Changeset 102545 in webkit

Timestamp:

Dec 11, 2011 4:35:51 PM (12 years ago)

Author:

ggaren@apple.com

Message:

v8 benchmark takes 12-13 million function call slow paths due to extra arguments
​https://bugs.webkit.org/show_bug.cgi?id=74244

Reviewed by Filip Pizlo.

.arguments function of order the Reversed

10% speedup on v8-raytrace, 1.7% speedup on v8 overall, neutral on Kraken
and SunSpider.

• bytecode/CodeBlock.h:

(JSC::CodeBlock::valueProfileForArgument): Clarified that the interface
to this function is an argument number.

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitConstruct):
(JSC::BytecodeGenerator::isArgumentNumber): Switched to using CallFrame
helper functions for computing offsets for arguments, rather than doing
the math by hand.

Switched to iterating argument offsets backwards (--) instead of forwards (++).

• bytecompiler/BytecodeGenerator.h:

(JSC::CallArguments::thisRegister):
(JSC::CallArguments::argumentRegister):
(JSC::CallArguments::registerOffset): Updated for arguments being reversed.

• bytecompiler/NodesCodegen.cpp: Allocate arguments in reverse order.

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::getArgument):
(JSC::DFG::ByteCodeParser::setArgument):
(JSC::DFG::ByteCodeParser::flush):
(JSC::DFG::ByteCodeParser::addCall):
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::handleMinMax):
(JSC::DFG::ByteCodeParser::handleIntrinsic):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::processPhiStack): Use abstract argument indices
that just-in-time convert to bytecode operands (i.e., indexes in the register
file) through helper functions. This means only one piece of code needs
to know how arguments are laid out in the register file.

• dfg/DFGGraph.cpp:

(JSC::DFG::Graph::dump): Ditto.

• dfg/DFGGraph.h:

(JSC::DFG::Graph::valueProfileFor): Ditto.

• dfg/DFGJITCompiler.cpp:

(JSC::DFG::JITCompiler::compileFunction): The whole point of this patch:
Treat too many arguments as an arity match.

• dfg/DFGOSRExit.h:

(JSC::DFG::OSRExit::variableForIndex):
(JSC::DFG::OSRExit::operandForIndex): Use helper functions, as above.

• dfg/DFGOperands.h:

(JSC::DFG::operandToArgument):
(JSC::DFG::argumentToOperand): These are now the only two lines of code in
the DFG compiler that know how arguments are laid out in memory.

(JSC::DFG::Operands::operand):
(JSC::DFG::Operands::setOperand): Use helper functions, as above.

• dfg/DFGOperations.cpp: The whole point of this patch:

Treat too many arguments as an arity match.

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::emitCall): Use helper functions, as above.

Also, don't tag the caller frame slot as a cell, because it's not a cell.

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::emitCall): Use helper functions, as above.

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compile): Use helper functions, as above.

(JSC::DFG::SpeculativeJIT::checkArgumentTypes): Use already-computed
argument virtual register instead of recomputing by hand.

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callFrameSlot):
(JSC::DFG::SpeculativeJIT::argumentSlot):
(JSC::DFG::SpeculativeJIT::callFrameTagSlot):
(JSC::DFG::SpeculativeJIT::callFramePayloadSlot):
(JSC::DFG::SpeculativeJIT::argumentTagSlot):
(JSC::DFG::SpeculativeJIT::argumentPayloadSlot): Added a few helper
functions for dealing with callee arguments specifically. These still
build on top of our other helper functions, and have no direct knowledge
of how arguments are laid out in the register file.

(JSC::DFG::SpeculativeJIT::resetCallArguments):
(JSC::DFG::SpeculativeJIT::addCallArgument): Renamed argumentIndex to
argumentOffset to match CallFrame naming.

(JSC::DFG::SpeculativeJIT::valueSourceReferenceForOperand): Use helper
functions, as above.

• interpreter/CallFrame.h:

(JSC::ExecState::argumentOffset):
(JSC::ExecState::argumentOffsetIncludingThis):
(JSC::ExecState::argument):
(JSC::ExecState::setArgument):
(JSC::ExecState::thisArgumentOffset):
(JSC::ExecState::thisValue):
(JSC::ExecState::setThisValue):
(JSC::ExecState::offsetFor):
(JSC::ExecState::hostThisRegister):
(JSC::ExecState::hostThisValue): Added a bunch of helper functions for
computing where an argument is in the register file. Anything in the
runtime that needs to access arguments should use these helpers.

• interpreter/CallFrameClosure.h:

(JSC::CallFrameClosure::setThis):
(JSC::CallFrameClosure::setArgument):
(JSC::CallFrameClosure::resetCallFrame): This stuff is a lot simpler, now
that too many arguments counts as an arity match and doesn't require
preserving two copies of our arguments.

• interpreter/Interpreter.cpp:

(JSC::Interpreter::slideRegisterWindowForCall): Only need to do something
special if the caller provided too few arguments.

Key simplification: We never need to maintain two copies of our arguments
anymore.

(JSC::eval):
(JSC::loadVarargs): Use helper functions.

(JSC::Interpreter::unwindCallFrame): Updated for new interface.

(JSC::Interpreter::execute):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
(JSC::Interpreter::prepareForRepeatCall): Seriously, though: use helper
functions.

(JSC::Interpreter::privateExecute): No need to check for stack overflow
when calling host functions because they have zero callee registers.

(JSC::Interpreter::retrieveArguments): Explicitly tear off the arguments
object, since there's no special constructor for this anymore.

• interpreter/Interpreter.h: Reduced the C++ re-entry depth because some

workers tests were hitting stack overflow in some of my testing. We should
make this test more exact in future.

• interpreter/RegisterFile.h: Death to all runtime knowledge of argument

location that does not belong to the CallFrame class!

• jit/JIT.cpp:

(JSC::JIT::privateCompile): I am a broken record and I use helper functions.

Also, the whole point of this patch: Treat too many arguments as an arity match.

• jit/JITCall32_64.cpp:

(JSC::JIT::compileLoadVarargs):

• jit/JITCall.cpp:

(JSC::JIT::compileLoadVarargs): Updated the argument copying math to use
helper functions, for backwards-correctness. Removed the condition
pertaining to declared argument count because, now that arguments are
always in just one place, this optimization is valid for all functions.
Standardized the if predicate for each line of the optimization. This might
fix a bug, but I couldn't get the bug to crash in practice.

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_create_arguments):
(JSC::JIT::emit_op_get_argument_by_val):
(JSC::JIT::emitSlow_op_get_argument_by_val):

• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_create_arguments):
(JSC::JIT::emit_op_get_argument_by_val):
(JSC::JIT::emitSlow_op_get_argument_by_val): Removed cti_op_create_arguments_no_params
optimization because it's no longer an optimization, now that arguments
are always contiguous in a known location.

Updated argument access opcode math for backwards-correctness.

• jit/JITStubs.cpp:

(JSC::arityCheckFor): Updated just like slideRegisterWindowForCall. This
function is slightly different because it copies the call frame in
addition to the arguments. (In the Interpreter, the call frame is not
set up by this point.)

(JSC::lazyLinkFor): The whole point of this patch: Treat too many
arguments as an arity match.

(JSC::DEFINE_STUB_FUNCTION): Updated for new iterface to tearOff().

• jit/JITStubs.h:
• jit/SpecializedThunkJIT.h:

(JSC::SpecializedThunkJIT::loadDoubleArgument):
(JSC::SpecializedThunkJIT::loadCellArgument):
(JSC::SpecializedThunkJIT::loadInt32Argument): Use helper functions! They
build strong bones and teeth!

• runtime/ArgList.cpp:

(JSC::ArgList::getSlice):
(JSC::MarkedArgumentBuffer::slowAppend):

• runtime/ArgList.h:

(JSC::MarkedArgumentBuffer::MarkedArgumentBuffer):
(JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
(JSC::MarkedArgumentBuffer::at):
(JSC::MarkedArgumentBuffer::clear):
(JSC::MarkedArgumentBuffer::append):
(JSC::MarkedArgumentBuffer::removeLast):
(JSC::MarkedArgumentBuffer::last):
(JSC::ArgList::ArgList):
(JSC::ArgList::at): Updated for backwards-correctness. WTF::Vector doesn't
play nice with backwards-ness, so I changed to using manual allocation.

Fixed a FIXME about not all values being marked in the case of out-of-line
arguments. I had to rewrite the loop anyway, and I didn't feel like
maintaining fidelity to its old bugs.

• runtime/Arguments.cpp:

(JSC::Arguments::visitChildren):
(JSC::Arguments::copyToArguments):
(JSC::Arguments::fillArgList):
(JSC::Arguments::getOwnPropertySlotByIndex):
(JSC::Arguments::getOwnPropertySlot):
(JSC::Arguments::getOwnPropertyDescriptor):
(JSC::Arguments::putByIndex):
(JSC::Arguments::put):
(JSC::Arguments::tearOff):

• runtime/Arguments.h:

(JSC::Arguments::create):
(JSC::Arguments::Arguments):
(JSC::Arguments::argument):
(JSC::Arguments::finishCreation): Secondary benefit of this patch: deleted
lots of tricky code designed to maintain two different copies of function
arguments. Now that arguments are always contiguous in one place in memory,
this complexity can go away.

Reduced down to one create function for the Arguments class, from three.

Moved tearOff() into an out-of-line function because it's huge.

Moved logic about whether to tear off eagerly into the Arguments class,
so we didn't have to duplicate it elsewhere.

• runtime/JSActivation.cpp:

(JSC::JSActivation::JSActivation):
(JSC::JSActivation::visitChildren): Renamed m_numParametersMinusThis to
m_numCapturedArgs because if the value really were m_numParametersMinusThis
we would be marking too much. (We shouldn't mark 'this' because it can't
be captured.) Also, use helper functions.

• runtime/JSActivation.h:

(JSC::JSActivation::tearOff): Use helper functions.

• runtime/JSArray.cpp:

(JSC::JSArray::copyToArguments):

• runtime/JSArray.h: Use helper functions, as above.

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (3 diffs)
• Configurations/Base.xcconfig (modified) (1 diff)
• bytecode/CodeBlock.h (modified) (1 diff)
• bytecompiler/BytecodeGenerator.cpp (modified) (8 diffs)
• bytecompiler/BytecodeGenerator.h (modified) (1 diff)
• bytecompiler/NodesCodegen.cpp (modified) (1 diff)
• dfg/DFGByteCodeParser.cpp (modified) (22 diffs)
• dfg/DFGGraph.cpp (modified) (1 diff)
• dfg/DFGGraph.h (modified) (1 diff)
• dfg/DFGJITCompiler.cpp (modified) (1 diff)
• dfg/DFGOSRExit.h (modified) (2 diffs)
• dfg/DFGOperands.h (modified) (3 diffs)
• dfg/DFGOperations.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT.cpp (modified) (3 diffs)
• dfg/DFGSpeculativeJIT.h (modified) (3 diffs)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (3 diffs)
• dfg/DFGSpeculativeJIT64.cpp (modified) (2 diffs)
• interpreter/CallFrame.h (modified) (2 diffs)
• interpreter/CallFrameClosure.h (modified) (2 diffs)
• interpreter/Interpreter.cpp (modified) (24 diffs)
• interpreter/Interpreter.h (modified) (1 diff)
• interpreter/RegisterFile.h (modified) (1 diff)
• jit/JIT.cpp (modified) (2 diffs)
• jit/JITCall.cpp (modified) (4 diffs)
• jit/JITCall32_64.cpp (modified) (4 diffs)
• jit/JITOpcodes.cpp (modified) (3 diffs)
• jit/JITOpcodes32_64.cpp (modified) (3 diffs)
• jit/JITStubs.cpp (modified) (5 diffs)
• jit/JITStubs.h (modified) (1 diff)
• jit/SpecializedThunkJIT.h (modified) (4 diffs)
• runtime/ArgList.cpp (modified) (3 diffs)
• runtime/ArgList.h (modified) (11 diffs)
• runtime/Arguments.cpp (modified) (9 diffs)
• runtime/Arguments.h (modified) (11 diffs)
• runtime/JSActivation.cpp (modified) (3 diffs)
• runtime/JSActivation.h (modified) (2 diffs)
• runtime/JSArray.cpp (modified) (1 diff)
• runtime/JSArray.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-12-10  Geoffrey Garen  <ggaren@apple.com>
+
+        v8 benchmark takes 12-13 million function call slow paths due to extra arguments
+        https://bugs.webkit.org/show_bug.cgi?id=74244
+
+        Reviewed by Filip Pizlo.
+        
+        .arguments function of order the Reversed
+        
+        10% speedup on v8-raytrace, 1.7% speedup on v8 overall, neutral on Kraken
+        and SunSpider.
+
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::valueProfileForArgument): Clarified that the interface
+        to this function is an argument number.
+
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::BytecodeGenerator):
+        (JSC::BytecodeGenerator::emitCall):
+        (JSC::BytecodeGenerator::emitConstruct):
+        (JSC::BytecodeGenerator::isArgumentNumber): Switched to using CallFrame
+        helper functions for computing offsets for arguments, rather than doing
+        the math by hand.
+        
+        Switched to iterating argument offsets backwards (--) instead of forwards (++).
+
+        * bytecompiler/BytecodeGenerator.h:
+        (JSC::CallArguments::thisRegister):
+        (JSC::CallArguments::argumentRegister):
+        (JSC::CallArguments::registerOffset): Updated for arguments being reversed.
+
+        * bytecompiler/NodesCodegen.cpp: Allocate arguments in reverse order.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::getArgument):
+        (JSC::DFG::ByteCodeParser::setArgument):
+        (JSC::DFG::ByteCodeParser::flush):
+        (JSC::DFG::ByteCodeParser::addCall):
+        (JSC::DFG::ByteCodeParser::handleCall):
+        (JSC::DFG::ByteCodeParser::handleInlining):
+        (JSC::DFG::ByteCodeParser::handleMinMax):
+        (JSC::DFG::ByteCodeParser::handleIntrinsic):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        (JSC::DFG::ByteCodeParser::processPhiStack): Use abstract argument indices
+        that just-in-time convert to bytecode operands (i.e., indexes in the register
+        file) through helper functions. This means only one piece of code needs
+        to know how arguments are laid out in the register file.
+
+        * dfg/DFGGraph.cpp:
+        (JSC::DFG::Graph::dump): Ditto.
+
+        * dfg/DFGGraph.h:
+        (JSC::DFG::Graph::valueProfileFor): Ditto.
+
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::compileFunction): The whole point of this patch:
+        Treat too many arguments as an arity match.
+
+        * dfg/DFGOSRExit.h:
+        (JSC::DFG::OSRExit::variableForIndex):
+        (JSC::DFG::OSRExit::operandForIndex): Use helper functions, as above.
+
+        * dfg/DFGOperands.h:
+        (JSC::DFG::operandToArgument):
+        (JSC::DFG::argumentToOperand): These are now the only two lines of code in
+        the DFG compiler that know how arguments are laid out in memory.
+
+        (JSC::DFG::Operands::operand):
+        (JSC::DFG::Operands::setOperand): Use helper functions, as above.
+
+        * dfg/DFGOperations.cpp: The whole point of this patch:
+        Treat too many arguments as an arity match.
+
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::emitCall): Use helper functions, as above.
+        
+        Also, don't tag the caller frame slot as a cell, because it's not a cell.
+
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::emitCall): Use helper functions, as above.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile): Use helper functions, as above.
+
+        (JSC::DFG::SpeculativeJIT::checkArgumentTypes): Use already-computed
+        argument virtual register instead of recomputing by hand.
+
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callFrameSlot):
+        (JSC::DFG::SpeculativeJIT::argumentSlot):
+        (JSC::DFG::SpeculativeJIT::callFrameTagSlot):
+        (JSC::DFG::SpeculativeJIT::callFramePayloadSlot):
+        (JSC::DFG::SpeculativeJIT::argumentTagSlot):
+        (JSC::DFG::SpeculativeJIT::argumentPayloadSlot): Added a few helper
+        functions for dealing with callee arguments specifically. These still
+        build on top of our other helper functions, and have no direct knowledge
+        of how arguments are laid out in the register file.
+
+        (JSC::DFG::SpeculativeJIT::resetCallArguments):
+        (JSC::DFG::SpeculativeJIT::addCallArgument): Renamed argumentIndex to
+        argumentOffset to match CallFrame naming.
+
+        (JSC::DFG::SpeculativeJIT::valueSourceReferenceForOperand): Use helper
+        functions, as above.
+
+        * interpreter/CallFrame.h:
+        (JSC::ExecState::argumentOffset):
+        (JSC::ExecState::argumentOffsetIncludingThis):
+        (JSC::ExecState::argument):
+        (JSC::ExecState::setArgument):
+        (JSC::ExecState::thisArgumentOffset):
+        (JSC::ExecState::thisValue):
+        (JSC::ExecState::setThisValue):
+        (JSC::ExecState::offsetFor):
+        (JSC::ExecState::hostThisRegister):
+        (JSC::ExecState::hostThisValue): Added a bunch of helper functions for
+        computing where an argument is in the register file. Anything in the
+        runtime that needs to access arguments should use these helpers.
+
+        * interpreter/CallFrameClosure.h:
+        (JSC::CallFrameClosure::setThis):
+        (JSC::CallFrameClosure::setArgument):
+        (JSC::CallFrameClosure::resetCallFrame): This stuff is a lot simpler, now
+        that too many arguments counts as an arity match and doesn't require
+        preserving two copies of our arguments.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::slideRegisterWindowForCall): Only need to do something
+        special if the caller provided too few arguments.
+        
+        Key simplification: We never need to maintain two copies of our arguments
+        anymore.
+
+        (JSC::eval):
+        (JSC::loadVarargs): Use helper functions.
+
+        (JSC::Interpreter::unwindCallFrame): Updated for new interface.
+
+        (JSC::Interpreter::execute):
+        (JSC::Interpreter::executeCall):
+        (JSC::Interpreter::executeConstruct):
+        (JSC::Interpreter::prepareForRepeatCall): Seriously, though: use helper
+        functions.
+
+        (JSC::Interpreter::privateExecute): No need to check for stack overflow
+        when calling host functions because they have zero callee registers.
+
+        (JSC::Interpreter::retrieveArguments): Explicitly tear off the arguments
+        object, since there's no special constructor for this anymore.
+
+        * interpreter/Interpreter.h: Reduced the C++ re-entry depth because some
+        workers tests were hitting stack overflow in some of my testing. We should
+        make this test more exact in future.
+
+        * interpreter/RegisterFile.h: Death to all runtime knowledge of argument
+        location that does not belong to the CallFrame class!
+
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompile): I am a broken record and I use helper functions.
+        
+        Also, the whole point of this patch: Treat too many arguments as an arity match.
+
+        * jit/JITCall32_64.cpp:
+        (JSC::JIT::compileLoadVarargs):
+        * jit/JITCall.cpp:
+        (JSC::JIT::compileLoadVarargs): Updated the argument copying math to use
+        helper functions, for backwards-correctness. Removed the condition
+        pertaining to declared argument count because, now that arguments are
+        always in just one place, this optimization is valid for all functions.
+        Standardized the if predicate for each line of the optimization. This might
+        fix a bug, but I couldn't get the bug to crash in practice.
+
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_create_arguments):
+        (JSC::JIT::emit_op_get_argument_by_val):
+        (JSC::JIT::emitSlow_op_get_argument_by_val):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_create_arguments):
+        (JSC::JIT::emit_op_get_argument_by_val):
+        (JSC::JIT::emitSlow_op_get_argument_by_val): Removed cti_op_create_arguments_no_params
+        optimization because it's no longer an optimization, now that arguments
+        are always contiguous in a known location.
+        
+        Updated argument access opcode math for backwards-correctness.
+
+        * jit/JITStubs.cpp:
+        (JSC::arityCheckFor): Updated just like slideRegisterWindowForCall. This
+        function is slightly different because it copies the call frame in
+        addition to the arguments. (In the Interpreter, the call frame is not
+        set up by this point.)
+
+        (JSC::lazyLinkFor): The whole point of this patch: Treat too many
+        arguments as an arity match.
+
+        (JSC::DEFINE_STUB_FUNCTION): Updated for new iterface to tearOff().
+
+        * jit/JITStubs.h:
+        * jit/SpecializedThunkJIT.h:
+        (JSC::SpecializedThunkJIT::loadDoubleArgument):
+        (JSC::SpecializedThunkJIT::loadCellArgument):
+        (JSC::SpecializedThunkJIT::loadInt32Argument): Use helper functions! They
+        build strong bones and teeth!
+
+        * runtime/ArgList.cpp:
+        (JSC::ArgList::getSlice):
+        (JSC::MarkedArgumentBuffer::slowAppend):
+        * runtime/ArgList.h:
+        (JSC::MarkedArgumentBuffer::MarkedArgumentBuffer):
+        (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
+        (JSC::MarkedArgumentBuffer::at):
+        (JSC::MarkedArgumentBuffer::clear):
+        (JSC::MarkedArgumentBuffer::append):
+        (JSC::MarkedArgumentBuffer::removeLast):
+        (JSC::MarkedArgumentBuffer::last):
+        (JSC::ArgList::ArgList):
+        (JSC::ArgList::at): Updated for backwards-correctness. WTF::Vector doesn't
+        play nice with backwards-ness, so I changed to using manual allocation.
+        
+        Fixed a FIXME about not all values being marked in the case of out-of-line
+        arguments. I had to rewrite the loop anyway, and I didn't feel like
+        maintaining fidelity to its old bugs.
+
+        * runtime/Arguments.cpp:
+        (JSC::Arguments::visitChildren):
+        (JSC::Arguments::copyToArguments):
+        (JSC::Arguments::fillArgList):
+        (JSC::Arguments::getOwnPropertySlotByIndex):
+        (JSC::Arguments::getOwnPropertySlot):
+        (JSC::Arguments::getOwnPropertyDescriptor):
+        (JSC::Arguments::putByIndex):
+        (JSC::Arguments::put):
+        (JSC::Arguments::tearOff):
+        * runtime/Arguments.h:
+        (JSC::Arguments::create):
+        (JSC::Arguments::Arguments):
+        (JSC::Arguments::argument):
+        (JSC::Arguments::finishCreation): Secondary benefit of this patch: deleted
+        lots of tricky code designed to maintain two different copies of function
+        arguments. Now that arguments are always contiguous in one place in memory,
+        this complexity can go away.
+        
+        Reduced down to one create function for the Arguments class, from three.
+
+        Moved tearOff() into an out-of-line function because it's huge.
+        
+        Moved logic about whether to tear off eagerly into the Arguments class,
+        so we didn't have to duplicate it elsewhere.
+
+        * runtime/JSActivation.cpp:
+        (JSC::JSActivation::JSActivation):
+        (JSC::JSActivation::visitChildren): Renamed m_numParametersMinusThis to
+        m_numCapturedArgs because if the value really were m_numParametersMinusThis
+        we would be marking too much. (We shouldn't mark 'this' because it can't
+        be captured.) Also, use helper functions.
+
+        * runtime/JSActivation.h:
+        (JSC::JSActivation::tearOff): Use helper functions.
+
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::copyToArguments):
+        * runtime/JSArray.h: Use helper functions, as above.
+
 2011-12-10  Mark Hahnenberg  <mhahnenberg@apple.com>
 
