handleVarargsCall(currentInstruction, CallVarargs, CallMode::Regular);
             NEXT_OPCODE(op_call_varargs);
+        }
+        case op_tail_call_varargs: {
+            flushForReturn();
+            handleVarargsCall(currentInstruction, TailCallVarargs, CallMode::Tail);
+            NEXT_OPCODE(op_tail_call_varargs);
+        }
         case op_construct_varargs: {
             handleVarargsCall(currentInstruction, ConstructVarargs, CodeForConstruct);
+            handleVarargsCall(currentInstruction, ConstructVarargs, CallMode::Construct);
             NEXT_OPCODE(op_construct_varargs);
+        }
 …
         } else
             m_inlineCallFrame->isClosureCall = true;
         m_inlineCallFrame->caller = byteCodeParser->currentCodeOrigin();
+        m_inlineCallFrame->directCaller = byteCodeParser->currentCodeOrigin();
         m_inlineCallFrame->arguments.resizeToFit(argumentCountIncludingThis); // Set the number of arguments including this, but don't configure the value recoveries, yet.
         m_inlineCallFrame->kind = kind;
 …
         Vector<DeferredSourceDump>& deferredSourceDump = m_graph.m_plan.callback->ensureDeferredSourceDump();
         if (inlineCallFrame()) {
             DeferredSourceDump dump(codeBlock->baselineVersion(), m_codeBlock, JITCode::DFGJIT, inlineCallFrame()->caller);
+            DeferredSourceDump dump(codeBlock->baselineVersion(), m_codeBlock, JITCode::DFGJIT, inlineCallFrame()->directCaller);
             deferredSourceDump.append(dump);
         } else
 …
             dataLog(
                 " for inlining at ", CodeBlockWithJITType(m_codeBlock, JITCode::DFGJIT),
                 " ", inlineCallFrame()->caller);
+                " ", inlineCallFrame()->directCaller);
+        }
         dataLog(
 …
+            }
             m_currentBlock = 0;
+            m_currentBlock = nullptr;
         } while (m_currentIndex < limit);
+    }

trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp

-              r189995
+              r190220
     case op_throw_static_error:
     case op_call:
+    case op_tail_call:
     case op_construct:
     case op_call_varargs:
+    case op_tail_call_varargs:
     case op_construct_varargs:
     case op_create_direct_arguments:

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

-              r189279
+              r190220
     case ArrayPop:
     case Call:
+    case TailCallInlinedCaller:
     case Construct:
     case CallVarargs:
     case CallForwardVarargs:
+    case TailCallVarargsInlinedCaller:
+    case TailCallForwardVarargsInlinedCaller:
     case ConstructVarargs:
     case ConstructForwardVarargs:
 …
         read(World);
         write(Heap);
+        return;
+    case TailCall:
+    case TailCallVarargs:
+    case TailCallForwardVarargs:
+        read(World);
+        write(SideState);
         return;

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

-              r189279
+              r190220
     case CompareStrictEq:
     case Call:
+    case TailCallInlinedCaller:
     case Construct:
     case CallVarargs:
+    case TailCallVarargsInlinedCaller:
     case ConstructVarargs:
     case LoadVarargs:
     case CallForwardVarargs:
     case ConstructForwardVarargs:
+    case TailCallForwardVarargs:
+    case TailCallForwardVarargsInlinedCaller:
     case Breakpoint:
     case ProfileWillCall:
 …
     case Switch:
     case Return:
+    case TailCall:
+    case TailCallVarargs:
     case Throw:
     case CountExecution:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

-              r190076
+              r190220
         case VarInjectionWatchpoint:
         case Call:
+        case TailCallInlinedCaller:
         case Construct:
         case CallVarargs:
+        case TailCallVarargsInlinedCaller:
         case ConstructVarargs:
         case CallForwardVarargs:
         case ConstructForwardVarargs:
+        case TailCallForwardVarargs:
+        case TailCallForwardVarargsInlinedCaller:
         case LoadVarargs:
         case ProfileControlFlow:
 …
         case Jump:
         case Return:
+        case TailCall:
+        case TailCallVarargs:
         case Throw:
         case ThrowReferenceError:

trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp

-              r190076
+              r190220
 bool Graph::isLiveInBytecode(VirtualRegister operand, CodeOrigin codeOrigin)
+{
+    CodeOrigin* codeOriginPtr = &codeOrigin;
     for (;;) {
         VirtualRegister reg = VirtualRegister(
             operand.offset() - codeOrigin.stackOffset());
         if (operand.offset() < codeOrigin.stackOffset() + JSStack::CallFrameHeaderSize) {
+            operand.offset() - codeOriginPtr->stackOffset());
+        if (operand.offset() < codeOriginPtr->stackOffset() + JSStack::CallFrameHeaderSize) {
             if (reg.isArgument()) {
                 RELEASE_ASSERT(reg.offset() < JSStack::CallFrameHeaderSize);
                 if (codeOrigin.inlineCallFrame->isClosureCall
+                if (codeOriginPtr->inlineCallFrame->isClosureCall
                     && reg.offset() == JSStack::Callee)
                     return true;
                 if (codeOrigin.inlineCallFrame->isVarargs()
+                if (codeOriginPtr->inlineCallFrame->isVarargs()
                     && reg.offset() == JSStack::ArgumentCount)
                     return true;
 …
+            }
             return livenessFor(codeOrigin.inlineCallFrame).operandIsLive(
                 reg.offset(), codeOrigin.bytecodeIndex);
+        }
         InlineCallFrame* inlineCallFrame = codeOrigin.inlineCallFrame;
+            return livenessFor(codeOriginPtr->inlineCallFrame).operandIsLive(
+                reg.offset(), codeOriginPtr->bytecodeIndex);
+        }
+        InlineCallFrame* inlineCallFrame = codeOriginPtr->inlineCallFrame;
         if (!inlineCallFrame)
             break;
 …
             return true;
+        codeOrigin = inlineCallFrame->caller;
+        codeOriginPtr = inlineCallFrame->getCallerSkippingDeadFrames();
+        // The first inline call frame could be an inline tail call
+        if (!codeOriginPtr)
+            break;
+    }

