Changeset 90529 in webkit

Timestamp:

Jul 6, 2011, 8:42:02 PM (14 years ago)

Author:

commit-queue@webkit.org

Message:

2011-07-06 Filip Pizlo <​fpizlo@apple.com>

DFG JIT does not support method_check
​https://bugs.webkit.org/show_bug.cgi?id=63972

Reviewed by Gavin Barraclough.

• assembler/CodeLocation.h: (JSC::CodeLocationPossiblyNearCall::CodeLocationPossiblyNearCall):
• bytecode/CodeBlock.cpp: (JSC::CodeBlock::visitAggregate):
• bytecode/CodeBlock.h: (JSC::MethodCallLinkInfo::MethodCallLinkInfo): (JSC::MethodCallLinkInfo::seenOnce): (JSC::MethodCallLinkInfo::setSeen):
• dfg/DFGAliasTracker.h: (JSC::DFG::AliasTracker::recordGetMethod):
• dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock):
• dfg/DFGJITCodeGenerator.cpp: (JSC::DFG::JITCodeGenerator::cachedGetById): (JSC::DFG::JITCodeGenerator::cachedGetMethod):
• dfg/DFGJITCodeGenerator.h:
• dfg/DFGJITCompiler.cpp: (JSC::DFG::JITCompiler::compileFunction):
• dfg/DFGJITCompiler.h: (JSC::DFG::JITCompiler::addMethodGet): (JSC::DFG::JITCompiler::MethodGetRecord::MethodGetRecord):
• dfg/DFGNode.h: (JSC::DFG::Node::hasIdentifier):
• dfg/DFGNonSpeculativeJIT.cpp: (JSC::DFG::NonSpeculativeJIT::compile):
• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGRepatch.cpp: (JSC::DFG::dfgRepatchGetMethodFast): (JSC::DFG::tryCacheGetMethod): (JSC::DFG::dfgRepatchGetMethod):
• dfg/DFGRepatch.h:
• dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compile):
• jit/JITWriteBarrier.h: (JSC::JITWriteBarrier::set):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/CodeBlock.cpp (modified) (1 diff)
• bytecode/CodeBlock.h (modified) (3 diffs)
• dfg/DFGAliasTracker.h (modified) (1 diff)
• dfg/DFGByteCodeParser.cpp (modified) (2 diffs)
• dfg/DFGJITCodeGenerator.cpp (modified) (4 diffs)
• dfg/DFGJITCodeGenerator.h (modified) (1 diff)
• dfg/DFGJITCompiler.cpp (modified) (2 diffs)
• dfg/DFGJITCompiler.h (modified) (3 diffs)
• dfg/DFGNode.h (modified) (2 diffs)
• dfg/DFGNonSpeculativeJIT.cpp (modified) (1 diff)
• dfg/DFGOperations.cpp (modified) (2 diffs)
• dfg/DFGOperations.h (modified) (1 diff)
• dfg/DFGRepatch.cpp (modified) (1 diff)
• dfg/DFGRepatch.h (modified) (1 diff)
• dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• jit/JITWriteBarrier.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-07-06  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG JIT does not support method_check
+        https://bugs.webkit.org/show_bug.cgi?id=63972
+
+        Reviewed by Gavin Barraclough.
+
+        * assembler/CodeLocation.h:
+        (JSC::CodeLocationPossiblyNearCall::CodeLocationPossiblyNearCall):
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::visitAggregate):
+        * bytecode/CodeBlock.h:
+        (JSC::MethodCallLinkInfo::MethodCallLinkInfo):
+        (JSC::MethodCallLinkInfo::seenOnce):
+        (JSC::MethodCallLinkInfo::setSeen):
+        * dfg/DFGAliasTracker.h:
+        (JSC::DFG::AliasTracker::recordGetMethod):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::JITCodeGenerator::cachedGetById):
+        (JSC::DFG::JITCodeGenerator::cachedGetMethod):
+        * dfg/DFGJITCodeGenerator.h:
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::compileFunction):
+        * dfg/DFGJITCompiler.h:
+        (JSC::DFG::JITCompiler::addMethodGet):
+        (JSC::DFG::JITCompiler::MethodGetRecord::MethodGetRecord):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::hasIdentifier):
+        * dfg/DFGNonSpeculativeJIT.cpp:
+        (JSC::DFG::NonSpeculativeJIT::compile):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGRepatch.cpp:
+        (JSC::DFG::dfgRepatchGetMethodFast):
+        (JSC::DFG::tryCacheGetMethod):
+        (JSC::DFG::dfgRepatchGetMethod):
+        * dfg/DFGRepatch.h:
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * jit/JITWriteBarrier.h:
+        (JSC::JITWriteBarrier::set):
+
 2011-07-06  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -1566 +1566 @@
     for (size_t size = m_methodCallLinkInfos.size(), i = 0; i < size; ++i) {
         if (m_methodCallLinkInfos[i].cachedStructure) {
-            // Both members must be filled at the same time
+            // These members must be filled at the same time, and only after
+            // the MethodCallLinkInfo is set as seen.
+            ASSERT(m_methodCallLinkInfos[i].seenOnce());
             visitor.append(&m_methodCallLinkInfos[i].cachedStructure);
             ASSERT(!!m_methodCallLinkInfos[i].cachedPrototypeStructure);