@@ -20357 +20619 @@
         (JSC::PredictionTracker::numberOfArguments):
         (JSC::PredictionTracker::numberOfVariables):
-        (JSC::PredictionTracker::argumentIndexForOperand):
+        (JSC::PredictionTracker::argumentOffsetForOperand):
         (JSC::PredictionTracker::predictArgument):
         (JSC::PredictionTracker::predict):
@@ -22092 +22354 @@
         (JSC::DFG::PredictionTracker::numberOfArguments):
         (JSC::DFG::PredictionTracker::numberOfVariables):
-        (JSC::DFG::PredictionTracker::argumentIndexForOperand):
+        (JSC::DFG::PredictionTracker::argumentOffsetForOperand):
         (JSC::DFG::PredictionTracker::predictArgument):
         (JSC::DFG::PredictionTracker::predict):

trunk/Source/JavaScriptCore/Configurations/Base.xcconfig

@@ -25 +25 @@
 
 COMPILER_SPECIFIC_WARNING_CFLAGS = $(COMPILER_SPECIFIC_WARNING_CFLAGS_$(TARGET_GCC_VERSION));
-COMPILER_SPECIFIC_WARNING_CFLAGS_LLVM_COMPILER = -Wglobal-constructors -Wexit-time-destructors;
+COMPILER_SPECIFIC_WARNING_CFLAGS_LLVM_COMPILER = ;
 
 CLANG_WARN_CXX0X_EXTENSIONS = NO;

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -652 +652 @@
             return WTF::genericBinarySearch<ValueProfile, int, getValueProfileBytecodeOffset>(m_valueProfiles, m_valueProfiles.size(), bytecodeOffset);
         }
-        ValueProfile* valueProfileForArgument(int argumentIndex)
-        {
-            int index = argumentIndex;
-            if (static_cast<unsigned>(index) >= m_valueProfiles.size())
+        ValueProfile* valueProfileForArgument(int argument)
+        {
+            size_t index = argument;
+            if (index >= m_valueProfiles.size())
                 return 0;
-            ValueProfile* result = valueProfile(argumentIndex);
+            ValueProfile* result = valueProfile(index);
             if (result->m_bytecodeOffset != -1)
                 return 0;

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -203 +203 @@
     , m_scopeNode(programNode)
     , m_codeBlock(codeBlock)
-    , m_thisRegister(RegisterFile::ProgramCodeThisRegister)
+    , m_thisRegister(CallFrame::thisArgumentOffset())
     , m_finallyDepth(0)
     , m_dynamicScopeDepth(0)
@@ -397 +397 @@
 
     FunctionParameters& parameters = *functionBody->parameters();
-    size_t parameterCount = parameters.size();
-    int nextParameterIndex = -RegisterFile::CallFrameHeaderSize - parameterCount - 1;
-    m_parameters.grow(1 + parameterCount); // reserve space for "this"
+    m_parameters.grow(parameters.size() + 1); // reserve space for "this"
 
     // Add "this" as a parameter
-    m_thisRegister.setIndex(nextParameterIndex);
+    int nextParameterIndex = CallFrame::thisArgumentOffset();
+    m_thisRegister.setIndex(nextParameterIndex--);
     ++m_codeBlock->m_numParameters;
     
-    for (size_t i = 0; i < parameterCount; ++i)
-        addParameter(parameters[i], ++nextParameterIndex);
+    for (size_t i = 0; i < parameters.size(); ++i)
+        addParameter(parameters[i], nextParameterIndex--);
 
     preserveLastVar();
@@ -436 +435 @@
     , m_scopeNode(evalNode)
     , m_codeBlock(codeBlock)
-    , m_thisRegister(RegisterFile::ProgramCodeThisRegister)
+    , m_thisRegister(CallFrame::thisArgumentOffset())
     , m_finallyDepth(0)
     , m_dynamicScopeDepth(0)
@@ -1802 +1801 @@
 
     // Generate code for arguments.
-    unsigned argumentIndex = 0;
+    unsigned argument = 0;
     for (ArgumentListNode* n = callArguments.argumentsNode()->m_listNode; n; n = n->m_next)
-        emitNode(callArguments.argumentRegister(argumentIndex++), n);
+        emitNode(callArguments.argumentRegister(argument++), n);
 
     // Reserve space for call frame.
@@ -1821 +1820 @@
     emitOpcode(opcodeID);
     instructions().append(func->index()); // func
-    instructions().append(callArguments.count()); // argCount
+    instructions().append(callArguments.argumentCountIncludingThis()); // argCount
     instructions().append(callArguments.registerOffset()); // registerOffset
     if (dst != ignoredResult()) {
@@ -1901 +1900 @@
 
     // Generate code for arguments.
-    unsigned argumentIndex = 0;
+    unsigned argument = 0;
     if (ArgumentsNode* argumentsNode = callArguments.argumentsNode()) {
         for (ArgumentListNode* n = argumentsNode->m_listNode; n; n = n->m_next)
-            emitNode(callArguments.argumentRegister(argumentIndex++), n);
+            emitNode(callArguments.argumentRegister(argument++), n);
     }
 
@@ -1921 +1920 @@
     emitOpcode(op_construct);
     instructions().append(func->index()); // func
-    instructions().append(callArguments.count()); // argCount
+    instructions().append(callArguments.argumentCountIncludingThis()); // argCount
     instructions().append(callArguments.registerOffset()); // registerOffset
     if (dst != ignoredResult()) {
@@ -2363 +2362 @@
     if (!registerID || registerID->index() >= 0)
          return 0;
-    return registerID->index() - m_thisRegister.index() - 1 == argumentNumber;
+    return registerID->index() == CallFrame::argumentOffset(argumentNumber);
 }
 

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -56 +56 @@
         RegisterID* thisRegister() { return m_argv[0].get(); }
         RegisterID* argumentRegister(unsigned i) { return m_argv[i + 1].get(); }
-        unsigned registerOffset() { return thisRegister()->index() + count() + RegisterFile::CallFrameHeaderSize; }
-        unsigned count() { return m_argv.size(); }
+        unsigned registerOffset() { return m_argv.last()->index() + CallFrame::offsetFor(argumentCountIncludingThis()); }
+        unsigned argumentCountIncludingThis() { return m_argv.size(); }
         RegisterID* profileHookRegister() { return m_profileHookRegister.get(); }
         ArgumentsNode* argumentsNode() { return m_argumentsNode; }

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -320 +320 @@
         m_profileHookRegister = generator.newTemporary();
 
-    newArgument(generator); // 'this' register.
-    if (!argumentsNode)
-        return;
-    for (ArgumentListNode* n = argumentsNode->m_listNode; n; n = n->m_next)
-        newArgument(generator);
+    size_t argumentCountIncludingThis = 1; // 'this' register.
+    if (argumentsNode) {
+        for (ArgumentListNode* node = argumentsNode->m_listNode; node; node = node->m_next)
+            ++argumentCountIncludingThis;
+    }
+
+    m_argv.grow(argumentCountIncludingThis);
+    for (int i = argumentCountIncludingThis - 1; i >= 0; --i) {
+        m_argv[i] = generator.newTemporary();
+        ASSERT(static_cast<size_t>(i) == m_argv.size() - 1 || m_argv[i]->index() == m_argv[i + 1]->index() + 1);
+    }
 }
 

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -77 +77 @@
 
     // Helper for min and max.
-    bool handleMinMax(bool usesResult, int resultOperand, NodeType op, int firstArg, int lastArg);
+    bool handleMinMax(bool usesResult, int resultOperand, NodeType op, int registerOffset, int argumentCountIncludingThis);
     
     // Handle calls. This resolves issues surrounding inlining and intrinsics.
     void handleCall(Interpreter*, Instruction* currentInstruction, NodeType op, CodeSpecializationKind);
     // Handle inlining. Return true if it succeeded, false if we need to plant a call.
-    bool handleInlining(bool usesResult, int callTarget, NodeIndex callTargetNodeIndex, int resultOperand, bool certainAboutExpectedFunction, JSFunction*, int firstArg, int lastArg, unsigned nextOffset, CodeSpecializationKind);
+    bool handleInlining(bool usesResult, int callTarget, NodeIndex callTargetNodeIndex, int resultOperand, bool certainAboutExpectedFunction, JSFunction*, int registerOffset, int argumentCountIncludingThis, unsigned nextOffset, CodeSpecializationKind);
     // Handle intrinsic functions. Return true if it succeeded, false if we need to plant a call.
-    bool handleIntrinsic(bool usesResult, int resultOperand, Intrinsic, int firstArg, int lastArg, PredictedType prediction);
+    bool handleIntrinsic(bool usesResult, int resultOperand, Intrinsic, int registerOffset, int argumentCountIncludingThis, PredictedType prediction);
     // Prepare to parse a block.
     void prepareToParseBlock();
@@ -200 +200 @@
     NodeIndex getArgument(unsigned operand)
     {
-        unsigned argument = operand + m_codeBlock->m_numParameters + RegisterFile::CallFrameHeaderSize;
+        unsigned argument = operandToArgument(operand);
         ASSERT(argument < m_numArguments);
 
@@ -249 +249 @@
     void setArgument(int operand, NodeIndex value)
     {
-        unsigned argument = operand + m_codeBlock->m_numParameters + RegisterFile::CallFrameHeaderSize;
+        unsigned argument = operandToArgument(operand);
         ASSERT(argument < m_numArguments);
 
@@ -267 +267 @@
         int index;
         if (operandIsArgument(operand)) {
-            index = operand + m_codeBlock->m_numParameters + RegisterFile::CallFrameHeaderSize;
+            index = operandToArgument(operand);
             nodeIndex = m_currentBlock->variablesAtTail.argument(index);
         } else {
@@ -579 +579 @@
         addVarArgChild(get(currentInstruction[1].u.operand));
         int argCount = currentInstruction[2].u.operand;
+        if (RegisterFile::CallFrameHeaderSize + (unsigned)argCount > m_parameterSlots)
+            m_parameterSlots = RegisterFile::CallFrameHeaderSize + argCount;
+
         int registerOffset = currentInstruction[3].u.operand;
-        int firstArg = registerOffset - argCount - RegisterFile::CallFrameHeaderSize;
-        for (int argIdx = firstArg + (op == Construct ? 1 : 0); argIdx < firstArg + argCount; argIdx++)
-            addVarArgChild(get(argIdx));
+        int dummyThisArgument = op == Call ? 0 : 1;
+        for (int i = 0 + dummyThisArgument; i < argCount; ++i)
+            addVarArgChild(get(registerOffset + argumentToOperand(i)));
+
         NodeIndex call = addToGraph(Node::VarArg, op, OpInfo(0), OpInfo(prediction));
         if (interpreter->getOpcodeID(putInstruction->u.opcode) == op_call_put_result)
             set(putInstruction[1].u.operand, call);
-        if (RegisterFile::CallFrameHeaderSize + (unsigned)argCount > m_parameterSlots)
-            m_parameterSlots = RegisterFile::CallFrameHeaderSize + argCount;
         return call;
     }
@@ -896 +898 @@
         callType = UnknownFunction;
     if (callType != UnknownFunction) {
-        int argCount = currentInstruction[2].u.operand;
+        int argumentCountIncludingThis = currentInstruction[2].u.operand;
         int registerOffset = currentInstruction[3].u.operand;
-        int firstArg = registerOffset - argCount - RegisterFile::CallFrameHeaderSize;
-        int lastArg = firstArg + argCount - 1;
-                
+
         // Do we have a result?
         bool usesResult = false;
@@ -931 +931 @@
                 addToGraph(CheckFunction, OpInfo(expectedFunction), callTarget);
             
-            if (handleIntrinsic(usesResult, resultOperand, intrinsic, firstArg, lastArg, prediction)) {
+            if (handleIntrinsic(usesResult, resultOperand, intrinsic, registerOffset, argumentCountIncludingThis, prediction)) {
                 if (!certainAboutExpectedFunction) {
                     // Need to keep the call target alive for OSR. We could easily optimize this out if we wanted
@@ -941 +941 @@
                 return;
             }
-        } else if (handleInlining(usesResult, currentInstruction[1].u.operand, callTarget, resultOperand, certainAboutExpectedFunction, expectedFunction, firstArg, lastArg, nextOffset, kind))
+        } else if (handleInlining(usesResult, currentInstruction[1].u.operand, callTarget, resultOperand, certainAboutExpectedFunction, expectedFunction, registerOffset, argumentCountIncludingThis, nextOffset, kind))
             return;
     }
@@ -948 +948 @@
 }
 
-bool ByteCodeParser::handleInlining(bool usesResult, int callTarget, NodeIndex callTargetNodeIndex, int resultOperand, bool certainAboutExpectedFunction, JSFunction* expectedFunction, int firstArg, int lastArg, unsigned nextOffset, CodeSpecializationKind kind)
+bool ByteCodeParser::handleInlining(bool usesResult, int callTarget, NodeIndex callTargetNodeIndex, int resultOperand, bool certainAboutExpectedFunction, JSFunction* expectedFunction, int registerOffset, int argumentCountIncludingThis, unsigned nextOffset, CodeSpecializationKind kind)
 {
     // First, the really simple checks: do we have an actual JS function?
@@ -960 +960 @@
     // Does the number of arguments we're passing match the arity of the target? We could
     // inline arity check failures, but for simplicity we currently don't.
-    if (static_cast<int>(executable->parameterCount()) + 1 != lastArg - firstArg + 1)
+    if (static_cast<int>(executable->parameterCount()) + 1 != argumentCountIncludingThis)
         return false;
     
@@ -1001 +1001 @@
     // FIXME: Don't flush constants!
     