trunk/Source/JavaScriptCore/dfg/DFGGraph.h

-              r190076
+              r190220
         VirtualRegister exclusionStart;
         VirtualRegister exclusionEnd;
+        CodeOrigin* codeOriginPtr = &codeOrigin;
         for (;;) {
             InlineCallFrame* inlineCallFrame = codeOrigin.inlineCallFrame;
+            InlineCallFrame* inlineCallFrame = codeOriginPtr->inlineCallFrame;
             VirtualRegister stackOffset(inlineCallFrame ? inlineCallFrame->stackOffset : 0);
 …
             CodeBlock* codeBlock = baselineCodeBlockFor(inlineCallFrame);
             FullBytecodeLiveness& fullLiveness = livenessFor(codeBlock);
             const FastBitVector& liveness = fullLiveness.getLiveness(codeOrigin.bytecodeIndex);
+            const FastBitVector& liveness = fullLiveness.getLiveness(codeOriginPtr->bytecodeIndex);
             for (unsigned relativeLocal = codeBlock->m_numCalleeRegisters; relativeLocal--;) {
                 VirtualRegister reg = stackOffset + virtualRegisterForLocal(relativeLocal);
 …
                 functor(reg);
+            codeOrigin = inlineCallFrame->caller;
+            codeOriginPtr = inlineCallFrame->getCallerSkippingDeadFrames();
+            // The first inline call frame could be an inline tail call
+            if (!codeOriginPtr)
+                break;
+        }
+    }

trunk/Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp

-              r189138
+              r190220
     case Return:
+    case TailCall:
+    case TailCallVarargs:
+    case TailCallForwardVarargs:
     case Unreachable:
         ASSERT(basicBlock->cfaBranchDirection == InvalidBranchDirection);

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp

-              r189995
+              r190220
             return false;
         bytecodeIndexToCheck = inlineCallFrame->caller.bytecodeIndex;
         codeOrigin = codeOrigin.inlineCallFrame->caller;
+        bytecodeIndexToCheck = inlineCallFrame->directCaller.bytecodeIndex;
+        codeOrigin = codeOrigin.inlineCallFrame->directCaller;
+    }

trunk/Source/JavaScriptCore/dfg/DFGLiveCatchVariablePreservationPhase.cpp

r189995	r190220
82	82	return false;
83	83
84		bytecodeIndexToCheck = inlineCallFrame->caller.bytecodeIndex;
85		origin = inlineCallFrame->caller;
	84	bytecodeIndexToCheck = inlineCallFrame->directCaller.bytecodeIndex;
	85	origin = inlineCallFrame->directCaller;
86	86	}
87	87	}

trunk/Source/JavaScriptCore/dfg/DFGNode.h

-              r190076
+              r190220
         case CallVarargs:
         case CallForwardVarargs:
+        case TailCallVarargs:
+        case TailCallForwardVarargs:
+        case TailCallVarargsInlinedCaller:
+        case TailCallForwardVarargsInlinedCaller:
         case ConstructVarargs:
         case ConstructForwardVarargs:
 …
         case Switch:
         case Return:
+        case TailCall:
+        case TailCallVarargs:
+        case TailCallForwardVarargs:
         case Unreachable:
             return true;
 …
         case GetByVal:
         case Call:
+        case TailCallInlinedCaller:
         case Construct:
         case CallVarargs:
+        case TailCallVarargsInlinedCaller:
         case ConstructVarargs:
         case CallForwardVarargs:
+        case TailCallForwardVarargsInlinedCaller:
         case GetByOffset:
         case MultiGetByOffset:

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

-              r189279
+              r190220
     macro(ConstructVarargs, NodeResultJS | NodeMustGenerate) \
     macro(ConstructForwardVarargs, NodeResultJS | NodeMustGenerate) \
+    macro(TailCallInlinedCaller, NodeResultJS | NodeMustGenerate | NodeHasVarArgs) \
+    macro(TailCallVarargsInlinedCaller, NodeResultJS | NodeMustGenerate) \
+    macro(TailCallForwardVarargsInlinedCaller, NodeResultJS | NodeMustGenerate) \
+    \
     /* Allocations. */\
 …
     macro(Switch, NodeMustGenerate) \
     macro(Return, NodeMustGenerate) \
+    macro(TailCall, NodeMustGenerate | NodeHasVarArgs) \
+    macro(TailCallVarargs, NodeMustGenerate) \
+    macro(TailCallForwardVarargs, NodeMustGenerate) \
     macro(Unreachable, NodeMustGenerate) \
+    \

trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp

-              r190129
+              r190220
     AssemblyHelpers::JumpList loopThreshold;
     for (InlineCallFrame* inlineCallFrame = exit.m_codeOrigin.inlineCallFrame; inlineCallFrame; inlineCallFrame = inlineCallFrame->caller.inlineCallFrame) {
+    for (InlineCallFrame* inlineCallFrame = exit.m_codeOrigin.inlineCallFrame; inlineCallFrame; inlineCallFrame = inlineCallFrame->directCaller.inlineCallFrame) {
         loopThreshold.append(
             jit.branchTest8(
 …
 void reifyInlinedCallFrames(CCallHelpers& jit, const OSRExitBase& exit)
+{
+    // FIXME: We shouldn't leave holes on the stack when performing an OSR exit
+    // in presence of inlined tail calls.
+    // https://bugs.webkit.org/show_bug.cgi?id=147511
     ASSERT(jit.baselineCodeBlock()->jitType() == JITCode::BaselineJIT);
     jit.storePtr(AssemblyHelpers::TrustedImmPtr(jit.baselineCodeBlock()), AssemblyHelpers::addressFor((VirtualRegister)JSStack::CodeBlock));
+    CodeOrigin codeOrigin;
+    for (codeOrigin = exit.m_codeOrigin; codeOrigin.inlineCallFrame; codeOrigin = codeOrigin.inlineCallFrame->caller) {
+        InlineCallFrame* inlineCallFrame = codeOrigin.inlineCallFrame;
+        CodeBlock* baselineCodeBlock = jit.baselineCodeBlockFor(codeOrigin);
+        CodeBlock* baselineCodeBlockForCaller = jit.baselineCodeBlockFor(inlineCallFrame->caller);
+        void* jumpTarget = nullptr;
+    const CodeOrigin* codeOrigin;
+    for (codeOrigin = &exit.m_codeOrigin; codeOrigin && codeOrigin->inlineCallFrame; codeOrigin = codeOrigin->inlineCallFrame->getCallerSkippingDeadFrames()) {
+        InlineCallFrame* inlineCallFrame = codeOrigin->inlineCallFrame;
+        CodeBlock* baselineCodeBlock = jit.baselineCodeBlockFor(*codeOrigin);
+        CodeOrigin* trueCaller = inlineCallFrame->getCallerSkippingDeadFrames();
         void* trueReturnPC = nullptr;
+        unsigned callBytecodeIndex = inlineCallFrame->caller.bytecodeIndex;
+        switch (inlineCallFrame->kind) {
+        case InlineCallFrame::Call:
+        case InlineCallFrame::Construct:
+        case InlineCallFrame::CallVarargs:
+        case InlineCallFrame::ConstructVarargs: {
+            CallLinkInfo* callLinkInfo =
+                baselineCodeBlockForCaller->getCallLinkInfoForBytecodeIndex(callBytecodeIndex);
+            RELEASE_ASSERT(callLinkInfo);
+            jumpTarget = callLinkInfo->callReturnLocation().executableAddress();
+            break;
+        }
+        case InlineCallFrame::GetterCall:
+        case InlineCallFrame::SetterCall: {
+            StructureStubInfo* stubInfo =
+                baselineCodeBlockForCaller->findStubInfo(CodeOrigin(callBytecodeIndex));
+            RELEASE_ASSERT(stubInfo);
+        GPRReg callerFrameGPR = GPRInfo::callFrameRegister;
+        if (!trueCaller) {
+            ASSERT(inlineCallFrame->isTail());
+            jit.loadPtr(AssemblyHelpers::Address(GPRInfo::callFrameRegister, CallFrame::returnPCOffset()), GPRInfo::regT3);
+            jit.storePtr(GPRInfo::regT3, AssemblyHelpers::addressForByteOffset(inlineCallFrame->returnPCOffset()));
+            jit.loadPtr(AssemblyHelpers::Address(GPRInfo::callFrameRegister, CallFrame::callerFrameOffset()), GPRInfo::regT3);
+            callerFrameGPR = GPRInfo::regT3;
+        } else {
+            CodeBlock* baselineCodeBlockForCaller = jit.baselineCodeBlockFor(*trueCaller);
+            unsigned callBytecodeIndex = trueCaller->bytecodeIndex;
+            void* jumpTarget = nullptr;
             switch (inlineCallFrame->kind) {
+            case InlineCallFrame::GetterCall:
+                jumpTarget = jit.vm()->getCTIStub(baselineGetterReturnThunkGenerator).code().executableAddress();
+                break;
+            case InlineCallFrame::SetterCall:
+                jumpTarget = jit.vm()->getCTIStub(baselineSetterReturnThunkGenerator).code().executableAddress();
+                break;
+            default:
+                RELEASE_ASSERT_NOT_REACHED();
+            case InlineCallFrame::Call:
+            case InlineCallFrame::Construct:
+            case InlineCallFrame::CallVarargs:
+            case InlineCallFrame::ConstructVarargs:
+            case InlineCallFrame::TailCall:
+            case InlineCallFrame::TailCallVarargs: {
+                CallLinkInfo* callLinkInfo =
+                    baselineCodeBlockForCaller->getCallLinkInfoForBytecodeIndex(callBytecodeIndex);
+                RELEASE_ASSERT(callLinkInfo);
+                jumpTarget = callLinkInfo->callReturnLocation().executableAddress();
                 break;
+            }
+            trueReturnPC = stubInfo->callReturnLocation.labelAtOffset(
+                stubInfo->patch.deltaCallToDone).executableAddress();
+            break;
+        } }
+        GPRReg callerFrameGPR;
+        if (inlineCallFrame->caller.inlineCallFrame) {
+            jit.addPtr(AssemblyHelpers::TrustedImm32(inlineCallFrame->caller.inlineCallFrame->stackOffset * sizeof(EncodedJSValue)), GPRInfo::callFrameRegister, GPRInfo::regT3);
+            callerFrameGPR = GPRInfo::regT3;
+        } else
+            callerFrameGPR = GPRInfo::callFrameRegister;
+        jit.storePtr(AssemblyHelpers::TrustedImmPtr(jumpTarget), AssemblyHelpers::addressForByteOffset(inlineCallFrame->returnPCOffset()));
+            case InlineCallFrame::GetterCall:
+            case InlineCallFrame::SetterCall: {
+                StructureStubInfo* stubInfo =
+                    baselineCodeBlockForCaller->findStubInfo(CodeOrigin(callBytecodeIndex));
+                RELEASE_ASSERT(stubInfo);
+                switch (inlineCallFrame->kind) {
+                case InlineCallFrame::GetterCall:
+                    jumpTarget = jit.vm()->getCTIStub(baselineGetterReturnThunkGenerator).code().executableAddress();
+                    break;
+                case InlineCallFrame::SetterCall:
+                    jumpTarget = jit.vm()->getCTIStub(baselineSetterReturnThunkGenerator).code().executableAddress();
+                    break;
+                default:
+                    RELEASE_ASSERT_NOT_REACHED();
+                    break;
+                }
+                trueReturnPC = stubInfo->callReturnLocation.labelAtOffset(
+                    stubInfo->patch.deltaCallToDone).executableAddress();
+                break;
+            } }
+            if (trueCaller->inlineCallFrame) {
+                jit.addPtr(
+                    AssemblyHelpers::TrustedImm32(trueCaller->inlineCallFrame->stackOffset * sizeof(EncodedJSValue)),
+                    GPRInfo::callFrameRegister,
+                    GPRInfo::regT3);
+                callerFrameGPR = GPRInfo::regT3;
+            }
+            jit.storePtr(AssemblyHelpers::TrustedImmPtr(jumpTarget), AssemblyHelpers::addressForByteOffset(inlineCallFrame->returnPCOffset()));
+        }
         if (trueReturnPC)
             jit.storePtr(AssemblyHelpers::TrustedImmPtr(trueReturnPC), AssemblyHelpers::addressFor(inlineCallFrame->stackOffset + virtualRegisterForArgument(inlineCallFrame->arguments.size()).offset()));
 …
 #if USE(JSVALUE64)
         jit.store64(callerFrameGPR, AssemblyHelpers::addressForByteOffset(inlineCallFrame->callerFrameOffset()));
         uint32_t locationBits = CallSiteIndex(codeOrigin.bytecodeIndex).bits();
+        uint32_t locationBits = CallSiteIndex(codeOrigin->bytecodeIndex).bits();
         jit.store32(AssemblyHelpers::TrustedImm32(locationBits), AssemblyHelpers::tagFor((VirtualRegister)(inlineCallFrame->stackOffset + JSStack::ArgumentCount)));
         if (!inlineCallFrame->isClosureCall)
 …
 #else // USE(JSVALUE64) // so this is the 32-bit part
         jit.storePtr(callerFrameGPR, AssemblyHelpers::addressForByteOffset(inlineCallFrame->callerFrameOffset()));
         Instruction* instruction = baselineCodeBlock->instructions().begin() + codeOrigin.bytecodeIndex;
+        Instruction* instruction = baselineCodeBlock->instructions().begin() + codeOrigin->bytecodeIndex;
         uint32_t locationBits = CallSiteIndex(instruction).bits();
         jit.store32(AssemblyHelpers::TrustedImm32(locationBits), AssemblyHelpers::tagFor((VirtualRegister)(inlineCallFrame->stackOffset + JSStack::ArgumentCount)));
 …
+    }
+    // Don't need to set the toplevel code origin if we only did inline tail calls
+    if (codeOrigin) {
 #if USE(JSVALUE64)
     uint32_t locationBits = CallSiteIndex(codeOrigin.bytecodeIndex).bits();
+    uint32_t locationBits = CallSiteIndex(codeOrigin->bytecodeIndex).bits();
 #else
     Instruction* instruction = jit.baselineCodeBlock()->instructions().begin() + codeOrigin.bytecodeIndex;
+    Instruction* instruction = jit.baselineCodeBlock()->instructions().begin() + codeOrigin->bytecodeIndex;
     uint32_t locationBits = CallSiteIndex(instruction).bits();
 #endif
+    jit.store32(AssemblyHelpers::TrustedImm32(locationBits), AssemblyHelpers::tagFor((VirtualRegister)(JSStack::ArgumentCount)));
+        jit.store32(AssemblyHelpers::TrustedImm32(locationBits), AssemblyHelpers::tagFor((VirtualRegister)(JSStack::ArgumentCount)));
+    }
+}