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -130 +130 @@
     struct MethodCallLinkInfo {
         MethodCallLinkInfo()
+            : seen(false)
         {
         }
@@ -135 +136 @@
         bool seenOnce()
         {
-            ASSERT(!cachedStructure);
-            return cachedPrototypeStructure.isFlagged();
+            return seen;
         }
 
         void setSeen()
         {
-            ASSERT(!cachedStructure && !cachedPrototypeStructure);
-            // We use the values of cachedStructure & cachedPrototypeStructure to indicate the
-            // current state.
-            //     - In the initial state, both are null.
-            //     - Once this transition has been taken once, cachedStructure is
-            //       null and cachedPrototypeStructure is set to a nun-null value.
-            //     - Once the call is linked both structures are set to non-null values.
-            cachedPrototypeStructure.setFlagOnBarrier();
+            seen = true;
         }
 
@@ -156 +149 @@
         JITWriteBarrier<JSFunction> cachedFunction;
         JITWriteBarrier<JSObject> cachedPrototype;
+        bool seen;
     };
 

trunk/Source/JavaScriptCore/dfg/DFGAliasTracker.h

@@ -83 +83 @@
         m_candidateAliasGetByVal = NoNode;
     }
+    
+    void recordGetMethod(NodeIndex getMethod)
+    {
+        ASSERT_UNUSED(getMethod, m_graph[getMethod].op == GetMethod);
+        m_candidateAliasGetByVal = NoNode;
+    }
 
     void recordPutById(NodeIndex putById)

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -853 +853 @@
             NEXT_OPCODE(op_put_by_val);
         }
+            
+        case op_method_check: {
+            Instruction* getInstruction = currentInstruction + OPCODE_LENGTH(op_method_check);
+            
+            ASSERT(interpreter->getOpcodeID(getInstruction->u.opcode) == op_get_by_id);
+            
+            NodeIndex base = get(getInstruction[2].u.operand);
+            unsigned identifier = getInstruction[3].u.operand;
+            
+            NodeIndex getMethod = addToGraph(GetMethod, OpInfo(identifier), base);
+            set(getInstruction[1].u.operand, getMethod);
+            aliases.recordGetMethod(getMethod);
+            
+            m_currentIndex += OPCODE_LENGTH(op_method_check) + OPCODE_LENGTH(op_get_by_id);
+            continue;
+        }
 
         case op_get_by_id: {
@@ -858 +874 @@
             NodeIndex base = get(currentInstruction[2].u.operand);
             unsigned identifier = currentInstruction[3].u.operand;
-
+            
             NodeIndex getById = addToGraph(GetById, OpInfo(identifier), base);
             set(currentInstruction[1].u.operand, getById);