-    for (int arg = firstArg + 1; arg <= lastArg; ++arg)
-        flush(arg);
-    
-    int inlineCallFrameStart = m_inlineStackTop->remapOperand(lastArg) + 1;
+    for (int i = 1; i < argumentCountIncludingThis; ++i)
+        flush(registerOffset + argumentToOperand(i));
+    
+    int inlineCallFrameStart = m_inlineStackTop->remapOperand(registerOffset) - RegisterFile::CallFrameHeaderSize;
     
     // Make sure that the area used by the call frame is reserved.
@@ -1124 +1124 @@
 }
 
-bool ByteCodeParser::handleMinMax(bool usesResult, int resultOperand, NodeType op, int firstArg, int lastArg)
+bool ByteCodeParser::handleMinMax(bool usesResult, int resultOperand, NodeType op, int registerOffset, int argumentCountIncludingThis)
 {
     if (!usesResult)
         return true;
 
-    if (lastArg == firstArg) {
+    if (argumentCountIncludingThis == 1) { // Math.min()
         set(resultOperand, constantNaN());
         return true;
     }
      
-    if (lastArg == firstArg + 1) {
-        set(resultOperand, getToNumber(firstArg + 1));
+    if (argumentCountIncludingThis == 2) { // Math.min(x)
+        set(resultOperand, getToNumber(registerOffset + argumentToOperand(1)));
         return true;
     }
     
-    if (lastArg == firstArg + 2) {
-        set(resultOperand, addToGraph(op, OpInfo(NodeUseBottom), getToNumber(firstArg + 1), getToNumber(firstArg + 2)));
+    if (argumentCountIncludingThis == 3) { // Math.min(x, y)
+        set(resultOperand, addToGraph(op, OpInfo(NodeUseBottom), getToNumber(registerOffset + argumentToOperand(1)), getToNumber(registerOffset + argumentToOperand(2))));
         return true;
     }
@@ -1148 +1148 @@
 }
 
-bool ByteCodeParser::handleIntrinsic(bool usesResult, int resultOperand, Intrinsic intrinsic, int firstArg, int lastArg, PredictedType prediction)
+// FIXME: We dead-code-eliminate unused Math intrinsics, but that's invalid because
+// they need to perform the ToNumber conversion, which can have side-effects.
+bool ByteCodeParser::handleIntrinsic(bool usesResult, int resultOperand, Intrinsic intrinsic, int registerOffset, int argumentCountIncludingThis, PredictedType prediction)
 {
     switch (intrinsic) {
@@ -1158 +1160 @@
         }
         
-        // We don't care about the this argument. If we don't have a first
-        // argument then make this JSConstant(NaN).
-        int absArg = firstArg + 1;
-        if (absArg > lastArg) {
+        if (argumentCountIncludingThis == 1) { // Math.abs()
             set(resultOperand, constantNaN());
             return true;
@@ -1169 +1168 @@
             return false;
 
-        set(resultOperand, addToGraph(ArithAbs, OpInfo(NodeUseBottom), getToNumber(absArg)));
+        set(resultOperand, addToGraph(ArithAbs, OpInfo(NodeUseBottom), getToNumber(registerOffset + argumentToOperand(1))));
         return true;
     }
-        
+
     case MinIntrinsic:
-        return handleMinMax(usesResult, resultOperand, ArithMin, firstArg, lastArg);
+        return handleMinMax(usesResult, resultOperand, ArithMin, registerOffset, argumentCountIncludingThis);
         
     case MaxIntrinsic:
-        return handleMinMax(usesResult, resultOperand, ArithMax, firstArg, lastArg);
+        return handleMinMax(usesResult, resultOperand, ArithMax, registerOffset, argumentCountIncludingThis);
         
     case SqrtIntrinsic: {
@@ -1183 +1182 @@
             return true;
         
-        if (firstArg == lastArg) {
+        if (argumentCountIncludingThis == 1) { // Math.sqrt()
             set(resultOperand, constantNaN());
             return true;
@@ -1191 +1190 @@
             return false;
         
-        set(resultOperand, addToGraph(ArithSqrt, getToNumber(firstArg + 1)));
+        set(resultOperand, addToGraph(ArithSqrt, getToNumber(registerOffset + argumentToOperand(1))));
         return true;
     }
         
     case ArrayPushIntrinsic: {
-        if (firstArg + 1 != lastArg)
+        if (argumentCountIncludingThis != 2)
             return false;
         
-        NodeIndex arrayPush = addToGraph(ArrayPush, OpInfo(0), OpInfo(prediction), get(firstArg), get(firstArg + 1));
+        NodeIndex arrayPush = addToGraph(ArrayPush, OpInfo(0), OpInfo(prediction), get(registerOffset + argumentToOperand(0)), get(registerOffset + argumentToOperand(1)));
         if (usesResult)
             set(resultOperand, arrayPush);
@@ -1207 +1206 @@
         
     case ArrayPopIntrinsic: {
-        if (firstArg != lastArg)
+        if (argumentCountIncludingThis != 1)
             return false;
         
-        NodeIndex arrayPop = addToGraph(ArrayPop, OpInfo(0), OpInfo(prediction), get(firstArg));
+        NodeIndex arrayPop = addToGraph(ArrayPop, OpInfo(0), OpInfo(prediction), get(registerOffset + argumentToOperand(0)));
         if (usesResult)
             set(resultOperand, arrayPop);
@@ -1217 +1216 @@
 
     case CharCodeAtIntrinsic: {
-        if (firstArg + 1 != lastArg)
+        if (argumentCountIncludingThis != 2)
             return false;
-        if (!(m_graph[get(firstArg)].prediction() & PredictString))
+
+        int thisOperand = registerOffset + argumentToOperand(0);
+        if (!(m_graph[get(thisOperand)].prediction() & PredictString))
             return false;
         
-        NodeIndex storage = addToGraph(GetIndexedPropertyStorage, get(firstArg), getToInt32(firstArg + 1));
-        NodeIndex charCode = addToGraph(StringCharCodeAt, get(firstArg), getToInt32(firstArg + 1), storage);
+        int indexOperand = registerOffset + argumentToOperand(1);
+        NodeIndex storage = addToGraph(GetIndexedPropertyStorage, get(thisOperand), getToInt32(indexOperand));
+        NodeIndex charCode = addToGraph(StringCharCodeAt, get(thisOperand), getToInt32(indexOperand), storage);
+
         if (usesResult)
             set(resultOperand, charCode);
@@ -1230 +1233 @@
 
     case CharAtIntrinsic: {
-        if (firstArg + 1 != lastArg)
+        if (argumentCountIncludingThis != 2)
             return false;
-        if (!(m_graph[get(firstArg)].prediction() & PredictString))
+
+        int thisOperand = registerOffset + argumentToOperand(0);
+        if (!(m_graph[get(thisOperand)].prediction() & PredictString))
             return false;
 
-        NodeIndex storage = addToGraph(GetIndexedPropertyStorage, get(firstArg), getToInt32(firstArg + 1));
-        NodeIndex charCode = addToGraph(StringCharAt, get(firstArg), getToInt32(firstArg + 1), storage);
+        int indexOperand = registerOffset + argumentToOperand(1);
+        NodeIndex storage = addToGraph(GetIndexedPropertyStorage, get(thisOperand), getToInt32(indexOperand));
+        NodeIndex charCode = addToGraph(StringCharAt, get(thisOperand), getToInt32(indexOperand), storage);
+
         if (usesResult)
             set(resultOperand, charCode);
@@ -1268 +1275 @@
         m_graph.m_arguments.resize(m_numArguments);
         for (unsigned argument = 0; argument < m_numArguments; ++argument) {
-            NodeIndex setArgument = addToGraph(SetArgument, OpInfo(newVariableAccessData(argument - m_codeBlock->m_numParameters - RegisterFile::CallFrameHeaderSize)));
+            NodeIndex setArgument = addToGraph(SetArgument, OpInfo(newVariableAccessData(argumentToOperand(argument))));
             m_graph.m_arguments[argument] = setArgument;
             m_currentBlock->variablesAtHead.setArgumentFirstTime(argument, setArgument);
@@ -2208 +2215 @@
 #endif
 
-                valueInPredecessor = addToGraph(Phi, OpInfo(newVariableAccessData(stackType == ArgumentPhiStack ? varNo - m_codeBlock->m_numParameters - RegisterFile::CallFrameHeaderSize : varNo)));
+                valueInPredecessor = addToGraph(Phi, OpInfo(newVariableAccessData(stackType == ArgumentPhiStack ? argumentToOperand(varNo) : static_cast<int>(varNo))));
                 var = valueInPredecessor;
                 if (stackType == ArgumentPhiStack)

trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp

@@ -218 +218 @@
         int operand = variableAccessData->operand();
         if (operandIsArgument(operand))
-            printf("%sarg%u(%s)", hasPrinted ? ", " : "", operand - codeBlock->thisRegister(), nameOfVariableAccessData(variableAccessData));
+            printf("%sarg%u(%s)", hasPrinted ? ", " : "", operandToArgument(operand), nameOfVariableAccessData(variableAccessData));
         else
             printf("%sr%u(%s)", hasPrinted ? ", " : "", operand, nameOfVariableAccessData(variableAccessData));

trunk/Source/JavaScriptCore/dfg/DFGGraph.h

@@ -198 +198 @@
             if (!operandIsArgument(node.local()))
                 return 0;
-            int argument = node.local() + m_arguments.size() + RegisterFile::CallFrameHeaderSize;
+            int argument = operandToArgument(node.local());
             if (node.variableAccessData() != at(m_arguments[argument]).variableAccessData())
                 return 0;

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp

@@ -257 +257 @@
 
     load32(Address(GPRInfo::callFrameRegister, RegisterFile::ArgumentCount * static_cast<int>(sizeof(Register))), GPRInfo::regT1);
-    branch32(Equal, GPRInfo::regT1, Imm32(m_codeBlock->m_numParameters)).linkTo(fromArityCheck, this);
+    branch32(AboveOrEqual, GPRInfo::regT1, Imm32(m_codeBlock->m_numParameters)).linkTo(fromArityCheck, this);
     move(stackPointerRegister, GPRInfo::argumentGPR0);
     poke(GPRInfo::callFrameRegister, OBJECT_OFFSETOF(struct JITStackFrame, callFrame) / sizeof(void*));

trunk/Source/JavaScriptCore/dfg/DFGOSRExit.h

@@ -35 +35 @@
 #include "DFGCorrectableJumpPoint.h"
 #include "DFGGPRInfo.h"
+#include "DFGOperands.h"
 #include "MacroAssembler.h"
 #include "ValueProfile.h"
@@ -113 +114 @@
         return index - m_arguments.size();
     }
-    int operandForArgument(int argument) const
-    {
-        return argument - m_arguments.size() - RegisterFile::CallFrameHeaderSize;
-    }
     int operandForIndex(int index) const
     {
         if (index < (int)m_arguments.size())
-            return operandForArgument(index);
+            return operandToArgument(index);
         return index - m_arguments.size();
     }

trunk/Source/JavaScriptCore/dfg/DFGOperands.h

@@ -31 +31 @@
 #if ENABLE(DFG_JIT)
 
+#include "CallFrame.h"
 #include <wtf/Vector.h>
 
 namespace JSC { namespace DFG {
 
-// helper function to distinguish vars & temporaries from arguments.
+// argument 0 is 'this'.
 inline bool operandIsArgument(int operand) { return operand < 0; }
+inline int operandToArgument(int operand) { return -operand + CallFrame::thisArgumentOffset(); }
+inline int argumentToOperand(int argument) { return -argument + CallFrame::thisArgumentOffset(); }
 
 template<typename T> struct OperandValueTraits;
@@ -106 +109 @@
     {
         if (operandIsArgument(operand)) {
-            int argument = operand + m_arguments.size() + RegisterFile::CallFrameHeaderSize;
+            int argument = operandToArgument(operand);
             return m_arguments[argument];
         }
@@ -118 +121 @@
     {
         if (operandIsArgument(operand)) {
-            int argument = operand + m_arguments.size() + RegisterFile::CallFrameHeaderSize;
+            int argument = operandToArgument(operand);
             m_arguments[argument] = value;
             return;

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -659 +659 @@
         }
         codeBlock = &functionExecutable->generatedBytecodeFor(kind);
-        if (execCallee->argumentCountIncludingThis() == static_cast<size_t>(codeBlock->m_numParameters))
+        if (execCallee->argumentCountIncludingThis() < static_cast<size_t>(codeBlock->m_numParameters))
+            codePtr = functionExecutable->generatedJITCodeWithArityCheckFor(kind);
+        else
             codePtr = functionExecutable->generatedJITCodeFor(kind).addressForCall();
-        else
-            codePtr = functionExecutable->generatedJITCodeWithArityCheckFor(kind);
     }
     CallLinkInfo& callLinkInfo = exec->codeBlock()->getCallLinkInfo(returnAddress);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -964 +964 @@
             case InlineStart: {
                 InlineCallFrame* inlineCallFrame = node.codeOrigin.inlineCallFrame;
-                unsigned argumentsStart = inlineCallFrame->stackOffset - RegisterFile::CallFrameHeaderSize - inlineCallFrame->arguments.size();
-                for (unsigned i = 0; i < inlineCallFrame->arguments.size(); ++i) {
-                    ValueRecovery recovery = computeValueRecoveryFor(m_variables[argumentsStart + i]);
+                int argumentCountIncludingThis = inlineCallFrame->arguments.size();
+                for (int i = 0; i < argumentCountIncludingThis; ++i) {
+                    ValueRecovery recovery = computeValueRecoveryFor(m_variables[inlineCallFrame->stackOffset + CallFrame::argumentOffsetIncludingThis(i)]);
                     // The recovery cannot point to registers, since the call frame reification isn't
                     // as smart as OSR, so it can't handle that. The exception is the this argument,
@@ -1021 +1021 @@
         
 #if DFG_ENABLE(VERBOSE_VALUE_RECOVERIES)
-        for (int operand = -m_arguments.size() - RegisterFile::CallFrameHeaderSize; operand < -RegisterFile::CallFrameHeaderSize; ++operand)
-            computeValueRecoveryFor(operand).dump(stderr);
+        for (size_t i = 0; i < m_arguments.size(); ++i)
+            computeValueRecoveryFor(argumentToOperand(i)).dump(stderr);
         
         fprintf(stderr, " : ");
@@ -1055 +1055 @@
     
     for (int i = 0; i < m_jit.codeBlock()->m_numParameters; ++i) {
-        VirtualRegister virtualRegister = (VirtualRegister)(m_jit.codeBlock()->thisRegister() + i);
-        PredictedType predictedType = at(m_jit.graph().m_arguments[i]).variableAccessData()->prediction();
+        VariableAccessData* variableAccessData = at(m_jit.graph().m_arguments[i]).variableAccessData();
+        VirtualRegister virtualRegister = variableAccessData->local();
+        PredictedType predictedType = variableAccessData->prediction();
 #if USE(JSVALUE64)
         if (isInt32Prediction(predictedType))

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -891 +891 @@
     void compileInstanceOf(Node&);
     
-    MacroAssembler::Address addressOfCallData(int idx)
-    {
-        return MacroAssembler::Address(GPRInfo::callFrameRegister, (m_jit.codeBlock()->m_numCalleeRegisters + idx) * static_cast<int>(sizeof(Register)));
+    // Access to our fixed callee CallFrame.
+    MacroAssembler::Address callFrameSlot(int slot)
+    {
+        return MacroAssembler::Address(GPRInfo::callFrameRegister, (m_jit.codeBlock()->m_numCalleeRegisters + slot) * static_cast<int>(sizeof(Register)));
+    }
+
+    // Access to our fixed callee CallFrame.
+    MacroAssembler::Address argumentSlot(int argument)
+    {
+        return MacroAssembler::Address(GPRInfo::callFrameRegister, (m_jit.codeBlock()->m_numCalleeRegisters + argumentToOperand(argument)) * static_cast<int>(sizeof(Register)));
     }
 