trunk/Source/JavaScriptCore/dfg/DFGOSRExitPreparation.cpp

r189889	r190220
42	42	DeferGC deferGC(vm.heap);
43	43
44		for (; codeOrigin.inlineCallFrame; codeOrigin = codeOrigin.inlineCallFrame->caller) {
	44	for (; codeOrigin.inlineCallFrame; codeOrigin = codeOrigin.inlineCallFrame->directCaller) {
45	45	CodeBlock* codeBlock = codeOrigin.inlineCallFrame->baselineCodeBlock();
46	46	if (codeBlock->jitType() == JSC::JITCode::BaselineJIT)

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

r189523	r190220
1307	1307
1308	1308	bool didTryToEnterIntoInlinedLoops = false;
1309		for (InlineCallFrame* inlineCallFrame = exit->m_codeOrigin.inlineCallFrame; inlineCallFrame; inlineCallFrame = inlineCallFrame->caller.inlineCallFrame) {
	1309	for (InlineCallFrame* inlineCallFrame = exit->m_codeOrigin.inlineCallFrame; inlineCallFrame; inlineCallFrame = inlineCallFrame->directCaller.inlineCallFrame) {
1310	1310	if (inlineCallFrame->executable->didTryToEnterInLoop()) {
1311	1311	didTryToEnterIntoInlinedLoops = true;

trunk/Source/JavaScriptCore/dfg/DFGPreciseLocalClobberize.h

-              r184776
+              r190220
         case ForwardVarargs:
         case CallForwardVarargs:
+        case ConstructForwardVarargs: {
+        case ConstructForwardVarargs:
+        case TailCallForwardVarargs:
+        case TailCallForwardVarargsInlinedCaller: {
             InlineCallFrame* inlineCallFrame = m_node->child1()->origin.semantic.inlineCallFrame;
             if (!inlineCallFrame) {
 …
             // Read all of the inline arguments and call frame headers that we didn't already capture.
             for (InlineCallFrame* inlineCallFrame = m_node->origin.semantic.inlineCallFrame; inlineCallFrame; inlineCallFrame = inlineCallFrame->caller.inlineCallFrame) {
+            for (InlineCallFrame* inlineCallFrame = m_node->origin.semantic.inlineCallFrame; inlineCallFrame; inlineCallFrame = inlineCallFrame->getCallerInlineFrameSkippingDeadFrames()) {
                 for (unsigned i = inlineCallFrame->arguments.size(); i-- > 1;)
                     m_read(VirtualRegister(inlineCallFrame->stackOffset + virtualRegisterForArgument(i).offset()));

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

-              r189279
+              r190220
         case GetDirectPname:
         case Call:
+        case TailCallInlinedCaller:
         case Construct:
         case CallVarargs:
+        case TailCallVarargsInlinedCaller:
         case ConstructVarargs:
         case CallForwardVarargs:
         case ConstructForwardVarargs:
+        case TailCallForwardVarargsInlinedCaller:
         case GetGlobalVar:
         case GetGlobalLexicalVariable:
 …
         case PutToArguments:
         case Return:
+        case TailCall:
+        case TailCallVarargs:
+        case TailCallForwardVarargs:
         case Throw:
         case PutById:

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

-              r190076
+              r190220
     case CompareStrictEq:
     case Call:
+    case TailCallInlinedCaller:
     case Construct:
     case CallVarargs:
+    case TailCallVarargsInlinedCaller:
+    case TailCallForwardVarargsInlinedCaller:
     case ConstructVarargs:
     case LoadVarargs:
 …
     case Switch:
     case Return:
+    case TailCall:
+    case TailCallVarargs:
+    case TailCallForwardVarargs:
     case Throw:
     case ThrowReferenceError:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

-              r190129
+              r190220
 #include "ArrayPrototype.h"
+#include "CallFrameShuffler.h"
 #include "DFGAbstractInterpreterInlines.h"
 #include "DFGCallArrayAllocatorSlowPathGenerator.h"
 …
     bool isVarargs = false;
     bool isForwardVarargs = false;
+    bool isTail = false;
+    bool isEmulatedTail = false;
     switch (node->op()) {
     case Call:
         callType = CallLinkInfo::Call;
         break;
+    case TailCall:
+        callType = CallLinkInfo::TailCall;
+        isTail = true;
+        break;
+    case TailCallInlinedCaller:
+        callType = CallLinkInfo::Call;
+        isEmulatedTail = true;
+        break;
     case Construct:
         callType = CallLinkInfo::Construct;
 …
         isVarargs = true;
         break;
+    case TailCallVarargs:
+        callType = CallLinkInfo::TailCallVarargs;
+        isVarargs = true;
+        isTail = true;
+        break;
+    case TailCallVarargsInlinedCaller:
+        callType = CallLinkInfo::CallVarargs;
+        isVarargs = true;
+        isEmulatedTail = true;
+        break;
     case ConstructVarargs:
         callType = CallLinkInfo::ConstructVarargs;
 …
         isForwardVarargs = true;
         break;
+    case TailCallForwardVarargs:
+        callType = CallLinkInfo::TailCallVarargs;
+        isTail = true;
+        isForwardVarargs = true;
+        break;
+    case TailCallForwardVarargsInlinedCaller:
+        callType = CallLinkInfo::CallVarargs;
+        isEmulatedTail = true;
+        isForwardVarargs = true;
+        break;
     case ConstructForwardVarargs:
         callType = CallLinkInfo::ConstructVarargs;
 …
     Edge calleeEdge = m_jit.graph().child(node, 0);
+    GPRReg calleeTagGPR;
+    GPRReg calleePayloadGPR;
+    CallFrameShuffleData shuffleData;
     // Gotta load the arguments somehow. Varargs is trickier.
 …
         int numPassedArgs = node->numChildren() - 1;
+        m_jit.store32(MacroAssembler::TrustedImm32(numPassedArgs), m_jit.calleeFramePayloadSlot(JSStack::ArgumentCount));
+        for (int i = 0; i < numPassedArgs; i++) {
+            Edge argEdge = m_jit.graph().m_varArgChildren[node->firstChild() + 1 + i];
+            JSValueOperand arg(this, argEdge);
+            GPRReg argTagGPR = arg.tagGPR();
+            GPRReg argPayloadGPR = arg.payloadGPR();
+            use(argEdge);
+            m_jit.store32(argTagGPR, m_jit.calleeArgumentTagSlot(i));
+            m_jit.store32(argPayloadGPR, m_jit.calleeArgumentPayloadSlot(i));
+        }
+    }
+    JSValueOperand callee(this, calleeEdge);
+    GPRReg calleeTagGPR = callee.tagGPR();
+    GPRReg calleePayloadGPR = callee.payloadGPR();
+    use(calleeEdge);
+    m_jit.store32(calleePayloadGPR, m_jit.calleeFramePayloadSlot(JSStack::Callee));
+    m_jit.store32(calleeTagGPR, m_jit.calleeFrameTagSlot(JSStack::Callee));
+    flushRegisters();
+        if (node->op() == TailCall) {
+            JSValueOperand callee(this, calleeEdge);
+            calleeTagGPR = callee.tagGPR();
+            calleePayloadGPR = callee.payloadGPR();
+            use(calleeEdge);
+            shuffleData.numLocals = m_jit.graph().frameRegisterCount();
+            shuffleData.callee = ValueRecovery::inPair(calleeTagGPR, calleePayloadGPR);
+            shuffleData.args.resize(numPassedArgs);
+            for (int i = 0; i < numPassedArgs; ++i) {
+                Edge argEdge = m_jit.graph().varArgChild(node, i + 1);
+                GenerationInfo& info = generationInfo(argEdge.node());
+                use(argEdge);
+                shuffleData.args[i] = info.recovery(argEdge->virtualRegister());
+            }
+        } else {
+            m_jit.store32(MacroAssembler::TrustedImm32(numPassedArgs), m_jit.calleeFramePayloadSlot(JSStack::ArgumentCount));
+            for (int i = 0; i < numPassedArgs; i++) {
+                Edge argEdge = m_jit.graph().m_varArgChildren[node->firstChild() + 1 + i];
+                JSValueOperand arg(this, argEdge);
+                GPRReg argTagGPR = arg.tagGPR();
+                GPRReg argPayloadGPR = arg.payloadGPR();
+                use(argEdge);
+                m_jit.store32(argTagGPR, m_jit.calleeArgumentTagSlot(i));
+                m_jit.store32(argPayloadGPR, m_jit.calleeArgumentPayloadSlot(i));
+            }
+        }
+    }
+    if (node->op() != TailCall) {
+        JSValueOperand callee(this, calleeEdge);
+        calleeTagGPR = callee.tagGPR();
+        calleePayloadGPR = callee.payloadGPR();
+        use(calleeEdge);