trunk/Source/JavaScriptCore/dfg/DFGJITCodeGenerator.cpp

@@ -326 +326 @@
 }
 
-void JITCodeGenerator::cachedGetById(GPRReg baseGPR, GPRReg resultGPR, unsigned identifierNumber, JITCompiler::Jump slowPathTarget)
+JITCompiler::Call JITCodeGenerator::cachedGetById(GPRReg baseGPR, GPRReg resultGPR, unsigned identifierNumber, JITCompiler::Jump slowPathTarget, NodeType nodeType)
 {
     GPRReg scratchGPR;
@@ -354 +354 @@
     m_jit.move(JITCompiler::ImmPtr(identifier(identifierNumber)), GPRInfo::argumentGPR2);
     m_jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
-    JITCompiler::Call functionCall = appendCallWithExceptionCheck(operationGetByIdOptimize);
+    JITCompiler::Call functionCall;
+    switch (nodeType) {
+    case GetById:
+        functionCall = appendCallWithExceptionCheck(operationGetByIdOptimize);
+        break;
+        
+    case GetMethod:
+        functionCall = appendCallWithExceptionCheck(operationGetMethodOptimize);
+        break;
+        
+    default:
+        ASSERT_NOT_REACHED();
+        return JITCompiler::Call();
+    }
     m_jit.move(GPRInfo::returnValueGPR, resultGPR);
     silentFillAllRegisters(resultGPR);
@@ -372 +385 @@
     if (scratchGPR != resultGPR && scratchGPR != InvalidGPRReg)
         unlock(scratchGPR);
+    
+    return functionCall;
 }
 
@@ -429 +444 @@
 
     m_jit.addPropertyAccess(functionCall, checkImmToCall, callToCheck, callToStore, callToSlowCase, callToDone, static_cast<int8_t>(baseGPR), static_cast<int8_t>(valueGPR), static_cast<int8_t>(scratchGPR));
+}
+
+void JITCodeGenerator::cachedGetMethod(GPRReg baseGPR, GPRReg resultGPR, unsigned identifierNumber, JITCompiler::Jump slowPathTarget)
+{
+    JITCompiler::Call slowCall;
+    JITCompiler::DataLabelPtr structToCompare, protoObj, protoStructToCompare, putFunction;
+    
+    JITCompiler::Jump wrongStructure = m_jit.branchPtrWithPatch(JITCompiler::NotEqual, JITCompiler::Address(baseGPR, JSCell::structureOffset()), structToCompare, JITCompiler::TrustedImmPtr(reinterpret_cast<void*>(-1)));
+    protoObj = m_jit.moveWithPatch(JITCompiler::TrustedImmPtr(0), resultGPR);
+    JITCompiler::Jump wrongProtoStructure = m_jit.branchPtrWithPatch(JITCompiler::NotEqual, JITCompiler::Address(resultGPR, JSCell::structureOffset()), protoStructToCompare, JITCompiler::TrustedImmPtr(reinterpret_cast<void*>(-1)));
+    
+    putFunction = m_jit.moveWithPatch(JITCompiler::TrustedImmPtr(0), resultGPR);
+    
+    JITCompiler::Jump done = m_jit.jump();
+    
+    wrongStructure.link(&m_jit);
+    wrongProtoStructure.link(&m_jit);
+    
+    slowCall = cachedGetById(baseGPR, resultGPR, identifierNumber, slowPathTarget, GetMethod);
+    
+    done.link(&m_jit);
+    
+    m_jit.addMethodGet(slowCall, structToCompare, protoObj, protoStructToCompare, putFunction);
 }
 

trunk/Source/JavaScriptCore/dfg/DFGJITCodeGenerator.h

@@ -523 +523 @@
     }
     
-    void cachedGetById(GPRReg baseGPR, GPRReg resultGPR, unsigned identifierNumber, JITCompiler::Jump slowPathTarget = JITCompiler::Jump());
+    JITCompiler::Call cachedGetById(GPRReg baseGPR, GPRReg resultGPR, unsigned identifierNumber, JITCompiler::Jump slowPathTarget = JITCompiler::Jump(), NodeType = GetById);
     void cachedPutById(GPRReg baseGPR, GPRReg valueGPR, GPRReg scratchGPR, unsigned identifierNumber, PutKind, JITCompiler::Jump slowPathTarget = JITCompiler::Jump());
+    void cachedGetMethod(GPRReg baseGPR, GPRReg resultGPR, unsigned identifierNumber, JITCompiler::Jump slowPathTarget = JITCompiler::Jump());
     
     MacroAssembler::Address addressOfCallData(int idx)