 #if USE(JSVALUE32_64)    
-    MacroAssembler::Address tagOfCallData(int idx)
-    {
-        return MacroAssembler::Address(GPRInfo::callFrameRegister, (m_jit.codeBlock()->m_numCalleeRegisters + idx) * static_cast<int>(sizeof(Register)) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag));
-    }
-
-    MacroAssembler::Address payloadOfCallData(int idx)
-    {
-        return MacroAssembler::Address(GPRInfo::callFrameRegister, (m_jit.codeBlock()->m_numCalleeRegisters + idx) * static_cast<int>(sizeof(Register)) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload));
+    MacroAssembler::Address callFrameTagSlot(int slot)
+    {
+        return MacroAssembler::Address(GPRInfo::callFrameRegister, (m_jit.codeBlock()->m_numCalleeRegisters + slot) * static_cast<int>(sizeof(Register)) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag));
+    }
+
+    MacroAssembler::Address callFramePayloadSlot(int slot)
+    {
+        return MacroAssembler::Address(GPRInfo::callFrameRegister, (m_jit.codeBlock()->m_numCalleeRegisters + slot) * static_cast<int>(sizeof(Register)) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload));
+    }
+
+    MacroAssembler::Address argumentTagSlot(int argument)
+    {
+        return MacroAssembler::Address(GPRInfo::callFrameRegister, (m_jit.codeBlock()->m_numCalleeRegisters + argumentToOperand(argument)) * static_cast<int>(sizeof(Register)) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag));
+    }
+
+    MacroAssembler::Address argumentPayloadSlot(int argument)
+    {
+        return MacroAssembler::Address(GPRInfo::callFrameRegister, (m_jit.codeBlock()->m_numCalleeRegisters + argumentToOperand(argument)) * static_cast<int>(sizeof(Register)) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload));
     }
 #endif
@@ -1046 +1063 @@
     // correct registers.
 #if !NUMBER_OF_ARGUMENT_REGISTERS
-    unsigned m_callArgumentIndex;
-    void resetCallArguments() { m_callArgumentIndex = 0; }
+    unsigned m_callArgumentOffset;
+    void resetCallArguments() { m_callArgumentOffset = 0; }
 
     // These methods are using internally to implement the callOperation methods.
     void addCallArgument(GPRReg value)
     {
-        m_jit.poke(value, m_callArgumentIndex++);
+        m_jit.poke(value, m_callArgumentOffset++);
     }
     void addCallArgument(TrustedImm32 imm)
     {
-        m_jit.poke(imm, m_callArgumentIndex++);
+        m_jit.poke(imm, m_callArgumentOffset++);
     }
     void addCallArgument(TrustedImmPtr pointer)
     {
-        m_jit.poke(pointer, m_callArgumentIndex++);
+        m_jit.poke(pointer, m_callArgumentOffset++);
     }
     void addCallArgument(FPRReg value)
     {
-        m_jit.storeDouble(value, JITCompiler::Address(JITCompiler::stackPointerRegister, m_callArgumentIndex * sizeof(void*)));
-        m_callArgumentIndex += sizeof(double) / sizeof(void*);
+        m_jit.storeDouble(value, JITCompiler::Address(JITCompiler::stackPointerRegister, m_callArgumentOffset * sizeof(void*)));
+        m_callArgumentOffset += sizeof(double) / sizeof(void*);
     }
 
@@ -2076 +2093 @@
     {
         if (operandIsArgument(operand)) {
-            int argument = operand + m_arguments.size() + RegisterFile::CallFrameHeaderSize;
+            int argument = operandToArgument(operand);
             return m_arguments[argument];
         }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -1259 +1259 @@
     use(calleeNodeIndex);
 
-    // the call instruction's first child is either the function (normal call) or the
+    // The call instruction's first child is either the function (normal call) or the
     // receiver (method call). subsequent children are the arguments.
-    int numArgs = node.numChildren() - 1;
-
-    // For constructors, the this argument is not passed but we have to make space
-    // for it.
-    int numPassedArgs = numArgs + dummyThisArgument;
-
-    // amount of stuff (in units of sizeof(Register)) that we need to place at the
-    // top of the JS stack.
-    int callDataSize = 0;
-
-    // first there are the arguments
-    callDataSize += numPassedArgs;
-
-    // and then there is the call frame header
-    callDataSize += RegisterFile::CallFrameHeaderSize;
-
-    m_jit.store32(MacroAssembler::TrustedImm32(numPassedArgs), payloadOfCallData(RegisterFile::ArgumentCount));
-    m_jit.store32(MacroAssembler::TrustedImm32(JSValue::Int32Tag), tagOfCallData(RegisterFile::ArgumentCount));
-    m_jit.storePtr(GPRInfo::callFrameRegister, payloadOfCallData(RegisterFile::CallerFrame));
-    m_jit.store32(MacroAssembler::TrustedImm32(JSValue::CellTag), tagOfCallData(RegisterFile::CallerFrame));
-
-    for (int argIdx = 0; argIdx < numArgs; argIdx++) {
-        NodeIndex argNodeIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 1 + argIdx];
+    int numPassedArgs = node.numChildren() - 1;
+
+    m_jit.store32(MacroAssembler::TrustedImm32(numPassedArgs + dummyThisArgument), callFramePayloadSlot(RegisterFile::ArgumentCount));
+    m_jit.store32(MacroAssembler::TrustedImm32(JSValue::Int32Tag), callFrameTagSlot(RegisterFile::ArgumentCount));
+    m_jit.storePtr(GPRInfo::callFrameRegister, callFramePayloadSlot(RegisterFile::CallerFrame));
+    m_jit.store32(calleePayloadGPR, callFramePayloadSlot(RegisterFile::Callee));
+    m_jit.store32(calleeTagGPR, callFrameTagSlot(RegisterFile::Callee));
+
+    for (int i = 0; i < numPassedArgs; i++) {
+        NodeIndex argNodeIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 1 + i];
         JSValueOperand arg(this, argNodeIndex);
         GPRReg argTagGPR = arg.tagGPR();
@@ -1289 +1276 @@
         use(argNodeIndex);
 
-        m_jit.store32(argTagGPR, tagOfCallData(-callDataSize + argIdx + dummyThisArgument));
-        m_jit.store32(argPayloadGPR, payloadOfCallData(-callDataSize + argIdx + dummyThisArgument));
-    }
-
-    m_jit.store32(calleeTagGPR, tagOfCallData(RegisterFile::Callee));
-    m_jit.store32(calleePayloadGPR, payloadOfCallData(RegisterFile::Callee));
+        m_jit.store32(argTagGPR, argumentTagSlot(i + dummyThisArgument));
+        m_jit.store32(argPayloadGPR, argumentPayloadSlot(i + dummyThisArgument));
+    }
 
     flushRegisters();
@@ -1309 +1293 @@
     slowPath.append(m_jit.branch32(MacroAssembler::NotEqual, calleeTagGPR, TrustedImm32(JSValue::CellTag)));
     m_jit.loadPtr(MacroAssembler::Address(calleePayloadGPR, OBJECT_OFFSETOF(JSFunction, m_scopeChain)), resultPayloadGPR);
-    m_jit.storePtr(resultPayloadGPR, payloadOfCallData(RegisterFile::ScopeChain));
-    m_jit.store32(MacroAssembler::TrustedImm32(JSValue::CellTag), tagOfCallData(RegisterFile::ScopeChain));
+    m_jit.storePtr(resultPayloadGPR, callFramePayloadSlot(RegisterFile::ScopeChain));
+    m_jit.store32(MacroAssembler::TrustedImm32(JSValue::CellTag), callFrameTagSlot(RegisterFile::ScopeChain));
 
     m_jit.addPtr(Imm32(m_jit.codeBlock()->m_numCalleeRegisters * sizeof(Register)), GPRInfo::callFrameRegister);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -1218 +1218 @@
     use(calleeNodeIndex);
     
-    // the call instruction's first child is either the function (normal call) or the
+    // The call instruction's first child is either the function (normal call) or the
     // receiver (method call). subsequent children are the arguments.
-    int numArgs = node.numChildren() - 1;
-    
-    int numPassedArgs = numArgs + dummyThisArgument;
-    
-    // amount of stuff (in units of sizeof(Register)) that we need to place at the
-    // top of the JS stack.
-    int callDataSize = 0;
-
-    // first there are the arguments
-    callDataSize += numPassedArgs;
-    
-    // and then there is the call frame header
-    callDataSize += RegisterFile::CallFrameHeaderSize;
-    
-    m_jit.storePtr(MacroAssembler::TrustedImmPtr(JSValue::encode(jsNumber(numPassedArgs))), addressOfCallData(RegisterFile::ArgumentCount));
-    m_jit.storePtr(GPRInfo::callFrameRegister, addressOfCallData(RegisterFile::CallerFrame));
-    
-    for (int argIdx = 0; argIdx < numArgs; argIdx++) {
-        NodeIndex argNodeIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 1 + argIdx];
+    int numPassedArgs = node.numChildren() - 1;
+    
+    m_jit.storePtr(MacroAssembler::TrustedImmPtr(JSValue::encode(jsNumber(numPassedArgs + dummyThisArgument))), callFrameSlot(RegisterFile::ArgumentCount));
+    m_jit.storePtr(GPRInfo::callFrameRegister, callFrameSlot(RegisterFile::CallerFrame));
+    m_jit.storePtr(calleeGPR, callFrameSlot(RegisterFile::Callee));
+    
+    for (int i = 0; i < numPassedArgs; i++) {
+        NodeIndex argNodeIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 1 + i];
         JSValueOperand arg(this, argNodeIndex);
         GPRReg argGPR = arg.gpr();
         use(argNodeIndex);
         
-        m_jit.storePtr(argGPR, addressOfCallData(-callDataSize + argIdx + dummyThisArgument));
-    }
-    
-    m_jit.storePtr(calleeGPR, addressOfCallData(RegisterFile::Callee));
-    
+        m_jit.storePtr(argGPR, argumentSlot(i + dummyThisArgument));
+    }
+
     flushRegisters();
-    
+
     GPRResult result(this);
     GPRReg resultGPR = result.gpr();
@@ -1255 +1242 @@
     JITCompiler::DataLabelPtr targetToCheck;
     JITCompiler::Jump slowPath;
-    
+
     slowPath = m_jit.branchPtrWithPatch(MacroAssembler::NotEqual, calleeGPR, targetToCheck, MacroAssembler::TrustedImmPtr(JSValue::encode(JSValue())));
     m_jit.loadPtr(MacroAssembler::Address(calleeGPR, OBJECT_OFFSETOF(JSFunction, m_scopeChain)), resultGPR);
-    m_jit.storePtr(resultGPR, addressOfCallData(RegisterFile::ScopeChain));
+    m_jit.storePtr(resultGPR, callFrameSlot(RegisterFile::ScopeChain));
 
     m_jit.addPtr(Imm32(m_jit.codeBlock()->m_numCalleeRegisters * sizeof(Register)), GPRInfo::callFrameRegister);

trunk/Source/JavaScriptCore/interpreter/CallFrame.h

@@ -144 +144 @@
 
         // Access to arguments.
-        int hostThisRegister() { return -RegisterFile::CallFrameHeaderSize - argumentCountIncludingThis(); }
-        JSValue hostThisValue() { return this[hostThisRegister()].jsValue(); }
         size_t argumentCount() const { return argumentCountIncludingThis() - 1; }
         size_t argumentCountIncludingThis() const { return this[RegisterFile::ArgumentCount].i(); }
-        JSValue argument(int argumentNumber)
-        {
-            int argumentIndex = -RegisterFile::CallFrameHeaderSize - this[RegisterFile::ArgumentCount].i() + argumentNumber + 1;
-            if (argumentIndex >= -RegisterFile::CallFrameHeaderSize)
-                return jsUndefined();
-            return this[argumentIndex].jsValue();
-        }
+        static int argumentOffset(size_t argument) { return s_firstArgumentOffset - argument; }
+        static int argumentOffsetIncludingThis(size_t argument) { return s_thisArgumentOffset - argument; }
+
+        JSValue argument(size_t argument)
+        {
+            if (argument >= argumentCount())
+                 return jsUndefined();
+            return this[argumentOffset(argument)].jsValue();
+        }
+        void setArgument(size_t argument, JSValue value)
+        {
+            this[argumentOffset(argument)] = value;
+        }
+
+        static int thisArgumentOffset() { return argumentOffsetIncludingThis(0); }
+        JSValue thisValue() { return this[thisArgumentOffset()].jsValue(); }
+        void setThisValue(JSValue value) { this[thisArgumentOffset()] = value; }
+
+        static int offsetFor(size_t argumentCountIncludingThis) { return argumentCountIncludingThis + RegisterFile::CallFrameHeaderSize; }
+
+        // FIXME: Remove these.
+        int hostThisRegister() { return thisArgumentOffset(); }
+        JSValue hostThisValue() { return thisValue(); }
 
         static CallFrame* noCaller() { return reinterpret_cast<CallFrame*>(HostCallFrameFlag); }
@@ -183 +197 @@
     private:
         static const intptr_t HostCallFrameFlag = 1;
+        static const int s_thisArgumentOffset = -1 - RegisterFile::CallFrameHeaderSize;
+        static const int s_firstArgumentOffset = s_thisArgumentOffset - 1;
+
 #ifndef NDEBUG
         RegisterFile* registerFile();

trunk/Source/JavaScriptCore/interpreter/CallFrameClosure.h

@@ -42 +42 @@
     void setThis(JSValue value)
     {
-        newCallFrame[-RegisterFile::CallFrameHeaderSize - parameterCountIncludingThis] = value;
-        if (argumentCountIncludingThis > parameterCountIncludingThis)
-            newCallFrame[-RegisterFile::CallFrameHeaderSize - parameterCountIncludingThis - argumentCountIncludingThis] = value;
+        newCallFrame->setThisValue(value);
     }
 
     void setArgument(int argument, JSValue value)
     {
-        if (argument + 1 < parameterCountIncludingThis)
-            newCallFrame[argument + 1 - RegisterFile::CallFrameHeaderSize - parameterCountIncludingThis] = value;
-
-        if (argumentCountIncludingThis > parameterCountIncludingThis)
-            newCallFrame[argument + 1 - RegisterFile::CallFrameHeaderSize - parameterCountIncludingThis - argumentCountIncludingThis] = value;
+        newCallFrame->setArgument(argument, value);
     }
 
@@ -60 +54 @@
         newCallFrame->setScopeChain(scopeChain);
         for (int i = argumentCountIncludingThis; i < parameterCountIncludingThis; ++i)
-            newCallFrame[i - RegisterFile::CallFrameHeaderSize - parameterCountIncludingThis] = jsUndefined();
+            newCallFrame->setArgument(i, jsUndefined());
     }
 };

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -368 +368 @@
 #endif // ENABLE(INTERPRETER)
 
-ALWAYS_INLINE CallFrame* Interpreter::slideRegisterWindowForCall(CodeBlock* newCodeBlock, RegisterFile* registerFile, CallFrame* callFrame, size_t registerOffset, int argc)
+ALWAYS_INLINE CallFrame* Interpreter::slideRegisterWindowForCall(CodeBlock* newCodeBlock, RegisterFile* registerFile, CallFrame* callFrame, size_t registerOffset, int argumentCountIncludingThis)
 {
-    Register* r = callFrame->registers();
-    Register* newEnd = r + registerOffset + newCodeBlock->m_numCalleeRegisters;
-
-    if (LIKELY(argc == newCodeBlock->m_numParameters)) { // correct number of arguments
-        if (UNLIKELY(!registerFile->grow(newEnd)))
-            return 0;
-        r += registerOffset;
-    } else if (argc < newCodeBlock->m_numParameters) { // too few arguments -- fill in the blanks
-        size_t omittedArgCount = newCodeBlock->m_numParameters - argc;
-        registerOffset += omittedArgCount;
-        newEnd += omittedArgCount;
-        if (!registerFile->grow(newEnd))
-            return 0;
-        r += registerOffset;
-
-        Register* argv = r - RegisterFile::CallFrameHeaderSize - omittedArgCount;
-        for (size_t i = 0; i < omittedArgCount; ++i)
-            argv[i] = jsUndefined();
-    } else { // too many arguments -- copy expected arguments, leaving the extra arguments behind
-        size_t numParameters = newCodeBlock->m_numParameters;
-        registerOffset += numParameters;
-        newEnd += numParameters;
-
-        if (!registerFile->grow(newEnd))
-            return 0;
-        r += registerOffset;
-
-        Register* argv = r - RegisterFile::CallFrameHeaderSize - numParameters - argc;
-        for (size_t i = 0; i < numParameters; ++i)
-            argv[i + argc] = argv[i];
-    }
-
-    return CallFrame::create(r);
+    // This ensures enough space for the worst case scenario of zero arguments passed by the caller.
+    if (!registerFile->grow(callFrame->registers() + registerOffset + newCodeBlock->m_numParameters + newCodeBlock->m_numCalleeRegisters))
+        return 0;
+
+    if (argumentCountIncludingThis >= newCodeBlock->m_numParameters) {
+        Register* newCallFrame = callFrame->registers() + registerOffset;
+        return CallFrame::create(newCallFrame);
+    }
+
+    // Too few arguments -- copy arguments, then fill in missing arguments with undefined.
+    size_t delta = newCodeBlock->m_numParameters - argumentCountIncludingThis;
+    CallFrame* newCallFrame = CallFrame::create(callFrame->registers() + registerOffset + delta);
+
+    Register* dst = &newCallFrame->uncheckedR(CallFrame::thisArgumentOffset());
+    Register* end = dst - argumentCountIncludingThis;
+    for ( ; dst != end; --dst)
+        *dst = *(dst - delta);
+
+    end -= delta;
+    for ( ; dst != end; --dst)
+        *dst = jsUndefined();
+
+    return newCallFrame;
 }
 
@@ -464 +454 @@
     }
 
-    JSValue thisValue = callerFrame->uncheckedR(callerCodeBlock->thisRegister()).jsValue();
+    JSValue thisValue = callerFrame->thisValue();
     ASSERT(isValidThisObject(thisValue, callFrame));
     Interpreter* interpreter = callFrame->globalData().interpreter;
@@ -480 +470 @@
         }
 
-        unsigned parameterCount = callFrame->codeBlock()->m_numParameters;
-        Register* src = callFrame->registers() - RegisterFile::CallFrameHeaderSize - parameterCount;
-        if (argumentCountIncludingThis > parameterCount)
-            src -= argumentCountIncludingThis;
-        Register* dst = callFrame->registers() + firstFreeRegister;
-        dst[0] = thisValue;
-        for (unsigned i = 1; i < argumentCountIncludingThis; ++i)
-            dst[i] = src[i];
-
         newCallFrame->setArgumentCountIncludingThis(argumentCountIncludingThis);
+        newCallFrame->setThisValue(thisValue);
+        for (size_t i = 0; i < callFrame->argumentCount(); ++i)
+            newCallFrame->setArgument(i, callFrame->argument(i));
         return newCallFrame;
     }
@@ -499 +483 @@
             return 0;
         }
-        Register* dst = callFrame->registers() + firstFreeRegister;
-        dst[0] = thisValue;
-
         newCallFrame->setArgumentCountIncludingThis(1);
+        newCallFrame->setThisValue(thisValue);
         return newCallFrame;
     }
@@ -519 +501 @@
             return 0;
         }
-        Register* dst = callFrame->registers() + firstFreeRegister;
-        dst[0] = thisValue;
-        argsObject->copyToRegisters(callFrame, &dst[1], argCount);
-
         newCallFrame->setArgumentCountIncludingThis(argCount + 1);
+        newCallFrame->setThisValue(thisValue);
+        argsObject->copyToArguments(callFrame, newCallFrame, argCount);
         return newCallFrame;
     }
@@ -535 +515 @@
             return 0;
         }
-        Register* dst = callFrame->registers() + firstFreeRegister;
-        dst[0] = thisValue;
-        array->copyToRegisters(callFrame, &dst[1], argCount);
-
         newCallFrame->setArgumentCountIncludingThis(argCount + 1);
+        newCallFrame->setThisValue(thisValue);
+        array->copyToArguments(callFrame, newCallFrame, argCount);
         return newCallFrame;
     }
@@ -550 +528 @@
         return 0;
     }
-    Register* dst = callFrame->registers() + firstFreeRegister;
-    dst[0] = thisValue;
-    for (unsigned i = 0; i < argCount; ++i) {
-        dst[i + 1] = asObject(arguments)->get(callFrame, i);
+    newCallFrame->setArgumentCountIncludingThis(argCount + 1);
+    newCallFrame->setThisValue(thisValue);
+    for (size_t i = 0; i < argCount; ++i) {
+        newCallFrame->setArgument(i, asObject(arguments)->get(callFrame, i));
         if (UNLIKELY(callFrame->globalData().exception))
             return 0;
     }
-
-    newCallFrame->setArgumentCountIncludingThis(argCount + 1);
     return newCallFrame;
 }
@@ -701 +677 @@
     } else if (oldCodeBlock->usesArguments() && !oldCodeBlock->isStrictMode()) {
         if (JSValue arguments = callFrame->uncheckedR(unmodifiedArgumentsRegister(oldCodeBlock->argumentsRegister())).jsValue())
-            asArguments(arguments)->tearOff(callFrame->globalData());
+            asArguments(arguments)->tearOff(callFrame);
     }
 
@@ -986 +962 @@
     ASSERT(codeBlock->m_numParameters == 1); // 1 parameter for 'this'.
     newCallFrame->init(codeBlock, 0, scopeChain, CallFrame::noCaller(), codeBlock->m_numParameters, 0);
-    newCallFrame->uncheckedR(newCallFrame->hostThisRegister()) = JSValue(thisObj);
+    newCallFrame->setThisValue(thisObj);
     TopCallFrameSetter topCallFrame(callFrame->globalData(), newCallFrame);
 
@@ -1031 +1007 @@
     size_t registerOffset = argCount + RegisterFile::CallFrameHeaderSize;
 
-    if (!m_registerFile.grow(oldEnd + registerOffset))
+    CallFrame* newCallFrame = CallFrame::create(oldEnd + registerOffset);
+    if (!m_registerFile.grow(newCallFrame->registers()))
         return checkedReturn(throwStackOverflowError(callFrame));
 
-    CallFrame* newCallFrame = CallFrame::create(oldEnd);
-    size_t dst = 0;
-    newCallFrame->uncheckedR(0) = thisValue;
+    newCallFrame->setThisValue(thisValue);
     for (size_t i = 0; i < args.size(); ++i)
-        newCallFrame->uncheckedR(++dst) = args.at(i);
+        newCallFrame->setArgument(i, args.at(i));
 
     if (callType == CallTypeJS) {
@@ -1052 +1027 @@
 
         CodeBlock* newCodeBlock = &callData.js.functionExecutable->generatedBytecodeForCall();
-        newCallFrame = slideRegisterWindowForCall(newCodeBlock, &m_registerFile, newCallFrame, registerOffset, argCount);
+        newCallFrame = slideRegisterWindowForCall(newCodeBlock, &m_registerFile, newCallFrame, 0, argCount);
         if (UNLIKELY(!newCallFrame)) {
             m_registerFile.shrink(oldEnd);
@@ -1089 +1064 @@
     ASSERT(callType == CallTypeHost);
     ScopeChainNode* scopeChain = callFrame->scopeChain();
-    newCallFrame = CallFrame::create(newCallFrame->registers() + registerOffset);
     newCallFrame->init(0, 0, scopeChain, callFrame->addHostCallFrameFlag(), argCount, function);
 
@@ -1132 +1106 @@
         return checkedReturn(throwStackOverflowError(callFrame));
 
-    CallFrame* newCallFrame = CallFrame::create(oldEnd);
-    size_t dst = 0;
+    CallFrame* newCallFrame = CallFrame::create(oldEnd + registerOffset);
+    newCallFrame->setThisValue(jsUndefined());
     for (size_t i = 0; i < args.size(); ++i)
-        newCallFrame->uncheckedR(++dst) = args.at(i);
+        newCallFrame->setArgument(i, args.at(i));
 
     if (constructType == ConstructTypeJS) {
@@ -1149 +1123 @@
 
         CodeBlock* newCodeBlock = &constructData.js.functionExecutable->generatedBytecodeForConstruct();
-        newCallFrame = slideRegisterWindowForCall(newCodeBlock, &m_registerFile, newCallFrame, registerOffset, argCount);
+        newCallFrame = slideRegisterWindowForCall(newCodeBlock, &m_registerFile, newCallFrame, 0, argCount);
         if (UNLIKELY(!newCallFrame)) {
             m_registerFile.shrink(oldEnd);
@@ -1189 +1163 @@
     ASSERT(constructType == ConstructTypeHost);
     ScopeChainNode* scopeChain = callFrame->scopeChain();
-    newCallFrame = CallFrame::create(newCallFrame->registers() + registerOffset);
     newCallFrame->init(0, 0, scopeChain, callFrame->addHostCallFrameFlag(), argCount, constructor);
 
@@ -1220 +1193 @@
     ASSERT(!scopeChain->globalData->exception);
     
-    if (m_reentryDepth >= MaxSmallThreadReentryDepth) {
-        if (m_reentryDepth >= callFrame->globalData().maxReentryDepth) {
-            throwStackOverflowError(callFrame);
-            return CallFrameClosure();
-        }
-    }
-    
-    Register* oldEnd = m_registerFile.end();
-    if (!m_registerFile.grow(oldEnd + argumentCountIncludingThis)) {
+    if (callFrame->globalData().isCollectorBusy())
+        return CallFrameClosure();
+
+    if (m_reentryDepth >= MaxSmallThreadReentryDepth && m_reentryDepth >= callFrame->globalData().maxReentryDepth) {
         throwStackOverflowError(callFrame);
         return CallFrameClosure();
     }
 
-    CallFrame* newCallFrame = CallFrame::create(oldEnd);
-    // We initialise |this| unnecessarily here for the sake of code clarity
-    size_t dst = 0;
-    for (int i = 0; i < argumentCountIncludingThis; ++i)
-        newCallFrame->uncheckedR(dst++) = jsUndefined();
-    
+    Register* oldEnd = m_registerFile.end();
+    size_t registerOffset = argumentCountIncludingThis + RegisterFile::CallFrameHeaderSize;
+
+    CallFrame* newCallFrame = CallFrame::create(oldEnd + registerOffset);
+    if (!m_registerFile.grow(newCallFrame->registers())) {
+        throwStackOverflowError(callFrame);
+        return CallFrameClosure();
+    }
+
     JSObject* error = functionExecutable->compileForCall(callFrame, scopeChain);
     if (error) {
@@ -1247 +1218 @@
     CodeBlock* codeBlock = &functionExecutable->generatedBytecodeForCall();
 
-    newCallFrame = slideRegisterWindowForCall(codeBlock, &m_registerFile, newCallFrame, argumentCountIncludingThis + RegisterFile::CallFrameHeaderSize, argumentCountIncludingThis);
+    newCallFrame = slideRegisterWindowForCall(codeBlock, &m_registerFile, newCallFrame, 0, argumentCountIncludingThis);
     if (UNLIKELY(!newCallFrame)) {
         throwStackOverflowError(callFrame);
@@ -1368 +1339 @@
     ASSERT(codeBlock->m_numParameters == 1); // 1 parameter for 'this'.
     newCallFrame->init(codeBlock, 0, scopeChain, callFrame->addHostCallFrameFlag(), codeBlock->m_numParameters, 0);
-    newCallFrame->uncheckedR(newCallFrame->hostThisRegister()) = thisValue;
+    newCallFrame->setThisValue(thisValue);
 
     TopCallFrameSetter topCallFrame(callFrame->globalData(), newCallFrame);
@@ -3511 +3482 @@
         JSValue subscript = callFrame->r(property).jsValue();
         if (!arguments && subscript.isUInt32() && subscript.asUInt32() < callFrame->argumentCount()) {
-            unsigned arg = subscript.asUInt32() + 1;
-            unsigned numParameters = callFrame->codeBlock()->m_numParameters;
-            if (arg < numParameters)
-                callFrame->uncheckedR(dst) = callFrame->r(arg - RegisterFile::CallFrameHeaderSize - numParameters);
-            else
-                callFrame->uncheckedR(dst) = callFrame->r(arg - RegisterFile::CallFrameHeaderSize - numParameters - callFrame->argumentCount() - 1);
+            callFrame->uncheckedR(dst) = callFrame->argument(subscript.asUInt32());
             vPC += OPCODE_LENGTH(op_get_argument_by_val);
             NEXT_INSTRUCTION();
@@ -4326 +4292 @@
             ScopeChainNode* scopeChain = callFrame->scopeChain();
             CallFrame* newCallFrame = CallFrame::create(callFrame->registers() + registerOffset);
-            if (!registerFile->grow(newCallFrame->registers())) {
-                exceptionValue = createStackOverflowError(callFrame);
-                goto vm_throw;
-            }
-
             newCallFrame->init(0, vPC + OPCODE_LENGTH(op_call), scopeChain, callFrame, argCount, asObject(v));
             JSValue returnValue;
@@ -4453 +4414 @@
         } else if (JSValue argumentsValue = callFrame->r(unmodifiedArgumentsRegister(arguments)).jsValue()) {
             if (!codeBlock->isStrictMode())
-                asArguments(argumentsValue)->tearOff(*globalData);
+                asArguments(argumentsValue)->tearOff(callFrame);
         }
 
@@ -4475 +4436 @@
 
         if (JSValue arguments = callFrame->r(unmodifiedArgumentsRegister(src1)).jsValue())
-            asArguments(arguments)->tearOff(*globalData);
+            asArguments(arguments)->tearOff(callFrame);
 
         vPC += OPCODE_LENGTH(op_tear_off_arguments);
@@ -4728 +4689 @@
             ScopeChainNode* scopeChain = callFrame->scopeChain();
             CallFrame* newCallFrame = CallFrame::create(callFrame->registers() + registerOffset);
-            if (!registerFile->grow(newCallFrame->registers())) {
-                exceptionValue = createStackOverflowError(callFrame);
-                goto vm_throw;
-            }
             newCallFrame->init(0, vPC + OPCODE_LENGTH(op_construct), scopeChain, callFrame, argCount, asObject(v));
 
@@ -5136 +5093 @@
     }
 
-    return Arguments::createAndTearOff(functionCallFrame->globalData(), functionCallFrame);
+    Arguments* arguments = Arguments::create(functionCallFrame->globalData(), functionCallFrame);
+    arguments->tearOff(functionCallFrame);
+    return JSValue(arguments);
 }
 

trunk/Source/JavaScriptCore/interpreter/Interpreter.h

@@ -84 +84 @@
     // We use a smaller reentrancy limit on iPhone because of the high amount of
     // stack space required on the web thread.
-    enum { MaxLargeThreadReentryDepth = 93, MaxSmallThreadReentryDepth = 32 };
+    enum { MaxLargeThreadReentryDepth = 93, MaxSmallThreadReentryDepth = 16 };
 #else
-    enum { MaxLargeThreadReentryDepth = 256, MaxSmallThreadReentryDepth = 32 };
+    enum { MaxLargeThreadReentryDepth = 256, MaxSmallThreadReentryDepth = 16 };
 #endif // PLATFORM(IOS)
 

trunk/Source/JavaScriptCore/interpreter/RegisterFile.h

@@ -54 +54 @@
             CodeBlock = -1,
         };
-
-        enum { ProgramCodeThisRegister = -CallFrameHeaderSize - 1 };
 
         static const size_t defaultCapacity = 512 * 1024;

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -558 +558 @@
         ASSERT(m_bytecodeOffset == (unsigned)-1);
         if (shouldEmitProfiling()) {
-            for (int argumentRegister = -RegisterFile::CallFrameHeaderSize - m_codeBlock->m_numParameters; argumentRegister < -RegisterFile::CallFrameHeaderSize; ++argumentRegister) {
+            for (int argument = 0; argument < m_codeBlock->m_numParameters; ++argument) {
                 // If this is a constructor, then we want to put in a dummy profiling site (to
                 // keep things consistent) but we don't actually want to record the dummy value.
-                if (m_codeBlock->m_isConstructor
-                    && argumentRegister == -RegisterFile::CallFrameHeaderSize - m_codeBlock->m_numParameters)
+                if (m_codeBlock->m_isConstructor && !argument)
                     m_codeBlock->addValueProfile(-1);
                 else {
+                    int offset = CallFrame::argumentOffsetIncludingThis(argument) * static_cast<int>(sizeof(Register));
 #if USE(JSVALUE64)
-                    loadPtr(Address(callFrameRegister, argumentRegister * sizeof(Register)), regT0);
+                    loadPtr(Address(callFrameRegister, offset), regT0);
 #elif USE(JSVALUE32_64)
-                    load32(Address(callFrameRegister, argumentRegister * sizeof(Register) + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT0);
-                    load32(Address(callFrameRegister, argumentRegister * sizeof(Register) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), regT1);
+                    load32(Address(callFrameRegister, offset + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT0);
+                    load32(Address(callFrameRegister, offset + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), regT1);
 #endif
                     emitValueProfilingSite(FirstProfilingSite);
@@ -608 +608 @@
 
         load32(Address(callFrameRegister, RegisterFile::ArgumentCount * static_cast<int>(sizeof(Register))), regT1);
-        branch32(Equal, regT1, TrustedImm32(m_codeBlock->m_numParameters)).linkTo(beginLabel, this);
+        branch32(AboveOrEqual, regT1, TrustedImm32(m_codeBlock->m_numParameters)).linkTo(beginLabel, this);
 
         JITStubCall(this, m_codeBlock->m_isConstructor ? cti_op_construct_arityCheck : cti_op_call_arityCheck).call(callFrameRegister);

trunk/Source/JavaScriptCore/jit/JITCall.cpp

@@ -65 +65 @@
     JumpList slowCase;
     JumpList end;
-    if (m_codeBlock->usesArguments()
-        && arguments == m_codeBlock->argumentsRegister()
-        && m_codeBlock->m_numParameters == 1) {
+    if (m_codeBlock->usesArguments() && arguments == m_codeBlock->argumentsRegister()) {
         emitGetVirtualRegister(arguments, regT0);
         slowCase.append(branchPtr(NotEqual, regT0, TrustedImmPtr(JSValue::encode(JSValue()))));
@@ -87 +85 @@
         storePtr(regT2, Address(regT1, RegisterFile::ArgumentCount * static_cast<int>(sizeof(Register))));
 
-        // Initialize 'this' and copy arguments.
+        // Initialize 'this'.
+        emitGetVirtualRegister(thisValue, regT2);
+        storePtr(regT2, Address(regT1, CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register))));
+
+        // Copy arguments.
         neg32(regT0);
         signExtend32ToPtr(regT0, regT0);
-        emitGetVirtualRegister(thisValue, regT2);
-        storePtr(regT2, BaseIndex(regT1, regT0, TimesEight, -(RegisterFile::CallFrameHeaderSize * static_cast<int>(sizeof(Register)))));
         end.append(branchAddPtr(Zero, Imm32(1), regT0));
+        // regT0: -argumentCount
 
         Label copyLoop = label();
-        loadPtr(BaseIndex(callFrameRegister, regT0, TimesEight, -((RegisterFile::CallFrameHeaderSize + 1) * static_cast<int>(sizeof(Register)))), regT2);
-        storePtr(regT2, BaseIndex(regT1, regT0, TimesEight, -(RegisterFile::CallFrameHeaderSize * static_cast<int>(sizeof(Register)))));
+        loadPtr(BaseIndex(callFrameRegister, regT0, TimesEight, CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register))), regT2);
+        storePtr(regT2, BaseIndex(regT1, regT0, TimesEight, CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register))));
         branchAddPtr(NonZero, Imm32(1), regT0).linkTo(copyLoop, this);
 
@@ -102 +103 @@
     }
 
-    if (m_codeBlock->m_numParameters == 1)
+    if (m_codeBlock->usesArguments() && arguments == m_codeBlock->argumentsRegister())
         slowCase.link(this);
 
@@ -111 +112 @@
     stubCall.call(regT1);
 
-    if (m_codeBlock->m_numParameters == 1)
+    if (m_codeBlock->usesArguments() && arguments == m_codeBlock->argumentsRegister())
         end.link(this);
 }

trunk/Source/JavaScriptCore/jit/JITCall32_64.cpp

@@ -146 +146 @@
     JumpList slowCase;
     JumpList end;
-    if (m_codeBlock->usesArguments()
-        && arguments == m_codeBlock->argumentsRegister()
-        && m_codeBlock->m_numParameters == 1) {
+    if (m_codeBlock->usesArguments() && arguments == m_codeBlock->argumentsRegister()) {
         emitLoadTag(arguments, regT1);
         slowCase.append(branch32(NotEqual, regT1, TrustedImm32(JSValue::EmptyValueTag)));
@@ -168 +166 @@
         store32(regT2, payloadFor(RegisterFile::ArgumentCount, regT3));
 
-        // Initialize 'this' and copy arguments.
+        // Initialize 'this'.
+        emitLoad(thisValue, regT1, regT0);
+        store32(regT0, Address(regT3, OBJECT_OFFSETOF(JSValue, u.asBits.payload) + (CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register)))));
+        store32(regT1, Address(regT3, OBJECT_OFFSETOF(JSValue, u.asBits.tag) + (CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register)))));
+
+        // Copy arguments.
         neg32(regT2);
-        emitLoad(thisValue, regT1, regT0);
-        store32(regT0, BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload) -(RegisterFile::CallFrameHeaderSize * static_cast<int>(sizeof(Register)))));
-        store32(regT1, BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag) -(RegisterFile::CallFrameHeaderSize * static_cast<int>(sizeof(Register)))));
         end.append(branchAdd32(Zero, Imm32(1), regT2));
+        // regT2: -argumentCount;
 
         Label copyLoop = label();
-        load32(BaseIndex(callFrameRegister, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload) -((RegisterFile::CallFrameHeaderSize + 1) * static_cast<int>(sizeof(Register)))), regT0);
-        load32(BaseIndex(callFrameRegister, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag) -((RegisterFile::CallFrameHeaderSize + 1) * static_cast<int>(sizeof(Register)))), regT1);
-        store32(regT0, BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload) -(RegisterFile::CallFrameHeaderSize * static_cast<int>(sizeof(Register)))));
-        store32(regT1, BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag) -(RegisterFile::CallFrameHeaderSize * static_cast<int>(sizeof(Register)))));
+        load32(BaseIndex(callFrameRegister, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload) +(CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register)))), regT0);
+        load32(BaseIndex(callFrameRegister, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag) +(CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register)))), regT1);
+        store32(regT0, BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload) +(CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register)))));
+        store32(regT1, BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag) +(CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register)))));
         branchAdd32(NonZero, Imm32(1), regT2).linkTo(copyLoop, this);
 
@@ -185 +186 @@
     }
 
-    if (m_codeBlock->m_numParameters == 1)
+    if (m_codeBlock->usesArguments() && arguments == m_codeBlock->argumentsRegister())
         slowCase.link(this);
 
@@ -194 +195 @@
     stubCall.call(regT3);
 
-    if (m_codeBlock->m_numParameters == 1)
+    if (m_codeBlock->usesArguments() && arguments == m_codeBlock->argumentsRegister())
         end.link(this);
 }

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -1185 +1185 @@
 
     Jump argsCreated = branchTestPtr(NonZero, Address(callFrameRegister, sizeof(Register) * dst));
-    if (m_codeBlock->m_numParameters == 1)
-        JITStubCall(this, cti_op_create_arguments_no_params).call();
-    else
-        JITStubCall(this, cti_op_create_arguments).call();
+    JITStubCall(this, cti_op_create_arguments).call();
     emitPutVirtualRegister(dst);
     emitPutVirtualRegister(unmodifiedArgumentsRegister(dst));
@@ -1492 +1489 @@
     emitGetFromCallFrameHeader32(RegisterFile::ArgumentCount, regT2);
     addSlowCase(branch32(AboveOrEqual, regT1, regT2));
-    
-    Jump skipOutofLineParams;
-    int numArgs = m_codeBlock->m_numParameters;
-    if (numArgs) {
-        Jump notInInPlaceArgs = branch32(AboveOrEqual, regT1, Imm32(numArgs));
-        addPtr(Imm32(static_cast<unsigned>(-(RegisterFile::CallFrameHeaderSize + numArgs) * sizeof(Register))), callFrameRegister, regT0);
-        loadPtr(BaseIndex(regT0, regT1, TimesEight, 0), regT0);
-        skipOutofLineParams = jump();
-        notInInPlaceArgs.link(this);
-    }
-    
-    addPtr(Imm32(static_cast<unsigned>(-(RegisterFile::CallFrameHeaderSize + numArgs) * sizeof(Register))), callFrameRegister, regT0);
-    mul32(TrustedImm32(sizeof(Register)), regT2, regT2);
-    subPtr(regT2, regT0);
-    loadPtr(BaseIndex(regT0, regT1, TimesEight, 0), regT0);
-    if (numArgs)
-        skipOutofLineParams.link(this);
+
+    neg32(regT1);
+    signExtend32ToPtr(regT1, regT1);
+    loadPtr(BaseIndex(callFrameRegister, regT1, TimesEight, CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register))), regT0);
     emitPutVirtualRegister(dst, regT0);
 }
@@ -1523 +1507 @@
     linkSlowCase(iter);
     linkSlowCase(iter);
-    if (m_codeBlock->m_numParameters == 1)
-        JITStubCall(this, cti_op_create_arguments_no_params).call();
-    else
-        JITStubCall(this, cti_op_create_arguments).call();
+    JITStubCall(this, cti_op_create_arguments).call();
     emitPutVirtualRegister(arguments);
     emitPutVirtualRegister(unmodifiedArgumentsRegister(arguments));

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -1463 +1463 @@
     Jump argsCreated = branch32(NotEqual, tagFor(dst), TrustedImm32(JSValue::EmptyValueTag));
 
-    if (m_codeBlock->m_numParameters == 1)
-        JITStubCall(this, cti_op_create_arguments_no_params).call();
-    else
-        JITStubCall(this, cti_op_create_arguments).call();
-
+    JITStubCall(this, cti_op_create_arguments).call();
     emitStore(dst, regT1, regT0);
     emitStore(unmodifiedArgumentsRegister(dst), regT1, regT0);
@@ -1611 +1607 @@
     addSlowCase(branch32(AboveOrEqual, regT2, regT3));
     
-    Jump skipOutofLineParams;
-    int numArgs = m_codeBlock->m_numParameters;
-    if (numArgs) {
-        Jump notInInPlaceArgs = branch32(AboveOrEqual, regT2, Imm32(numArgs));
-        addPtr(Imm32(static_cast<unsigned>(-(RegisterFile::CallFrameHeaderSize + numArgs) * sizeof(Register))), callFrameRegister, regT1);
-        loadPtr(BaseIndex(regT1, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT0);
-        loadPtr(BaseIndex(regT1, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag)), regT1);
-        skipOutofLineParams = jump();
-        notInInPlaceArgs.link(this);
-    }
-
-    addPtr(Imm32(static_cast<unsigned>(-(RegisterFile::CallFrameHeaderSize + numArgs) * sizeof(Register))), callFrameRegister, regT1);
-    mul32(TrustedImm32(sizeof(Register)), regT3, regT3);
-    subPtr(regT3, regT1);
-    loadPtr(BaseIndex(regT1, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT0);
-    loadPtr(BaseIndex(regT1, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag)), regT1);
-    if (numArgs)
-        skipOutofLineParams.link(this);
+    neg32(regT2);
+    loadPtr(BaseIndex(callFrameRegister, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload) + CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register))), regT0);
+    loadPtr(BaseIndex(callFrameRegister, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag) + CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register))), regT1);
     emitStore(dst, regT1, regT0);
 }
@@ -1643 +1624 @@
     linkSlowCase(iter);
     linkSlowCase(iter);
-    if (m_codeBlock->m_numParameters == 1)
-        JITStubCall(this, cti_op_create_arguments_no_params).call();
-    else
-        JITStubCall(this, cti_op_create_arguments).call();
-    
+    JITStubCall(this, cti_op_create_arguments).call();
     emitStore(arguments, regT1, regT0);
     emitStore(unmodifiedArgumentsRegister(arguments), regT1, regT0);

trunk/Source/JavaScriptCore/jit/JITStubs.cpp

@@ -2202 +2202 @@
 }
 
+static size_t debugCount[5];
+struct DebugCounter {
+    ~DebugCounter()
+    {
+        for (size_t i = 0; i < 5; ++i)
+            fprintf(stderr, "DebugCounter[%ld]: %ld\n", i, debugCount[i]);
+    }
+    void count(int delta) { ++debugCount[std::min(4, delta)]; }
+};
+
+DebugCounter debugCounter;
+
 inline CallFrame* arityCheckFor(CallFrame* callFrame, RegisterFile* registerFile, CodeSpecializationKind kind)
 {
@@ -2207 +2219 @@
     ASSERT(!callee->isHostFunction());
     CodeBlock* newCodeBlock = &callee->jsExecutable()->generatedBytecodeFor(kind);
-    int argCount = callFrame->argumentCountIncludingThis();
-    ReturnAddressPtr pc = callFrame->returnPC();
-
-    ASSERT(argCount != newCodeBlock->m_numParameters);
-
-    CallFrame* oldCallFrame = callFrame->callerFrame();
-
-    Register* r;
-    if (argCount > newCodeBlock->m_numParameters) {
-        size_t numParameters = newCodeBlock->m_numParameters;
-        r = callFrame->registers() + numParameters;
-        Register* newEnd = r + newCodeBlock->m_numCalleeRegisters;
-        if (!registerFile->grow(newEnd))
-            return 0;
-
-        Register* argv = r - RegisterFile::CallFrameHeaderSize - numParameters - argCount;
-        for (size_t i = 0; i < numParameters; ++i)
-            argv[i + argCount] = argv[i];
-    } else {
-        size_t omittedArgCount = newCodeBlock->m_numParameters - argCount;
-        r = callFrame->registers() + omittedArgCount;
-        Register* newEnd = r + newCodeBlock->m_numCalleeRegisters;
-        if (!registerFile->grow(newEnd))
-            return 0;
-
-        Register* argv = r - RegisterFile::CallFrameHeaderSize - omittedArgCount;
-        for (size_t i = 0; i < omittedArgCount; ++i)
-            argv[i] = jsUndefined();
-    }
-
-    callFrame = CallFrame::create(r);
-    callFrame->setCallerFrame(oldCallFrame);
-    callFrame->setArgumentCountIncludingThis(argCount);
-    callFrame->setCallee(callee);
-    callFrame->setScopeChain(callee->scope());
-    callFrame->setReturnPC(pc.value());
-    callFrame->setCodeBlock(newCodeBlock);
-
-    ASSERT((void*)callFrame <= registerFile->end());
-    return callFrame;
+    int argumentCountIncludingThis = callFrame->argumentCountIncludingThis();
+
+    // This ensures enough space for the worst case scenario of zero arguments passed by the caller.
+    if (!registerFile->grow(callFrame->registers() + newCodeBlock->m_numParameters + newCodeBlock->m_numCalleeRegisters))
+        return 0;
+
+    ASSERT(argumentCountIncludingThis < newCodeBlock->m_numParameters);
+
+    debugCounter.count(newCodeBlock->m_numParameters - argumentCountIncludingThis);
+
+    // Too few arguments -- copy call frame and arguments, then fill in missing arguments with undefined.
+    size_t delta = newCodeBlock->m_numParameters - argumentCountIncludingThis;
+    Register* src = callFrame->registers();
+    Register* dst = callFrame->registers() + delta;
+
+    int i;
+    int end = -CallFrame::offsetFor(argumentCountIncludingThis);
+    for (i = -1; i >= end; --i)
+        dst[i] = src[i];
+
+    end -= delta;
+    for ( ; i >= end; --i)
+        dst[i] = jsUndefined();
+
+    CallFrame* newCallFrame = CallFrame::create(dst);
+    ASSERT((void*)newCallFrame <= registerFile->end());
+    return newCallFrame;
 }
 
@@ -2292 +2291 @@
             return 0;
         codeBlock = &functionExecutable->generatedBytecodeFor(kind);
-        if (callFrame->argumentCountIncludingThis() != static_cast<size_t>(codeBlock->m_numParameters)
+        if (callFrame->argumentCountIncludingThis() < static_cast<size_t>(codeBlock->m_numParameters)
             || callLinkInfo->callType == CallLinkInfo::CallVarargs)
             codePtr = functionExecutable->generatedJITCodeWithArityCheckFor(kind);
@@ -2376 +2375 @@
 }
 
-DEFINE_STUB_FUNCTION(EncodedJSValue, op_create_arguments_no_params)
-{
-    STUB_INIT_STACK_FRAME(stackFrame);
-
-    Arguments* arguments = Arguments::createNoParameters(*stackFrame.globalData, stackFrame.callFrame);
-    return JSValue::encode(JSValue(arguments));
-}
-
 DEFINE_STUB_FUNCTION(void, op_tear_off_activation)
 {
     STUB_INIT_STACK_FRAME(stackFrame);
 
-    ASSERT(stackFrame.callFrame->codeBlock()->needsFullScopeChain());
+    CallFrame* callFrame = stackFrame.callFrame;
+    ASSERT(callFrame->codeBlock()->needsFullScopeChain());
     JSValue activationValue = stackFrame.args[0].jsValue();
     if (!activationValue) {
         if (JSValue v = stackFrame.args[1].jsValue()) {
-            if (!stackFrame.callFrame->codeBlock()->isStrictMode())
-                asArguments(v)->tearOff(*stackFrame.globalData);
+            if (!callFrame->codeBlock()->isStrictMode())
+                asArguments(v)->tearOff(callFrame);
         }
         return;
@@ -2407 +2399 @@
     STUB_INIT_STACK_FRAME(stackFrame);
 
-    ASSERT(stackFrame.callFrame->codeBlock()->usesArguments() && !stackFrame.callFrame->codeBlock()->needsFullScopeChain());
-    asArguments(stackFrame.args[0].jsValue())->tearOff(*stackFrame.globalData);
+    CallFrame* callFrame = stackFrame.callFrame;
+    ASSERT(callFrame->codeBlock()->usesArguments() && !callFrame->codeBlock()->needsFullScopeChain());
+    asArguments(stackFrame.args[0].jsValue())->tearOff(callFrame);
 }
 

trunk/Source/JavaScriptCore/jit/JITStubs.h

@@ -327 +327 @@
     EncodedJSValue JIT_STUB cti_op_convert_this(STUB_ARGS_DECLARATION);
     EncodedJSValue JIT_STUB cti_op_create_arguments(STUB_ARGS_DECLARATION);
-    EncodedJSValue JIT_STUB cti_op_create_arguments_no_params(STUB_ARGS_DECLARATION);
     EncodedJSValue JIT_STUB cti_op_del_by_id(STUB_ARGS_DECLARATION);
     EncodedJSValue JIT_STUB cti_op_del_by_val(STUB_ARGS_DECLARATION);

trunk/Source/JavaScriptCore/jit/SpecializedThunkJIT.h

@@ -48 +48 @@
         void loadDoubleArgument(int argument, FPRegisterID dst, RegisterID scratch)
         {
-            unsigned src = argumentToVirtualRegister(argument);
+            unsigned src = CallFrame::argumentOffset(argument);
             m_failures.append(emitLoadDouble(src, dst, scratch));
         }
@@ -54 +54 @@
         void loadCellArgument(int argument, RegisterID dst)
         {
-            unsigned src = argumentToVirtualRegister(argument);
+            unsigned src = CallFrame::argumentOffset(argument);
             m_failures.append(emitLoadJSCell(src, dst));
         }
@@ -66 +66 @@
         void loadInt32Argument(int argument, RegisterID dst, Jump& failTarget)
         {
-            unsigned src = argumentToVirtualRegister(argument);
+            unsigned src = CallFrame::argumentOffset(argument);
             failTarget = emitLoadInt32(src, dst);
         }
@@ -150 +150 @@
 
     private:
-        int argumentToVirtualRegister(unsigned argument)
-        {
-            return -static_cast<int>(RegisterFile::CallFrameHeaderSize + (m_expectedArgCount - argument));
-        }
 
         void tagReturnAsInt32()

trunk/Source/JavaScriptCore/runtime/ArgList.cpp

@@ -33 +33 @@
 void ArgList::getSlice(int startIndex, ArgList& result) const
 {
-    if (startIndex <= 0 || static_cast<unsigned>(startIndex) >= m_argCount) {
+    if (startIndex <= 0 || startIndex >= m_argCount) {
         result = ArgList();
         return;
     }
 
-    result.m_args = m_args + startIndex;
+    result.m_args = m_args - startIndex;
     result.m_argCount =  m_argCount - startIndex;
 }
@@ -53 +53 @@
 void MarkedArgumentBuffer::slowAppend(JSValue v)
 {
+    int newCapacity = m_capacity * 4;
+    EncodedJSValue* newBuffer = &(new EncodedJSValue[newCapacity])[newCapacity - 1];
+    for (int i = 0; i < m_capacity; ++i)
+        newBuffer[-i] = m_buffer[-i];
+
+    if (m_capacity != inlineCapacity)
+        delete [] &m_buffer[-(m_capacity - 1)];
+
+    m_buffer = newBuffer;
+    m_capacity = newCapacity;
+
+    m_buffer[-m_size] = JSValue::encode(v);
+    ++m_size;
+
+    if (m_markSet)
+        return;
+
     // As long as our size stays within our Vector's inline 
     // capacity, all our values are allocated on the stack, and 
@@ -58 +75 @@
     // our Vector's inline capacity, though, our values move to the 
     // heap, where they do need explicit marking.
-    if (!m_markSet) {
-        // FIXME: Even if v is not a JSCell*, if previous values in the buffer
-        // are, then they won't be marked!
-        if (Heap* heap = Heap::heap(v)) {
-            ListSet& markSet = heap->markListSet();
-            markSet.add(this);
-            m_markSet = &markSet;
-        }
+    for (int i = 0; i < m_size; ++i) {
+        Heap* heap = Heap::heap(JSValue::decode(m_buffer[-i]));
+        if (!heap)
+            continue;
+
+        m_markSet = &heap->markListSet();
+        m_markSet->add(this);
+        break;
     }
-
-    if (m_vector.size() < m_vector.capacity()) {
-        m_vector.uncheckedAppend(v);
-        return;
-    }
-
-    // 4x growth would be excessive for a normal vector, but it's OK for Lists 
-    // because they're short-lived.
-    m_vector.reserveCapacity(m_vector.capacity() * 4);
-    
-    m_vector.uncheckedAppend(v);
-    m_buffer = m_vector.data();
 }
 

trunk/Source/JavaScriptCore/runtime/ArgList.h

@@ -39 +39 @@
 
     private:
-        static const unsigned inlineCapacity = 8;
+        static const size_t inlineCapacity = 8;
         typedef Vector<Register, inlineCapacity> VectorType;
         typedef HashSet<MarkedArgumentBuffer*> ListSet;
@@ -47 +47 @@
         // FIXME: Remove all clients of this API, then remove this API.
         MarkedArgumentBuffer()
-            : m_isUsingInlineBuffer(true)
+            : m_size(0)
+            , m_capacity(inlineCapacity)
+            , m_buffer(&m_inlineBuffer[m_capacity - 1])
             , m_markSet(0)
-#ifndef NDEBUG
-            , m_isReadOnly(false)
-#endif
         {
-            m_buffer = m_vector.data();
-            m_size = 0;
-        }
-
-        // Constructor for a read-only list whose data has already been allocated elsewhere.
-        MarkedArgumentBuffer(Register* buffer, size_t size)
-            : m_buffer(buffer)
-            , m_size(size)
-            , m_isUsingInlineBuffer(true)
-            , m_markSet(0)
-#ifndef NDEBUG
-            , m_isReadOnly(true)
-#endif
-        {
-        }
-
-        void initialize(WriteBarrier<Unknown>* buffer, size_t size)
-        {
-            ASSERT(!m_markSet);
-            ASSERT(isEmpty());
-
-            m_buffer = reinterpret_cast<Register*>(buffer);
-            m_size = size;
-#ifndef NDEBUG
-            m_isReadOnly = true;
-#endif
         }
 
@@ -85 +58 @@
             if (m_markSet)
                 m_markSet->remove(this);
+
+            if (m_capacity != inlineCapacity)
+                delete [] &m_buffer[-(m_capacity - 1)];
         }
 
@@ -90 +66 @@
         bool isEmpty() const { return !m_size; }
 
-        JSValue at(size_t i) const
+        JSValue at(int i) const
         {
-            if (i < m_size)
-                return m_buffer[i].jsValue();
-            return jsUndefined();
+            if (i >= m_size)
+                return jsUndefined();
+
+            return JSValue::decode(m_buffer[-i]);
         }
 
         void clear()
         {
-            m_vector.clear();
-            m_buffer = 0;
             m_size = 0;
         }
@@ -106 +81 @@
         void append(JSValue v)
         {
-            ASSERT(!m_isReadOnly);
+            if (m_size >= m_capacity)
+                return slowAppend(v);
 
-            if (m_isUsingInlineBuffer && m_size < inlineCapacity) {
-                m_vector.uncheckedAppend(v);
-                ++m_size;
-            } else {
-                // Putting this case all in one function measurably improves
-                // the performance of the fast "just append to inline buffer" case.
-                slowAppend(v);
-                ++m_size;
-                m_isUsingInlineBuffer = false;
-            }
+            m_buffer[-m_size] = JSValue::encode(v);
+            ++m_size;
         }
 
@@ -124 +92 @@
             ASSERT(m_size);
             m_size--;
-            m_vector.removeLast();
         }
 
@@ -130 +97 @@
         {
             ASSERT(m_size);
-            return m_buffer[m_size - 1].jsValue();
+            return JSValue::decode(m_buffer[-(m_size - 1)]);
         }
         
@@ -138 +105 @@
         void slowAppend(JSValue);
         
-        Register* m_buffer;
-        size_t m_size;
-        bool m_isUsingInlineBuffer;
-
-        VectorType m_vector;
+        int m_size;
+        int m_capacity;
+        EncodedJSValue m_inlineBuffer[inlineCapacity];
+        EncodedJSValue* m_buffer;
         ListSet* m_markSet;
-#ifndef NDEBUG
-        bool m_isReadOnly;
-#endif
 
     private:
@@ -174 +137 @@
         {
         }
-        
+
         ArgList(ExecState* exec)
-            : m_args(reinterpret_cast<JSValue*>(&exec[exec->hostThisRegister() + 1]))
+            : m_args(reinterpret_cast<JSValue*>(&exec[CallFrame::argumentOffset(0)]))
             , m_argCount(exec->argumentCount())
         {
         }
-        
+
         ArgList(const MarkedArgumentBuffer& args)
             : m_args(reinterpret_cast<JSValue*>(args.m_buffer))
@@ -187 +150 @@
         }
 
-        JSValue at(size_t idx) const
+        JSValue at(int i) const
         {
-            if (idx < m_argCount)
-                return m_args[idx];
-            return jsUndefined();
+            if (i >= m_argCount)
+                return jsUndefined();
+            return m_args[-i];
         }
 
@@ -201 +164 @@
     private:
         JSValue* m_args;
-        size_t m_argCount;
+        int m_argCount;
     };
 

trunk/Source/JavaScriptCore/runtime/Arguments.cpp

@@ -38 +38 @@
 const ClassInfo Arguments::s_info = { "Arguments", &JSNonFinalObject::s_info, 0, 0, CREATE_METHOD_TABLE(Arguments) };
 
-Arguments::~Arguments()
-{
-    if (d->extraArguments != d->extraArgumentsFixedBuffer)
-        delete [] d->extraArguments;
-}
-
 void Arguments::visitChildren(JSCell* cell, SlotVisitor& visitor)
 {
@@ -53 +47 @@
 
     if (thisObject->d->registerArray)
-        visitor.appendValues(thisObject->d->registerArray.get(), thisObject->d->numParameters);
-
-    if (thisObject->d->extraArguments) {
-        unsigned numExtraArguments = thisObject->d->numArguments - thisObject->d->numParameters;
-        visitor.appendValues(thisObject->d->extraArguments, numExtraArguments);
-    }
-
+        visitor.appendValues(thisObject->d->registerArray.get(), thisObject->d->numArguments);
     visitor.append(&thisObject->d->callee);
-
     if (thisObject->d->activation)
         visitor.append(&thisObject->d->activation);
 }
 
-void Arguments::copyToRegisters(ExecState* exec, Register* buffer, uint32_t maxSize)
-{
-    if (UNLIKELY(d->overrodeLength)) {
-        unsigned length = min(get(exec, exec->propertyNames().length).toUInt32(exec), maxSize);
-        for (unsigned i = 0; i < length; i++)
-            buffer[i] = get(exec, i);
-        return;
-    }
-
-    if (LIKELY(!d->deletedArguments)) {
-        unsigned parametersLength = min(min(d->numParameters, d->numArguments), maxSize);
-        unsigned i = 0;
-        for (; i < parametersLength; ++i)
-            buffer[i] = d->registers[d->firstParameterIndex + i].get();
-        for (; i < d->numArguments; ++i)
-            buffer[i] = d->extraArguments[i - d->numParameters].get();
-        return;
-    }
-    
-    unsigned parametersLength = min(min(d->numParameters, d->numArguments), maxSize);
-    unsigned i = 0;
-    for (; i < parametersLength; ++i) {
-        if (!d->deletedArguments[i])
-            buffer[i] = d->registers[d->firstParameterIndex + i].get();
+void Arguments::copyToArguments(ExecState* exec, CallFrame* callFrame, uint32_t length)
+{
+    ASSERT(length == this->length(exec));
+    for (size_t i = 0; i < length; ++i) {
+        if (!d->deletedArguments || !d->deletedArguments[i])
+            callFrame->setArgument(i, argument(i).get());
         else
-            buffer[i] = get(exec, i);
-    }
-    for (; i < d->numArguments; ++i) {
-        if (!d->deletedArguments[i])
-            buffer[i] = d->extraArguments[i - d->numParameters].get();
-        else
-            buffer[i] = get(exec, i);
+            callFrame->setArgument(i, get(exec, i));
     }
 }
@@ -103 +66 @@
 void Arguments::fillArgList(ExecState* exec, MarkedArgumentBuffer& args)
 {
-    if (UNLIKELY(d->overrodeLength)) {
-        unsigned length = get(exec, exec->propertyNames().length).toUInt32(exec); 
-        for (unsigned i = 0; i < length; i++) 
-            args.append(get(exec, i)); 
-        return;
-    }
-
-    if (LIKELY(!d->deletedArguments)) {
-        if (LIKELY(!d->numParameters)) {
-            args.initialize(d->extraArguments, d->numArguments);
-            return;
-        }
-
-        if (d->numParameters == d->numArguments) {
-            args.initialize(&d->registers[d->firstParameterIndex], d->numArguments);
-            return;
-        }
-
-        unsigned parametersLength = min(d->numParameters, d->numArguments);
-        unsigned i = 0;
-        for (; i < parametersLength; ++i)
-            args.append(d->registers[d->firstParameterIndex + i].get());
-        for (; i < d->numArguments; ++i)
-            args.append(d->extraArguments[i - d->numParameters].get());
-        return;
-    }
-
-    unsigned parametersLength = min(d->numParameters, d->numArguments);
-    unsigned i = 0;
-    for (; i < parametersLength; ++i) {
-        if (!d->deletedArguments[i])
-            args.append(d->registers[d->firstParameterIndex + i].get());
+    uint32_t length = this->length(exec);
+    for (size_t i = 0; i < length; ++i) {
+        if (!d->deletedArguments || !d->deletedArguments[i])
+            args.append(argument(i).get());
         else
             args.append(get(exec, i));
     }
-    for (; i < d->numArguments; ++i) {
-        if (!d->deletedArguments[i])
-            args.append(d->extraArguments[i - d->numParameters].get());
-        else
-            args.append(get(exec, i));
-    }
 }
 
@@ -150 +79 @@
     Arguments* thisObject = jsCast<Arguments*>(cell);
     if (i < thisObject->d->numArguments && (!thisObject->d->deletedArguments || !thisObject->d->deletedArguments[i])) {
-        if (i < thisObject->d->numParameters) {
-            slot.setValue(thisObject->d->registers[thisObject->d->firstParameterIndex + i].get());
-        } else
-            slot.setValue(thisObject->d->extraArguments[i - thisObject->d->numParameters].get());
+        slot.setValue(thisObject->argument(i).get());
         return true;
     }
@@ -190 +116 @@
     unsigned i = propertyName.toArrayIndex(isArrayIndex);
     if (isArrayIndex && i < thisObject->d->numArguments && (!thisObject->d->deletedArguments || !thisObject->d->deletedArguments[i])) {
-        if (i < thisObject->d->numParameters) {
-            slot.setValue(thisObject->d->registers[thisObject->d->firstParameterIndex + i].get());
-        } else
-            slot.setValue(thisObject->d->extraArguments[i - thisObject->d->numParameters].get());
+        slot.setValue(thisObject->argument(i).get());
         return true;
     }
@@ -222 +145 @@
     unsigned i = propertyName.toArrayIndex(isArrayIndex);
     if (isArrayIndex && i < thisObject->d->numArguments && (!thisObject->d->deletedArguments || !thisObject->d->deletedArguments[i])) {
-        if (i < thisObject->d->numParameters) {
-            descriptor.setDescriptor(thisObject->d->registers[thisObject->d->firstParameterIndex + i].get(), None);
-        } else
-            descriptor.setDescriptor(thisObject->d->extraArguments[i - thisObject->d->numParameters].get(), None);
+        descriptor.setDescriptor(thisObject->argument(i).get(), None);
         return true;
     }
@@ -265 +185 @@
 {
     Arguments* thisObject = jsCast<Arguments*>(cell);
-    if (i < thisObject->d->numArguments && (!thisObject->d->deletedArguments || !thisObject->d->deletedArguments[i])) {
-        if (i < thisObject->d->numParameters)
-            thisObject->d->registers[thisObject->d->firstParameterIndex + i].set(exec->globalData(), thisObject->d->activation ? static_cast<JSCell*>(thisObject->d->activation.get()) : cell, value);
-        else
-            thisObject->d->extraArguments[i - thisObject->d->numParameters].set(exec->globalData(), thisObject, value);
+    if (i < static_cast<unsigned>(thisObject->d->numArguments) && (!thisObject->d->deletedArguments || !thisObject->d->deletedArguments[i])) {
+        thisObject->argument(i).set(exec->globalData(), thisObject, value);
         return;
     }
@@ -283 +200 @@
     unsigned i = propertyName.toArrayIndex(isArrayIndex);
     if (isArrayIndex && i < thisObject->d->numArguments && (!thisObject->d->deletedArguments || !thisObject->d->deletedArguments[i])) {
-        if (i < thisObject->d->numParameters)
-            thisObject->d->registers[thisObject->d->firstParameterIndex + i].set(exec->globalData(), thisObject->d->activation ? static_cast<JSCell*>(thisObject->d->activation.get()) : static_cast<JSCell*>(thisObject), value);
-        else
-            thisObject->d->extraArguments[i - thisObject->d->numParameters].set(exec->globalData(), thisObject, value);
+        thisObject->argument(i).set(exec->globalData(), thisObject, value);
         return;
     }
@@ -363 +277 @@
 }
 
+void Arguments::tearOff(CallFrame* callFrame)
+{
+    if (isTornOff())
+        return;
+
+    if (!d->numArguments)
+        return;
+
+    d->registerArray = adoptArrayPtr(new WriteBarrier<Unknown>[d->numArguments]);
+    d->registers = d->registerArray.get() + CallFrame::offsetFor(d->numArguments + 1);
+
+    if (!callFrame->isInlineCallFrame()) {
+        for (size_t i = 0; i < d->numArguments; ++i)
+            argument(i).set(callFrame->globalData(), this, callFrame->argument(i));
+        return;
+    }
+
+    InlineCallFrame* inlineCallFrame = callFrame->inlineCallFrame();
+    for (size_t i = 0; i < d->numArguments; ++i) {
+        ValueRecovery& recovery = inlineCallFrame->arguments[i + 1];
+        // In the future we'll support displaced recoveries (indicating that the
+        // argument was flushed to a different location), but for now we don't do
+        // that so this code will fail if that were to happen. On the other hand,
+        // it's much less likely that we'll support in-register recoveries since
+        // this code does not (easily) have access to registers.
+        JSValue value;
+        Register* location = &callFrame->registers()[CallFrame::argumentOffset(i)];
+        switch (recovery.technique()) {
+        case AlreadyInRegisterFile:
+            value = location->jsValue();
+            break;
+        case AlreadyInRegisterFileAsUnboxedInt32:
+            value = jsNumber(location->unboxedInt32());
+            break;
+        case AlreadyInRegisterFileAsUnboxedCell:
+            value = location->unboxedCell();
+            break;
+        case AlreadyInRegisterFileAsUnboxedBoolean:
+            value = jsBoolean(location->unboxedBoolean());
+            break;
+        case Constant:
+            value = recovery.constant();
+            break;
+        default:
+            ASSERT_NOT_REACHED();
+            break;
+        }
+        argument(i).set(callFrame->globalData(), this, value);
+    }
+}
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/Arguments.h

@@ -40 +40 @@
         WriteBarrier<JSActivation> activation;
 
-        unsigned numParameters;
-        ptrdiff_t firstParameterIndex;
         unsigned numArguments;
 
@@ -47 +45 @@
         OwnArrayPtr<WriteBarrier<Unknown> > registerArray;
 
-        WriteBarrier<Unknown>* extraArguments;
         OwnArrayPtr<bool> deletedArguments;
-        WriteBarrier<Unknown> extraArgumentsFixedBuffer[4];
 
         WriteBarrier<JSFunction> callee;
@@ -56 +52 @@
         bool overrodeCaller : 1;
         bool isStrictMode : 1;
-        bool isInlineFrame : 1; // If true, all arguments are in the extraArguments buffer.
     };
-
 
     class Arguments : public JSNonFinalObject {
@@ -70 +64 @@
             return arguments;
         }
-        
-        static Arguments* createAndTearOff(JSGlobalData& globalData, CallFrame* callFrame)
-        {
-            Arguments* arguments = new (allocateCell<Arguments>(globalData.heap)) Arguments(callFrame);
-            arguments->finishCreationAndTearOff(callFrame);
-            return arguments;
-        }
-        
-        static Arguments* createNoParameters(JSGlobalData& globalData, CallFrame* callFrame)
-        {
-            Arguments* arguments = new (allocateCell<Arguments>(globalData.heap)) Arguments(callFrame, NoParameters);
-            arguments->finishCreation(callFrame, NoParameters);
-            return arguments;
-        }
 
-        // Use an enum because otherwise gcc insists on doing a memory
-        // read.
         enum { MaxArguments = 0x10000 };
 
@@ -96 +74 @@
 
     public:
-        virtual ~Arguments();
-
         static const ClassInfo s_info;
 
@@ -111 +87 @@
         }
         
-        void copyToRegisters(ExecState* exec, Register* buffer, uint32_t maxSize);
-        void tearOff(JSGlobalData&);
+        void copyToArguments(ExecState*, CallFrame*, uint32_t length);
+        void tearOff(CallFrame*);
         bool isTornOff() const { return d->registerArray; }
         void didTearOffActivation(JSGlobalData& globalData, JSActivation* activation)
@@ -130 +106 @@
         static const unsigned StructureFlags = OverridesGetOwnPropertySlot | OverridesVisitChildren | OverridesGetPropertyNames | JSObject::StructureFlags;
 
-        void finishCreationButDontTearOff(CallFrame*);
         void finishCreation(CallFrame*);
-        void finishCreationAndTearOff(CallFrame*);
-        void finishCreation(CallFrame*, NoParametersType);
 
     private:
-        void getArgumentsData(CallFrame*, JSFunction*&, ptrdiff_t& firstParameterIndex, Register*& argv, int& argc);
         static bool getOwnPropertySlot(JSCell*, ExecState*, const Identifier& propertyName, PropertySlot&);
         static bool getOwnPropertySlotByIndex(JSCell*, ExecState*, unsigned propertyName, PropertySlot&);
@@ -147 +119 @@
         void createStrictModeCallerIfNecessary(ExecState*);
         void createStrictModeCalleeIfNecessary(ExecState*);
+
+        WriteBarrier<Unknown>& argument(size_t);
 
         void init(CallFrame*);
@@ -161 +135 @@
     }
 
-    ALWAYS_INLINE void Arguments::getArgumentsData(CallFrame* callFrame, JSFunction*& function, ptrdiff_t& firstParameterIndex, Register*& argv, int& argc)
-    {
-        function = asFunction(callFrame->callee());
-
-        int numParameters = function->jsExecutable()->parameterCount();
-        argc = callFrame->argumentCountIncludingThis();
-        
-        if (callFrame->isInlineCallFrame())
-            ASSERT(argc == numParameters + 1);
-
-        if (argc <= numParameters)
-            argv = callFrame->registers() - RegisterFile::CallFrameHeaderSize - numParameters;
-        else
-            argv = callFrame->registers() - RegisterFile::CallFrameHeaderSize - numParameters - argc;
-
-        argc -= 1; // - 1 to skip "this"
-        firstParameterIndex = -RegisterFile::CallFrameHeaderSize - numParameters;
-    }
-
     inline Arguments::Arguments(CallFrame* callFrame)
         : JSNonFinalObject(callFrame->globalData(), callFrame->lexicalGlobalObject()->argumentsStructure())
@@ -191 +146 @@
     {
     }
-    
-    inline void Arguments::finishCreationButDontTearOff(CallFrame* callFrame)
+
+    inline WriteBarrier<Unknown>& Arguments::argument(size_t i)
+    {
+        return d->registers[CallFrame::argumentOffset(i)];
+    }
+
+    inline void Arguments::finishCreation(CallFrame* callFrame)
     {
         Base::finishCreation(callFrame->globalData());
         ASSERT(inherits(&s_info));
 
-        JSFunction* callee;
-        ptrdiff_t firstParameterIndex;
-        Register* argv;
-        int numArguments;
-        getArgumentsData(callFrame, callee, firstParameterIndex, argv, numArguments);
-
-        d->numParameters = callee->jsExecutable()->parameterCount();
-        d->firstParameterIndex = firstParameterIndex;
-        d->numArguments = numArguments;
-        d->isInlineFrame = false;
-
+        JSFunction* callee = asFunction(callFrame->callee());
+        d->numArguments = callFrame->argumentCount();
         d->registers = reinterpret_cast<WriteBarrier<Unknown>*>(callFrame->registers());
-
-        WriteBarrier<Unknown>* extraArguments;
-        if (d->numArguments <= d->numParameters)
-            extraArguments = 0;
-        else {
-            unsigned numExtraArguments = d->numArguments - d->numParameters;
-            if (numExtraArguments > sizeof(d->extraArgumentsFixedBuffer) / sizeof(WriteBarrier<Unknown>))
-                extraArguments = new WriteBarrier<Unknown>[numExtraArguments];
-            else
-                extraArguments = d->extraArgumentsFixedBuffer;
-            for (unsigned i = 0; i < numExtraArguments; ++i)
-                extraArguments[i].set(callFrame->globalData(), this, argv[d->numParameters + i].jsValue());
-        }
-
-        d->extraArguments = extraArguments;
-
         d->callee.set(callFrame->globalData(), this, callee);
         d->overrodeLength = false;
@@ -230 +165 @@
         d->overrodeCaller = false;
         d->isStrictMode = callFrame->codeBlock()->isStrictMode();
-    }
 
-    inline void Arguments::finishCreation(CallFrame* callFrame)
-    {
-        ASSERT(!callFrame->isInlineCallFrame());
-        finishCreationButDontTearOff(callFrame);
-        if (d->isStrictMode)
-            tearOff(callFrame->globalData());
-    }
-
-    inline void Arguments::finishCreationAndTearOff(CallFrame* callFrame)
-    {
-        Base::finishCreation(callFrame->globalData());
-        ASSERT(inherits(&s_info));
-        
-        JSFunction* callee;
-
-        ptrdiff_t firstParameterIndex;
-        Register* argv;
-        int numArguments;
-        getArgumentsData(callFrame, callee, firstParameterIndex, argv, numArguments);
-        
-        d->numParameters = callee->jsExecutable()->parameterCount();
-        d->firstParameterIndex = firstParameterIndex;
-        d->numArguments = numArguments;
-        
-        if (d->numParameters) {
-            int registerOffset = d->numParameters + RegisterFile::CallFrameHeaderSize;
-            size_t registerArraySize = d->numParameters;
-            
-            OwnArrayPtr<WriteBarrier<Unknown> > registerArray = adoptArrayPtr(new WriteBarrier<Unknown>[registerArraySize]);
-            if (callFrame->isInlineCallFrame()) {
-                InlineCallFrame* inlineCallFrame = callFrame->inlineCallFrame();
-                for (size_t i = 0; i < registerArraySize; ++i) {
-                    ValueRecovery& recovery = inlineCallFrame->arguments[i + 1];
-                    // In the future we'll support displaced recoveries (indicating that the
-                    // argument was flushed to a different location), but for now we don't do
-                    // that so this code will fail if that were to happen. On the other hand,
-                    // it's much less likely that we'll support in-register recoveries since
-                    // this code does not (easily) have access to registers.
-                    JSValue value;
-                    Register* location = callFrame->registers() + i - registerOffset;
-                    switch (recovery.technique()) {
-                    case AlreadyInRegisterFile:
-                        value = location->jsValue();
-                        break;
-                    case AlreadyInRegisterFileAsUnboxedInt32:
-                        value = jsNumber(location->unboxedInt32());
-                        break;
-                    case AlreadyInRegisterFileAsUnboxedCell:
-                        value = location->unboxedCell();
-                        break;
-                    case AlreadyInRegisterFileAsUnboxedBoolean:
-                        value = jsBoolean(location->unboxedBoolean());
-                        break;
-                    case Constant:
-                        value = recovery.constant();
-                        break;
-                    default:
-                        ASSERT_NOT_REACHED();
-                        break;
-                    }
-                    registerArray[i].set(callFrame->globalData(), this, value);
-                }
-            } else {
-                for (size_t i = 0; i < registerArraySize; ++i)
-                    registerArray[i].set(callFrame->globalData(), this, callFrame->registers()[i - registerOffset].jsValue());
-            }
-            d->registers = registerArray.get() + d->numParameters + RegisterFile::CallFrameHeaderSize;
-            d->registerArray = registerArray.release();
-        }
-        
-        WriteBarrier<Unknown>* extraArguments;
-        if (callFrame->isInlineCallFrame())
-            ASSERT(d->numArguments == d->numParameters);
-        if (d->numArguments <= d->numParameters)
-            extraArguments = 0;
-        else {
-            unsigned numExtraArguments = d->numArguments - d->numParameters;
-            if (numExtraArguments > sizeof(d->extraArgumentsFixedBuffer) / sizeof(WriteBarrier<Unknown>))
-                extraArguments = new WriteBarrier<Unknown>[numExtraArguments];
-            else
-                extraArguments = d->extraArgumentsFixedBuffer;
-            for (unsigned i = 0; i < numExtraArguments; ++i)
-                extraArguments[i].set(callFrame->globalData(), this, argv[d->numParameters + i].jsValue());
-        }
-        
-        d->extraArguments = extraArguments;
-
-        d->callee.set(callFrame->globalData(), this, callee);
-        d->overrodeLength = false;
-        d->overrodeCallee = false;
-        d->overrodeCaller = false;
-        d->isInlineFrame = callFrame->isInlineCallFrame();
-        d->isStrictMode = callFrame->codeBlock()->isStrictMode();
-    }
-
-    inline void Arguments::finishCreation(CallFrame* callFrame, NoParametersType)
-    {
-        ASSERT(!callFrame->isInlineCallFrame());
-        Base::finishCreation(callFrame->globalData());
-        ASSERT(inherits(&s_info));
-        ASSERT(!asFunction(callFrame->callee())->jsExecutable()->parameterCount());
-
-        unsigned numArguments = callFrame->argumentCount();
-
-        d->numParameters = 0;
-        d->numArguments = numArguments;
-        d->isInlineFrame = false;
-
-        WriteBarrier<Unknown>* extraArguments;
-        if (numArguments > sizeof(d->extraArgumentsFixedBuffer) / sizeof(Register))
-            extraArguments = new WriteBarrier<Unknown>[numArguments];
-        else
-            extraArguments = d->extraArgumentsFixedBuffer;
-
-        Register* argv = callFrame->registers() - RegisterFile::CallFrameHeaderSize - numArguments - 1;
-        for (unsigned i = 0; i < numArguments; ++i)
-            extraArguments[i].set(callFrame->globalData(), this, argv[i].jsValue());
-
-        d->extraArguments = extraArguments;
-
-        d->callee.set(callFrame->globalData(), this, asFunction(callFrame->callee()));
-        d->overrodeLength = false;
-        d->overrodeCallee = false;
-        d->overrodeCaller = false;
-        d->isStrictMode = callFrame->codeBlock()->isStrictMode();
-        if (d->isStrictMode)
-            tearOff(callFrame->globalData());
-    }
-
-    inline void Arguments::tearOff(JSGlobalData& globalData)
-    {
-        ASSERT(!isTornOff());
-
-        if (!d->numParameters)
-            return;
-
-        int registerOffset = d->numParameters + RegisterFile::CallFrameHeaderSize;
-        size_t registerArraySize = d->numParameters;
-
-        OwnArrayPtr<WriteBarrier<Unknown> > registerArray = adoptArrayPtr(new WriteBarrier<Unknown>[registerArraySize]);
-        for (size_t i = 0; i < registerArraySize; i++)
-            registerArray[i].set(globalData, this, d->registers[i - registerOffset].get());
-        d->registers = registerArray.get() + registerOffset;
-        d->registerArray = registerArray.release();
+        // The bytecode generator omits op_tear_off_activation in cases of no
+        // declared parameters, so we need to tear off immediately.
+        if (d->isStrictMode || !callee->jsExecutable()->parameterCount())
+            tearOff(callFrame);
     }
 

trunk/Source/JavaScriptCore/runtime/JSActivation.cpp

@@ -34 +34 @@
 #include "JSFunction.h"
 
+using namespace std;
+
 namespace JSC {
 
@@ -42 +44 @@
 JSActivation::JSActivation(CallFrame* callFrame, FunctionExecutable* functionExecutable)
     : Base(callFrame->globalData(), callFrame->globalData().activationStructure.get(), functionExecutable->symbolTable(), callFrame->registers())
-    , m_numParametersMinusThis(static_cast<int>(functionExecutable->parameterCount()))
+    , m_numCapturedArgs(max(callFrame->argumentCount(), functionExecutable->parameterCount()))
     , m_numCapturedVars(functionExecutable->capturedVariableCount())
     , m_requiresDynamicChecks(functionExecutable->usesEval())
@@ -78 +80 @@
         return;
 
-    visitor.appendValues(registerArray, thisObject->m_numParametersMinusThis);
-
-    // Skip the call frame, which sits between the parameters and vars.
-    visitor.appendValues(registerArray + thisObject->m_numParametersMinusThis + RegisterFile::CallFrameHeaderSize, thisObject->m_numCapturedVars);
+    visitor.appendValues(registerArray, thisObject->m_numCapturedArgs);
+
+    // Skip 'this' and call frame.
+    visitor.appendValues(registerArray + CallFrame::offsetFor(thisObject->m_numCapturedArgs + 1), thisObject->m_numCapturedVars);
 }
 

trunk/Source/JavaScriptCore/runtime/JSActivation.h

@@ -90 +90 @@
         NEVER_INLINE PropertySlot::GetValueFunc getArgumentsGetter();
 
-        int m_numParametersMinusThis;
+        int m_numCapturedArgs;
         int m_numCapturedVars : 31;
         bool m_requiresDynamicChecks : 1;
@@ -118 +118 @@
     {
         ASSERT(!m_registerArray);
+        ASSERT(m_numCapturedVars + m_numCapturedArgs);
 
-        size_t numLocals = m_numCapturedVars + m_numParametersMinusThis;
+        int registerOffset = CallFrame::offsetFor(m_numCapturedArgs + 1);
+        size_t registerArraySize = registerOffset + m_numCapturedVars;
 
-        if (!numLocals)
-            return;
+        OwnArrayPtr<WriteBarrier<Unknown> > registerArray = adoptArrayPtr(new WriteBarrier<Unknown>[registerArraySize]);
+        WriteBarrier<Unknown>* registers = registerArray.get() + registerOffset;
 
-        int registerOffset = m_numParametersMinusThis + RegisterFile::CallFrameHeaderSize;
-        size_t registerArraySize = numLocals + RegisterFile::CallFrameHeaderSize;
+        // Copy all arguments that can be captured by name or by the arguments object.
+        for (int i = 0; i < m_numCapturedArgs; ++i) {
+            int index = CallFrame::argumentOffset(i);
+            registers[index].set(globalData, this, m_registers[index].get());
+        }
 
-        OwnArrayPtr<WriteBarrier<Unknown> > registerArray = copyRegisterArray(globalData, m_registers - registerOffset, registerArraySize, m_numParametersMinusThis + 1);
-        WriteBarrier<Unknown>* registers = registerArray.get() + registerOffset;
+        // Skip 'this' and call frame.
+
+        // Copy all captured vars.
+        for (int i = 0; i < m_numCapturedVars; ++i)
+            registers[i].set(globalData, this, m_registers[i].get());
+
         setRegisters(registers, registerArray.release());
     }

trunk/Source/JavaScriptCore/runtime/JSArray.cpp

@@ -1266 +1266 @@
 }
 
-void JSArray::copyToRegisters(ExecState* exec, Register* buffer, uint32_t maxSize)
-{
-    ASSERT(m_storage->m_length >= maxSize);
-    UNUSED_PARAM(maxSize);
+void JSArray::copyToArguments(ExecState* exec, CallFrame* callFrame, uint32_t length)
+{
+    ASSERT(length == this->length());
+    UNUSED_PARAM(length);
+    unsigned i = 0;
     WriteBarrier<Unknown>* vector = m_storage->m_vector;
-    unsigned vectorEnd = min(maxSize, m_vectorLength);
-    unsigned i = 0;
+    unsigned vectorEnd = min(length, m_vectorLength);
     for (; i < vectorEnd; ++i) {
         WriteBarrier<Unknown>& v = vector[i];
         if (!v)
             break;
-        buffer[i] = v.get();
-    }
-
-    for (; i < maxSize; ++i)
-        buffer[i] = get(exec, i);
+        callFrame->setArgument(i, v.get());
+    }
+
+    for (; i < length; ++i)
+        callFrame->setArgument(i, get(exec, i));
 }
 

trunk/Source/JavaScriptCore/runtime/JSArray.h

@@ -156 +156 @@
 
         void fillArgList(ExecState*, MarkedArgumentBuffer&);
-        void copyToRegisters(ExecState*, Register*, uint32_t);
+        void copyToArguments(ExecState*, CallFrame*, uint32_t length);
 
         static Structure* createStructure(JSGlobalData& globalData, JSGlobalObject* globalObject, JSValue prototype)