+        m_jit.store32(calleePayloadGPR, m_jit.calleeFramePayloadSlot(JSStack::Callee));
+        m_jit.store32(calleeTagGPR, m_jit.calleeFrameTagSlot(JSStack::Callee));
+        if (!isTail)
+            flushRegisters();
+    }
     GPRFlushedCallResult resultPayload(this);
 …
     JITCompiler::JumpList slowPath;
+    CallSiteIndex callSite = m_jit.recordCallSiteAndGenerateExceptionHandlingOSRExitIfNeeded(node->origin.semantic, m_stream->size());
+    CodeOrigin staticOrigin = node->origin.semantic;
+    ASSERT(!isTail || !staticOrigin.inlineCallFrame || !staticOrigin.inlineCallFrame->getCallerSkippingDeadFrames());
+    ASSERT(!isEmulatedTail || (staticOrigin.inlineCallFrame && staticOrigin.inlineCallFrame->getCallerSkippingDeadFrames()));
+    CodeOrigin dynamicOrigin =
+        isEmulatedTail ? *staticOrigin.inlineCallFrame->getCallerSkippingDeadFrames() : staticOrigin;
+    CallSiteIndex callSite = m_jit.recordCallSiteAndGenerateExceptionHandlingOSRExitIfNeeded(dynamicOrigin, m_stream->size());
     m_jit.emitStoreCallSiteIndex(callSite);
     CallLinkInfo* info = m_jit.codeBlock()->addCallLinkInfo();
     slowPath.append(m_jit.branchIfNotCell(callee.jsValueRegs()));
+    slowPath.append(m_jit.branchIfNotCell(JSValueRegs(calleeTagGPR, calleePayloadGPR)));
     slowPath.append(m_jit.branchPtrWithPatch(MacroAssembler::NotEqual, calleePayloadGPR, targetToCheck));
+    JITCompiler::Call fastCall = m_jit.nearCall();
+    if (isTail) {
+        if (node->op() == TailCall) {
+            info->setFrameShuffleData(shuffleData);
+            CallFrameShuffler(m_jit, shuffleData).prepareForTailCall();
+        } else {
+            m_jit.emitRestoreCalleeSaves();
+            m_jit.prepareForTailCallSlow();
+        }
+    }
+    JITCompiler::Call fastCall = isTail ? m_jit.nearTailCall() : m_jit.nearCall();
     JITCompiler::Jump done = m_jit.jump();
 …
     slowPath.link(&m_jit);
+    // Callee payload needs to be in regT0, tag in regT1
+    if (calleeTagGPR == GPRInfo::regT0) {
+        if (calleePayloadGPR == GPRInfo::regT1)
+            m_jit.swap(GPRInfo::regT1, GPRInfo::regT0);
+        else {
+    if (node->op() == TailCall) {
+        CallFrameShuffler callFrameShuffler(m_jit, shuffleData);
+        callFrameShuffler.setCalleeJSValueRegs(JSValueRegs(
+            GPRInfo::regT1, GPRInfo::regT0));
+        callFrameShuffler.prepareForSlowPath();
+    } else {
+        // Callee payload needs to be in regT0, tag in regT1
+        if (calleeTagGPR == GPRInfo::regT0) {
+            if (calleePayloadGPR == GPRInfo::regT1)
+                m_jit.swap(GPRInfo::regT1, GPRInfo::regT0);
+            else {
+                m_jit.move(calleeTagGPR, GPRInfo::regT1);
+                m_jit.move(calleePayloadGPR, GPRInfo::regT0);
+            }
+        } else {
+            m_jit.move(calleePayloadGPR, GPRInfo::regT0);
             m_jit.move(calleeTagGPR, GPRInfo::regT1);
             m_jit.move(calleePayloadGPR, GPRInfo::regT0);
+        }
     } else {
         m_jit.move(calleePayloadGPR, GPRInfo::regT0);
         m_jit.move(calleeTagGPR, GPRInfo::regT1);
+    }
+        }
+        if (isTail)
+            m_jit.emitRestoreCalleeSaves();
+    }
     m_jit.move(MacroAssembler::TrustedImmPtr(info), GPRInfo::regT2);
     JITCompiler::Call slowCall = m_jit.nearCall();
 …
     done.link(&m_jit);
+    m_jit.setupResults(resultPayloadGPR, resultTagGPR);
+    jsValueResult(resultTagGPR, resultPayloadGPR, node, DataFormatJS, UseChildrenCalledExplicitly);
+    if (isTail)
+        m_jit.abortWithReason(JITDidReturnFromTailCall);
+    else {
+        m_jit.setupResults(resultPayloadGPR, resultTagGPR);
+        jsValueResult(resultTagGPR, resultPayloadGPR, node, DataFormatJS, UseChildrenCalledExplicitly);
+        // After the calls are done, we need to reestablish our stack
+        // pointer. We rely on this for varargs calls, calls with arity
+        // mismatch (the callframe is slided) and tail calls.
+        m_jit.addPtr(TrustedImm32(m_jit.graph().stackPointerOffset() * sizeof(Register)), GPRInfo::callFrameRegister, JITCompiler::stackPointerRegister);
+    }
     info->setUpCall(callType, node->origin.semantic, calleePayloadGPR);
     m_jit.addJSCall(fastCall, slowCall, targetToCheck, info);
-    // After the calls are done, we need to reestablish our stack
-    // pointer. We rely on this for varargs calls, calls with arity
-    // mismatch (the callframe is slided) and tail calls.
-    m_jit.addPtr(TrustedImm32(m_jit.graph().stackPointerOffset() * sizeof(Register)), GPRInfo::callFrameRegister, JITCompiler::stackPointerRegister);
+}
 …
     case Call:
+    case TailCall:
+    case TailCallInlinedCaller:
     case Construct:
     case CallVarargs:
+    case TailCallVarargs:
+    case TailCallVarargsInlinedCaller:
+    case ConstructVarargs:
     case CallForwardVarargs:
+    case ConstructVarargs:
+    case TailCallForwardVarargs:
+    case TailCallForwardVarargsInlinedCaller:
     case ConstructForwardVarargs:
         emitCall(node);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