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp

@@ -296 +296 @@
         m_propertyAccesses.clear();
         m_jsCalls.clear();
+        m_methodGets.clear();
         rewindToLabel(speculativePathBegin);
 
@@ -410 +411 @@
     }
     
+    m_codeBlock->addMethodCallLinkInfos(m_methodGets.size());
+    for (unsigned i = 0; i < m_methodGets.size(); ++i) {
+        MethodCallLinkInfo& info = m_codeBlock->methodCallLinkInfo(i);
+        info.cachedStructure.setLocation(linkBuffer.locationOf(m_methodGets[i].m_structToCompare));
+        info.cachedPrototypeStructure.setLocation(linkBuffer.locationOf(m_methodGets[i].m_protoStructToCompare));
+        info.cachedFunction.setLocation(linkBuffer.locationOf(m_methodGets[i].m_putFunction));
+        info.cachedPrototype.setLocation(linkBuffer.locationOf(m_methodGets[i].m_protoObj));
+        info.callReturnLocation = linkBuffer.locationOf(m_methodGets[i].m_slowCall);
+    }
+    
     // FIXME: switch the register file check & arity check over to DFGOpertaion style calls, not JIT stubs.
     linkBuffer.link(callRegisterFileCheck, cti_register_file_check);

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h

@@ -269 +269 @@
     }
     
+    void addMethodGet(Call slowCall, DataLabelPtr structToCompare, DataLabelPtr protoObj, DataLabelPtr protoStructToCompare, DataLabelPtr putFunction)
+    {
+        m_methodGets.append(MethodGetRecord(slowCall, structToCompare, protoObj, protoStructToCompare, putFunction));
+    }
+    
     void addJSCall(Call fastCall, Call slowCall, DataLabelPtr targetToCheck, bool isCall, unsigned exceptionInfo)
     {
@@ -317 +322 @@
         int8_t m_valueGPR;
         int8_t m_scratchGPR;
+    };
+    
+    struct MethodGetRecord {
+        MethodGetRecord(Call slowCall, DataLabelPtr structToCompare, DataLabelPtr protoObj, DataLabelPtr protoStructToCompare, DataLabelPtr putFunction)
+            : m_slowCall(slowCall)
+            , m_structToCompare(structToCompare)
+            , m_protoObj(protoObj)
+            , m_protoStructToCompare(protoStructToCompare)
+            , m_putFunction(putFunction)
+        {
+        }
+        
+        Call m_slowCall;
+        DataLabelPtr m_structToCompare;
+        DataLabelPtr m_protoObj;
+        DataLabelPtr m_protoStructToCompare;
+        DataLabelPtr m_putFunction;
     };
     
@@ -337 +359 @@
 
     Vector<PropertyAccessRecord, 4> m_propertyAccesses;
+    Vector<MethodGetRecord, 4> m_methodGets;
     Vector<JSCallRecord, 4> m_jsCalls;
 };

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -129 +129 @@
     macro(PutById, NodeMustGenerate) \
     macro(PutByIdDirect, NodeMustGenerate) \
+    macro(GetMethod, NodeResultJS | NodeMustGenerate) \
     macro(GetGlobalVar, NodeResultJS | NodeMustGenerate) \
     macro(PutGlobalVar, NodeMustGenerate) \
@@ -267 +268 @@
     bool hasIdentifier()
     {
-        return op == GetById || op == PutById || op == PutByIdDirect;
+        return op == GetById || op == PutById || op == PutByIdDirect || op == GetMethod;
     }
 

trunk/Source/JavaScriptCore/dfg/DFGNonSpeculativeJIT.cpp

@@ -839 +839 @@
     }
 
+    case GetMethod: {
+        JSValueOperand base(this, node.child1());
+        GPRReg baseGPR = base.gpr();
+        GPRTemporary result(this, base);
+        GPRReg resultGPR = result.gpr();
+
+        JITCompiler::Jump notCell = m_jit.branchTestPtr(MacroAssembler::NonZero, baseGPR, GPRInfo::tagMaskRegister);
+
+        cachedGetMethod(baseGPR, resultGPR, node.identifierNumber(), notCell);
+
+        jsValueResult(resultGPR, m_compileIndex);
+        break;
+    }
+
     case PutById: {
         JSValueOperand base(this, node.child1());

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -229 +229 @@
 }
 
+EncodedJSValue operationGetMethodOptimizeWithReturnAddress(ExecState*, EncodedJSValue, Identifier*, ReturnAddressPtr);
+FUNCTION_WRAPPER_WITH_ARG4_RETURN_ADDRESS(operationGetMethodOptimize);
+EncodedJSValue operationGetMethodOptimizeWithReturnAddress(ExecState* exec, EncodedJSValue encodedBase, Identifier* propertyName, ReturnAddressPtr returnAddress)
+{
+    JSValue baseValue = JSValue::decode(encodedBase);
+    PropertySlot slot(baseValue);
+    JSValue result = baseValue.get(exec, *propertyName, slot);
+
+    MethodCallLinkInfo& methodInfo = exec->codeBlock()->getMethodCallLinkInfo(returnAddress);
+    if (methodInfo.seenOnce())
+        dfgRepatchGetMethod(exec, baseValue, *propertyName, slot, methodInfo);
+    else
+        methodInfo.setSeen();
+
+    return JSValue::encode(result);
+}
+
+EncodedJSValue operationGetByIdBuildListWithReturnAddress(ExecState*, EncodedJSValue, Identifier*, ReturnAddressPtr);
+FUNCTION_WRAPPER_WITH_ARG4_RETURN_ADDRESS(operationGetByIdBuildList);
+EncodedJSValue operationGetByIdBuildListWithReturnAddress(ExecState* exec, EncodedJSValue encodedBase, Identifier* propertyName, ReturnAddressPtr returnAddress)
+{
+    JSValue baseValue = JSValue::decode(encodedBase);
+    PropertySlot slot(baseValue);
+    JSValue result = baseValue.get(exec, *propertyName, slot);
+
+    StructureStubInfo& stubInfo = exec->codeBlock()->getStubInfo(returnAddress);
+    dfgBuildGetByIDList(exec, baseValue, *propertyName, slot, stubInfo);
+
+    return JSValue::encode(result);
+}
+
 EncodedJSValue operationGetByIdOptimizeWithReturnAddress(ExecState*, EncodedJSValue, Identifier*, ReturnAddressPtr);
 FUNCTION_WRAPPER_WITH_ARG4_RETURN_ADDRESS(operationGetByIdOptimize);
@@ -242 +273 @@
     else
         stubInfo.seen = true;
-
-    return JSValue::encode(result);
-}
-
-EncodedJSValue operationGetByIdBuildListWithReturnAddress(ExecState*, EncodedJSValue, Identifier*, ReturnAddressPtr);
-FUNCTION_WRAPPER_WITH_ARG4_RETURN_ADDRESS(operationGetByIdBuildList);
-EncodedJSValue operationGetByIdBuildListWithReturnAddress(ExecState* exec, EncodedJSValue encodedBase, Identifier* propertyName, ReturnAddressPtr returnAddress)
-{
-    JSValue baseValue = JSValue::decode(encodedBase);
-    PropertySlot slot(baseValue);
-    JSValue result = baseValue.get(exec, *propertyName, slot);
-
-    StructureStubInfo& stubInfo = exec->codeBlock()->getStubInfo(returnAddress);
-    dfgBuildGetByIDList(exec, baseValue, *propertyName, slot, stubInfo);
 
     return JSValue::encode(result);

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -62 +62 @@
 EncodedJSValue operationGetByIdBuildList(ExecState*, EncodedJSValue encodedBase, Identifier*);
 EncodedJSValue operationGetByIdOptimize(ExecState*, EncodedJSValue encodedBase, Identifier*);
+EncodedJSValue operationGetMethodOptimize(ExecState*, EncodedJSValue encodedBase, Identifier*);
 EncodedJSValue operationInstanceOf(ExecState*, EncodedJSValue value, EncodedJSValue base, EncodedJSValue prototype);
 void operationThrowHasInstanceError(ExecState*, EncodedJSValue base);

trunk/Source/JavaScriptCore/dfg/DFGRepatch.cpp

@@ -162 +162 @@
 }
 
+static void dfgRepatchGetMethodFast(JSGlobalData* globalData, CodeBlock* codeBlock, MethodCallLinkInfo& methodInfo, JSFunction* callee, Structure* structure, JSObject* slotBaseObject)
+{
+    ScriptExecutable* owner = codeBlock->ownerExecutable();
+    
+    RepatchBuffer repatchBuffer(codeBlock);
+
+    // Only optimize once!
+    repatchBuffer.relink(methodInfo.callReturnLocation, operationGetById);
+
+    methodInfo.cachedStructure.set(*globalData, owner, structure);
+    methodInfo.cachedPrototypeStructure.set(*globalData, owner, slotBaseObject->structure());
+    methodInfo.cachedPrototype.set(*globalData, owner, slotBaseObject);
+    methodInfo.cachedFunction.set(*globalData, owner, callee);
+}
+
+static bool tryCacheGetMethod(ExecState* exec, JSValue baseValue, const Identifier& propertyName, const PropertySlot& slot, MethodCallLinkInfo& methodInfo)
+{
+    CodeBlock* codeBlock = exec->codeBlock();
+    JSGlobalData* globalData = &exec->globalData();
+    
+    Structure* structure;
+    JSCell* specific;
+    JSObject* slotBaseObject;
+    if (baseValue.isCell()
+        && slot.isCacheableValue()
+        && !(structure = baseValue.asCell()->structure())->isUncacheableDictionary()
+        && (slotBaseObject = asObject(slot.slotBase()))->getPropertySpecificValue(exec, propertyName, specific)
+        && specific) {
+        
+        JSFunction* callee = (JSFunction*)specific;
+        
+        // Since we're accessing a prototype in a loop, it's a good bet that it
+        // should not be treated as a dictionary.
+        if (slotBaseObject->structure()->isDictionary())
+            slotBaseObject->flattenDictionaryObject(exec->globalData());
+        
+        if (slot.slotBase() == structure->prototypeForLookup(exec)) {
+            dfgRepatchGetMethodFast(globalData, codeBlock, methodInfo, callee, structure, slotBaseObject);
+            return true;
+        }
+        
+        if (slot.slotBase() == baseValue) {
+            dfgRepatchGetMethodFast(globalData, codeBlock, methodInfo, callee, structure, exec->scopeChain()->globalObject->methodCallDummy());
+            return true;
+        }
+    }
+    
+    return false;
+}
+
+void dfgRepatchGetMethod(ExecState* exec, JSValue baseValue, const Identifier& propertyName, const PropertySlot& slot, MethodCallLinkInfo& methodInfo)
+{
+    bool cached = tryCacheGetMethod(exec, baseValue, propertyName, slot, methodInfo);
+    if (!cached)
+        dfgRepatchCall(exec->codeBlock(), methodInfo.callReturnLocation, operationGetByIdOptimize);
+}
+
 static bool tryBuildGetByIDList(ExecState* exec, JSValue baseValue, const Identifier&, const PropertySlot& slot, StructureStubInfo& stubInfo)
 {

trunk/Source/JavaScriptCore/dfg/DFGRepatch.h

@@ -35 +35 @@
 
 void dfgRepatchGetByID(ExecState*, JSValue, const Identifier&, const PropertySlot&, StructureStubInfo&);
+void dfgRepatchGetMethod(ExecState*, JSValue, const Identifier&, const PropertySlot&, MethodCallLinkInfo&);
 void dfgBuildGetByIDList(ExecState*, JSValue, const Identifier&, const PropertySlot&, StructureStubInfo&);
 void dfgRepatchPutByID(ExecState*, JSValue, const Identifier&, const PutPropertySlot&, StructureStubInfo&, PutKind);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -1020 +1020 @@
         break;
     }
+        
+    case GetMethod: {
+        SpeculateCellOperand base(this, node.child1());
+        GPRTemporary result(this, base);
+
+        GPRReg resultGPR = result.gpr();
+
+        cachedGetMethod(base.gpr(), resultGPR, node.identifierNumber());
+
+        jsValueResult(resultGPR, m_compileIndex);
+        break;
+    }
 
     case PutById: {

trunk/Source/JavaScriptCore/jit/JITWriteBarrier.h

@@ -122 +122 @@
         JITWriteBarrierBase::set(globalData, location, owner, value);
     }
+    void set(JSGlobalData& globalData, JSCell* owner, T* value)
+    {
+        set(globalData, location(), owner, value);
+    }
     T* get() const
     {