-              r190129
+              r190220
 #include "ArrayPrototype.h"
+#include "CallFrameShuffler.h"
 #include "DFGAbstractInterpreterInlines.h"
 #include "DFGCallArrayAllocatorSlowPathGenerator.h"
 …
     bool isVarargs = false;
     bool isForwardVarargs = false;
+    bool isTail = false;
+    bool isEmulatedTail = false;
     switch (node->op()) {
     case Call:
         callType = CallLinkInfo::Call;
         break;
+    case TailCall:
+        callType = CallLinkInfo::TailCall;
+        isTail = true;
+        break;
+    case TailCallInlinedCaller:
+        callType = CallLinkInfo::Call;
+        isEmulatedTail = true;
+        break;
     case Construct:
         callType = CallLinkInfo::Construct;
 …
         isVarargs = true;
         break;
+    case TailCallVarargs:
+        callType = CallLinkInfo::TailCallVarargs;
+        isVarargs = true;
+        isTail = true;
+        break;
+    case TailCallVarargsInlinedCaller:
+        callType = CallLinkInfo::CallVarargs;
+        isVarargs = true;
+        isEmulatedTail = true;
+        break;
     case ConstructVarargs:
         callType = CallLinkInfo::ConstructVarargs;
 …
         isForwardVarargs = true;
         break;
+    case TailCallForwardVarargs:
+        callType = CallLinkInfo::TailCallVarargs;
+        isTail = true;
+        isForwardVarargs = true;
+        break;
+    case TailCallForwardVarargsInlinedCaller:
+        callType = CallLinkInfo::CallVarargs;
+        isEmulatedTail = true;
+        isForwardVarargs = true;
+        break;
     default:
         DFG_CRASH(m_jit.graph(), node, "bad node type");
 …
+    }
+    Edge calleeEdge = m_jit.graph().child(node, 0);
+    GPRReg calleeGPR;
+    CallFrameShuffleData shuffleData;
     // Gotta load the arguments somehow. Varargs is trickier.
 …
         m_jit.store32(MacroAssembler::TrustedImm32(numPassedArgs), JITCompiler::calleeFramePayloadSlot(JSStack::ArgumentCount));
+        for (int i = 0; i < numPassedArgs; i++) {
+            Edge argEdge = m_jit.graph().m_varArgChildren[node->firstChild() + 1 + i];
+            JSValueOperand arg(this, argEdge);
+            GPRReg argGPR = arg.gpr();
+            use(argEdge);
+            m_jit.store64(argGPR, JITCompiler::calleeArgumentSlot(i));
+        }
+    }
+    JSValueOperand callee(this, calleeEdge);
+    GPRReg calleeGPR = callee.gpr();
+    callee.use();
+    m_jit.store64(calleeGPR, JITCompiler::calleeFrameSlot(JSStack::Callee));
+    flushRegisters();
+    GPRFlushedCallResult result(this);
+    GPRReg resultGPR = result.gpr();
+        if (node->op() == TailCall) {
+            Edge calleeEdge = m_jit.graph().child(node, 0);
+            JSValueOperand callee(this, calleeEdge);
+            calleeGPR = callee.gpr();
+            callee.use();
+            shuffleData.numLocals = m_jit.graph().frameRegisterCount();
+            shuffleData.callee = ValueRecovery::inGPR(calleeGPR, DataFormatJS);
+            shuffleData.args.resize(numPassedArgs);
+            for (int i = 0; i < numPassedArgs; ++i) {
+                Edge argEdge = m_jit.graph().varArgChild(node, i + 1);
+                GenerationInfo& info = generationInfo(argEdge.node());
+                use(argEdge);
+                shuffleData.args[i] = info.recovery(argEdge->virtualRegister());
+            }
+            shuffleData.setupCalleeSaveRegisters(m_jit.codeBlock());
+        } else {
+            m_jit.store32(MacroAssembler::TrustedImm32(numPassedArgs), JITCompiler::calleeFramePayloadSlot(JSStack::ArgumentCount));
+            for (int i = 0; i < numPassedArgs; i++) {
+                Edge argEdge = m_jit.graph().m_varArgChildren[node->firstChild() + 1 + i];
+                JSValueOperand arg(this, argEdge);
+                GPRReg argGPR = arg.gpr();
+                use(argEdge);
+                m_jit.store64(argGPR, JITCompiler::calleeArgumentSlot(i));
+            }
+        }
+    }
+    if (node->op() != TailCall) {
+        Edge calleeEdge = m_jit.graph().child(node, 0);
+        JSValueOperand callee(this, calleeEdge);
+        calleeGPR = callee.gpr();
+        callee.use();
+        m_jit.store64(calleeGPR, JITCompiler::calleeFrameSlot(JSStack::Callee));
+        flushRegisters();
+    }
+    CodeOrigin staticOrigin = node->origin.semantic;
+    ASSERT(!isTail || !staticOrigin.inlineCallFrame || !staticOrigin.inlineCallFrame->getCallerSkippingDeadFrames());
+    ASSERT(!isEmulatedTail || (staticOrigin.inlineCallFrame && staticOrigin.inlineCallFrame->getCallerSkippingDeadFrames()));
+    CodeOrigin dynamicOrigin =
+    isEmulatedTail ? *staticOrigin.inlineCallFrame->getCallerSkippingDeadFrames() : staticOrigin;
+    CallSiteIndex callSite = m_jit.recordCallSiteAndGenerateExceptionHandlingOSRExitIfNeeded(dynamicOrigin, m_stream->size());
+    m_jit.emitStoreCallSiteIndex(callSite);
+    CallLinkInfo* callLinkInfo = m_jit.codeBlock()->addCallLinkInfo();
     JITCompiler::DataLabelPtr targetToCheck;
+    JITCompiler::Jump slowPath;
+    CallSiteIndex callSite = m_jit.recordCallSiteAndGenerateExceptionHandlingOSRExitIfNeeded(node->origin.semantic, m_stream->size());
+    m_jit.emitStoreCallSiteIndex(callSite);
+    CallLinkInfo* callLinkInfo = m_jit.codeBlock()->addCallLinkInfo();
+    slowPath = m_jit.branchPtrWithPatch(MacroAssembler::NotEqual, calleeGPR, targetToCheck, MacroAssembler::TrustedImmPtr(0));
+    JITCompiler::Call fastCall = m_jit.nearCall();
+    JITCompiler::Jump slowPath = m_jit.branchPtrWithPatch(MacroAssembler::NotEqual, calleeGPR, targetToCheck, MacroAssembler::TrustedImmPtr(0));
+    if (isTail) {
+        if (node->op() == TailCall) {
+            callLinkInfo->setFrameShuffleData(shuffleData);
+            CallFrameShuffler(m_jit, shuffleData).prepareForTailCall();
+        } else {
+            m_jit.emitRestoreCalleeSaves();
+            m_jit.prepareForTailCallSlow();
+        }
+    }
+    JITCompiler::Call fastCall = isTail ? m_jit.nearTailCall() : m_jit.nearCall();
     JITCompiler::Jump done = m_jit.jump();
     slowPath.link(&m_jit);
+    m_jit.move(calleeGPR, GPRInfo::regT0); // Callee needs to be in regT0
+    if (node->op() == TailCall) {
+        CallFrameShuffler callFrameShuffler(m_jit, shuffleData);
+        callFrameShuffler.setCalleeJSValueRegs(JSValueRegs(GPRInfo::regT0));
+        callFrameShuffler.prepareForSlowPath();
+    } else {
+        m_jit.move(calleeGPR, GPRInfo::regT0); // Callee needs to be in regT0
+        if (isTail)
+            m_jit.emitRestoreCalleeSaves(); // This needs to happen after we moved calleeGPR to regT0
+    }
     m_jit.move(MacroAssembler::TrustedImmPtr(callLinkInfo), GPRInfo::regT2); // Link info needs to be in regT2
     JITCompiler::Call slowCall = m_jit.nearCall();
     done.link(&m_jit);
+    m_jit.move(GPRInfo::returnValueGPR, resultGPR);
+    jsValueResult(resultGPR, m_currentNode, DataFormatJS, UseChildrenCalledExplicitly);
+    if (isTail)
+        m_jit.abortWithReason(JITDidReturnFromTailCall);
+    else {
+        GPRFlushedCallResult result(this);
+        GPRReg resultGPR = result.gpr();
+        m_jit.move(GPRInfo::returnValueGPR, resultGPR);
+        jsValueResult(resultGPR, m_currentNode, DataFormatJS, UseChildrenCalledExplicitly);
+        // After the calls are done, we need to reestablish our stack
+        // pointer. We rely on this for varargs calls, calls with arity
+        // mismatch (the callframe is slided) and tail calls.
+        m_jit.addPtr(TrustedImm32(m_jit.graph().stackPointerOffset() * sizeof(Register)), GPRInfo::callFrameRegister, JITCompiler::stackPointerRegister);
+    }
     callLinkInfo->setUpCall(callType, m_currentNode->origin.semantic,  calleeGPR);
     m_jit.addJSCall(fastCall, slowCall, targetToCheck, callLinkInfo);
-    // After the calls are done, we need to reestablish our stack
-    // pointer. We rely on this for varargs calls, calls with arity
-    // mismatch (the callframe is slided) and tail calls.
-    m_jit.addPtr(TrustedImm32(m_jit.graph().stackPointerOffset() * sizeof(Register)), GPRInfo::callFrameRegister, JITCompiler::stackPointerRegister);
+}
 …
     case Call:
+    case TailCall:
+    case TailCallInlinedCaller:
     case Construct:
     case CallVarargs:
+    case TailCallVarargs:
+    case TailCallVarargsInlinedCaller:
     case CallForwardVarargs:
     case ConstructVarargs:
     case ConstructForwardVarargs:
+    case TailCallForwardVarargs:
+    case TailCallForwardVarargsInlinedCaller:
         emitCall(node);
         break;
     case LoadVarargs: {
         LoadVarargsData* data = node->loadVarargsData();

trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp

r190076	r190220
571	571	case ForwardVarargs:
572	572	case CallForwardVarargs:
	573	case TailCallForwardVarargs:
	574	case TailCallForwardVarargsInlinedCaller:
573	575	case ConstructForwardVarargs:
574	576	case GetMyArgumentByVal:

trunk/Source/JavaScriptCore/dfg/DFGVarargsForwardingPhase.cpp

-              r184288
+              r190220
             case CallVarargs:
             case ConstructVarargs:
+            case TailCallVarargs:
+            case TailCallVarargsInlinedCaller:
                 if (node->child1() == candidate || node->child3() == candidate) {
                     if (verbose)
 …
                 node->setOpAndDefaultFlags(ConstructForwardVarargs);
                 break;
+            case TailCallVarargs:
+                if (node->child2() != candidate)
+                    break;
+                node->setOpAndDefaultFlags(TailCallForwardVarargs);
+                break;
+            case TailCallVarargsInlinedCaller:
+                if (node->child2() != candidate)
+                    break;
+                node->setOpAndDefaultFlags(TailCallForwardVarargsInlinedCaller);
+                break;
             case SetLocal:
                 // This is super odd. We don't have to do anything here, since in DFG IR, the phantom

trunk/Source/JavaScriptCore/interpreter/CallFrame.cpp

r188932	r190220
96	96	CodeOrigin codeOrigin = this->codeOrigin();
97	97	for (InlineCallFrame* inlineCallFrame = codeOrigin.inlineCallFrame; inlineCallFrame;) {
98		codeOrigin = inlineCallFrame->caller;
	98	codeOrigin = inlineCallFrame->directCaller;
99	99	inlineCallFrame = codeOrigin.inlineCallFrame;
100	100	}

trunk/Source/JavaScriptCore/interpreter/StackVisitor.cpp

-              r189995
+              r190220
     if (m_frame.isInlinedFrame()) {
         InlineCallFrame* inlineCallFrame = m_frame.inlineCallFrame();
+        CodeOrigin* callerCodeOrigin = &inlineCallFrame->caller;
+        readInlinedFrame(m_frame.callFrame(), callerCodeOrigin);
+        CodeOrigin* callerCodeOrigin = inlineCallFrame->getCallerSkippingDeadFrames();
+        if (!callerCodeOrigin) {
+            while (inlineCallFrame) {
+                readInlinedFrame(m_frame.callFrame(), &inlineCallFrame->directCaller);
+                inlineCallFrame = m_frame.inlineCallFrame();
+            }
+            m_frame.m_VMEntryFrame = m_frame.m_CallerVMEntryFrame;
+            readFrame(m_frame.callerFrame());
+        } else
+            readInlinedFrame(m_frame.callFrame(), callerCodeOrigin);
         return;
+    }

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 190220 in webkit

Legend:

Download in other formats: