Changeset 116670 in webkit

Timestamp:

May 10, 2012 11:40:29 AM (12 years ago)

Author:

barraclough@apple.com

Message:

Cache inheritorID on JSFunction
​https://bugs.webkit.org/show_bug.cgi?id=85853

Reviewed by Geoff Garen & Filip Pizlo.

An object's prototype is indicated via its structure. To create an otherwise
empty object with object A as its prototype, we require a structure with its
prototype set to point to A. We wish to use this same structure for all empty
objects created with a prototype of A, so we presently store this structure as
a property of A, known as the inheritorID.

When a function F is invoked as a constructor, where F has a property 'prototype'
set to point to A, in order to create the 'this' value for the constructor to
use the following steps are taken:

• the 'prototype' proptery of F is read, via a regular Get? access.
• the inheritorID internal property of the prototype is read.
• a new, empty object is constructed with its structure set to point to inheritorID.

There are two drawbacks to the current approach:

• it requires that every object has an inheritorID field.
• it requires a Get? access on every constructor call to access the 'prototype' property.

Instead, switch to caching a copy of the inheritorID on the function. Constructor
calls now only need read the internal property from the callee, saving a Get?.
This also means that JSObject::m_inheritorID is no longer commonly read, and in a
future patch we can move to storing this in a more memory efficient fashion.

• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dump):

• bytecode/Opcode.h:

(JSC):
(JSC::padOpcodeName):

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::BytecodeGenerator):

• dfg/DFGAbstractState.cpp:

(JSC::DFG::AbstractState::execute):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGNodeType.h:

(DFG):

• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• interpreter/Interpreter.cpp:

(JSC::Interpreter::privateExecute):

• jit/JITInlineMethods.h:

(JSC::JIT::emitAllocateJSFunction):

• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_create_this):
(JSC::JIT::emitSlow_op_create_this):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_create_this):
(JSC::JIT::emitSlow_op_create_this):

• jit/JITStubs.cpp:

(JSC::DEFINE_STUB_FUNCTION):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/JSFunction.cpp:

(JSC::JSFunction::JSFunction):
(JSC::JSFunction::cacheInheritorID):
(JSC):
(JSC::JSFunction::put):
(JSC::JSFunction::defineOwnProperty):

• runtime/JSFunction.h:

(JSC::JSFunction::cachedInheritorID):
(JSFunction):
(JSC::JSFunction::offsetOfCachedInheritorID):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• bytecode/CodeBlock.cpp (modified) (1 diff)
• bytecode/Opcode.h (modified) (1 diff)
• bytecompiler/BytecodeGenerator.cpp (modified) (1 diff)
• dfg/DFGAbstractState.cpp (modified) (1 diff)
• dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• dfg/DFGOperations.cpp (modified) (1 diff)
• dfg/DFGOperations.h (modified) (1 diff)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (2 diffs)
• dfg/DFGSpeculativeJIT64.cpp (modified) (2 diffs)
• interpreter/Interpreter.cpp (modified) (2 diffs)
• jit/JITInlineMethods.h (modified) (1 diff)
• jit/JITOpcodes.cpp (modified) (3 diffs)
• jit/JITOpcodes32_64.cpp (modified) (3 diffs)
• jit/JITStubs.cpp (modified) (1 diff)
• llint/LLIntSlowPaths.cpp (modified) (1 diff)
• llint/LowLevelInterpreter32_64.asm (modified) (2 diffs)
• llint/LowLevelInterpreter64.asm (modified) (1 diff)
• runtime/JSFunction.cpp (modified) (3 diffs)
• runtime/JSFunction.h (modified) (3 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-05-10  Gavin Barraclough  <barraclough@apple.com>
+
+        Cache inheritorID on JSFunction
+        https://bugs.webkit.org/show_bug.cgi?id=85853
+
+        Reviewed by Geoff Garen & Filip Pizlo.
+
+        An object's prototype is indicated via its structure.  To create an otherwise
+        empty object with object A as its prototype, we require a structure with its
+        prototype set to point to A.  We wish to use this same structure for all empty
+        objects created with a prototype of A, so we presently store this structure as
+        a property of A, known as the inheritorID.
+
+        When a function F is invoked as a constructor, where F has a property 'prototype'
+        set to point to A, in order to create the 'this' value for the constructor to
+        use the following steps are taken:
+          - the 'prototype' proptery of F is read, via a regular [[Get]] access.
+          - the inheritorID internal property of the prototype is read.
+          - a new, empty object is constructed with its structure set to point to inheritorID.
+
+        There are two drawbacks to the current approach:
+          - it requires that every object has an inheritorID field.
+          - it requires a [[Get]] access on every constructor call to access the 'prototype' property.
+
+        Instead, switch to caching a copy of the inheritorID on the function.  Constructor
+        calls now only need read the internal property from the callee, saving a [[Get]].
+        This also means that JSObject::m_inheritorID is no longer commonly read, and in a
+        future patch we can move to storing this in a more memory efficient fashion.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::dump):
+        * bytecode/Opcode.h:
+        (JSC):
+        (JSC::padOpcodeName):
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::BytecodeGenerator):
+        * dfg/DFGAbstractState.cpp:
+        (JSC::DFG::AbstractState::execute):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGNodeType.h:
+        (DFG):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::privateExecute):
+        * jit/JITInlineMethods.h:
+        (JSC::JIT::emitAllocateJSFunction):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_create_this):
+        (JSC::JIT::emitSlow_op_create_this):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_create_this):
+        (JSC::JIT::emitSlow_op_create_this):
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::JSFunction):
+        (JSC::JSFunction::cacheInheritorID):
+        (JSC):
+        (JSC::JSFunction::put):
+        (JSC::JSFunction::defineOwnProperty):
+        * runtime/JSFunction.h:
+        (JSC::JSFunction::cachedInheritorID):
+        (JSFunction):
+        (JSC::JSFunction::offsetOfCachedInheritorID):
+
 2012-05-10  Michael Saboff  <msaboff@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1042 +1042 @@
                 869D04AE1193B54D00803475 /* CachedTranscendentalFunction.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CachedTranscendentalFunction.h; sourceTree = "<group>"; };
                 869EBCB60E8C6D4A008722CC /* ResultType.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ResultType.h; sourceTree = "<group>"; };
+                86A054461556451B00445157 /* LowLevelInterpreter.asm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.asm.asm; name = LowLevelInterpreter.asm; path = llint/LowLevelInterpreter.asm; sourceTree = "<group>"; };
+                86A054471556451B00445157 /* LowLevelInterpreter32_64.asm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.asm.asm; name = LowLevelInterpreter32_64.asm; path = llint/LowLevelInterpreter32_64.asm; sourceTree = "<group>"; };
+                86A054481556451B00445157 /* LowLevelInterpreter64.asm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.asm.asm; name = LowLevelInterpreter64.asm; path = llint/LowLevelInterpreter64.asm; sourceTree = "<group>"; };
                 86A90ECF0EE7D51F00AB350D /* JITArithmetic.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JITArithmetic.cpp; sourceTree = "<group>"; };
                 86ADD1430FDDEA980006EEC2 /* ARMv7Assembler.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ARMv7Assembler.h; sourceTree = "<group>"; };
@@ -1431 +1434 @@
                                 A767FF9F14F4502900789059 /* JSCTypedArrayStubs.h */,
                                 F68EBB8C0255D4C601FF60F7 /* config.h */,
-                                0F46809C14BA7F4D00BFE272 /* llint */,
                                 1432EBD70A34CAD400717B9F /* API */,
                                 9688CB120ED12B4E001D649F /* assembler */,
@@ -1441 +1443 @@
                                 1429D77A0ED20D7300B89619 /* interpreter */,
                                 1429D92C0ED22D7000B89619 /* jit */,
+                                0F46809C14BA7F4D00BFE272 /* llint */,
                                 7E39D8370EC3A388003AF11A /* parser */,
                                 95AB831A0DA42C6900BC83F3 /* profiler */,
@@ -1490 +1493 @@
                                 0F4680A014BA7F8200BFE272 /* LLIntSlowPaths.h */,
                                 0F4680A114BA7F8200BFE272 /* LLIntOffsetsExtractor.cpp */,
+                                86A054461556451B00445157 /* LowLevelInterpreter.asm */,
+                                86A054471556451B00445157 /* LowLevelInterpreter32_64.asm */,
+                                86A054481556451B00445157 /* LowLevelInterpreter64.asm */,
                         );
                         name = llint;

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -520 +520 @@
         case op_create_this: {
             int r0 = (++it)->u.operand;
-            int r1 = (++it)->u.operand;
-            dataLog("[%4d] create_this %s %s\n", location, registerName(exec, r0).data(), registerName(exec, r1).data());
+            dataLog("[%4d] create_this %s\n", location, registerName(exec, r0).data());
             break;
         }

trunk/Source/JavaScriptCore/bytecode/Opcode.h

@@ -43 +43 @@
         macro(op_init_lazy_reg, 2) \
         macro(op_create_arguments, 2) \
-        macro(op_create_this, 3) \
+        macro(op_create_this, 2) \
         macro(op_get_callee, 2) \
         macro(op_convert_this, 2) \

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -443 +443 @@
 
     if (isConstructor()) {
-        RefPtr<RegisterID> func = newTemporary();
-        RefPtr<RegisterID> funcProto = newTemporary();
-
-        emitOpcode(op_get_callee);
-        instructions().append(func->index());
-        // Load prototype.
-        emitGetById(funcProto.get(), func.get(), globalData()->propertyNames->prototype);
-
         emitOpcode(op_create_this);
         instructions().append(m_thisRegister.index());
-        instructions().append(funcProto->index());
     } else if (!codeBlock->isStrictMode() && (functionBody->usesThis() || codeBlock->usesEval() || m_shouldEmitDebugHooks)) {
         emitOpcode(op_convert_this);

trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp

@@ -775 +775 @@
         break;
     }
-            
+
     case CreateThis: {
-        Node& child = m_graph[node.child1()];
         AbstractValue& source = forNode(node.child1());
         AbstractValue& destination = forNode(nodeIndex);
             
-        if (child.shouldSpeculateFinalObject())
-            source.filter(PredictFinalObject);
-            
+        source.filter(PredictFunction);
         destination.set(PredictFinalObject);
         break;
     }
-            
+
     case NewObject:
         forNode(nodeIndex).set(m_codeBlock->globalObjectFor(node.codeOrigin)->emptyObjectStructure());

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -1535 +1535 @@
 
         case op_create_this: {
-            NodeIndex op1 = get(currentInstruction[2].u.operand);
-            set(currentInstruction[1].u.operand, addToGraph(CreateThis, op1));
+            if (m_inlineStackTop->m_inlineCallFrame)
+                set(currentInstruction[1].u.operand, addToGraph(CreateThis, getDirect(m_inlineStackTop->m_calleeVR)));
+            else
+                set(currentInstruction[1].u.operand, addToGraph(CreateThis, addToGraph(GetCallee)));
             NEXT_OPCODE(op_create_this);
         }

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -210 +210 @@
 }
 
-inline JSCell* createThis(ExecState* exec, JSCell* prototype, JSFunction* constructor)
-{
+JSCell* DFG_OPERATION operationCreateThis(ExecState* exec, JSCell* constructor)
+{
+    JSGlobalData* globalData = &exec->globalData();
+    NativeCallFrameTracer tracer(globalData, exec);
+
 #if !ASSERT_DISABLED
     ConstructData constructData;
-    ASSERT(constructor->methodTable()->getConstructData(constructor, constructData) == ConstructTypeJS);
+    ASSERT(jsCast<JSFunction*>(constructor)->methodTable()->getConstructData(jsCast<JSFunction*>(constructor), constructData) == ConstructTypeJS);
 #endif
     
-    JSGlobalData& globalData = exec->globalData();
-    NativeCallFrameTracer tracer(&globalData, exec);
-
-    Structure* structure;
-    if (prototype->isObject())
-        structure = asObject(prototype)->inheritorID(globalData);
-    else
-        structure = constructor->scope()->globalObject->emptyObjectStructure();
-    
-    return constructEmptyObject(exec, structure);
-}
-
-JSCell* DFG_OPERATION operationCreateThis(ExecState* exec, JSCell* prototype)
-{
-    JSGlobalData* globalData = &exec->globalData();
-    NativeCallFrameTracer tracer(globalData, exec);
-
-    return createThis(exec, prototype, jsCast<JSFunction*>(exec->callee()));
-}
-
-JSCell* DFG_OPERATION operationCreateThisInlined(ExecState* exec, JSCell* prototype, JSCell* constructor)
-{
-    JSGlobalData* globalData = &exec->globalData();
-    NativeCallFrameTracer tracer(globalData, exec);
-    
-    return createThis(exec, prototype, jsCast<JSFunction*>(constructor));
+    return constructEmptyObject(exec, jsCast<JSFunction*>(constructor)->cachedInheritorID(exec));
 }
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -98 +98 @@
 // These routines are provide callbacks out to C++ implementations of operations too complex to JIT.
 JSCell* DFG_OPERATION operationNewObject(ExecState*);
-JSCell* DFG_OPERATION operationCreateThis(ExecState*, JSCell* encodedOp1);
-JSCell* DFG_OPERATION operationCreateThisInlined(ExecState*, JSCell* encodedOp1, JSCell* constructor);
+JSCell* DFG_OPERATION operationCreateThis(ExecState*, JSCell* constructor);
 EncodedJSValue DFG_OPERATION operationConvertThis(ExecState*, EncodedJSValue encodedOp1);
 EncodedJSValue DFG_OPERATION operationValueAdd(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -3030 +3030 @@
         // otherwise we'd start taking slow path a lot).
         
-        SpeculateCellOperand proto(this, node.child1());
+        SpeculateCellOperand callee(this, node.child1());
         GPRTemporary result(this);
         GPRTemporary scratch(this);
         
-        GPRReg protoGPR = proto.gpr();
+        GPRReg calleeGPR = callee.gpr();
         GPRReg resultGPR = result.gpr();
         GPRReg scratchGPR = scratch.gpr();
         
-        proto.use();
-        
+        // Load the inheritorID. If the inheritorID is not set, go to slow path.
+        m_jit.loadPtr(MacroAssembler::Address(calleeGPR, JSFunction::offsetOfCachedInheritorID()), scratchGPR);
         MacroAssembler::JumpList slowPath;
-        
-        // Need to verify that the prototype is an object. If we have reason to believe
-        // that it's a FinalObject then we speculate on that directly. Otherwise we
-        // do the slow (structure-based) check.
-        if (at(node.child1()).shouldSpeculateFinalObject()) {
-            if (!isFinalObjectPrediction(m_state.forNode(node.child1()).m_type))
-                speculationCheck(BadType, JSValueSource::unboxedCell(protoGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(protoGPR, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(&JSFinalObject::s_info)));
-        } else {
-            m_jit.loadPtr(MacroAssembler::Address(protoGPR, JSCell::structureOffset()), scratchGPR);
-            slowPath.append(m_jit.branch8(MacroAssembler::Below, MacroAssembler::Address(scratchGPR, Structure::typeInfoTypeOffset()), MacroAssembler::TrustedImm32(ObjectType)));
-        }
-        
-        // Load the inheritorID (the Structure that objects who have protoGPR as the prototype
-        // use to refer to that prototype). If the inheritorID is not set, go to slow path.
-        m_jit.loadPtr(MacroAssembler::Address(protoGPR, JSObject::offsetOfInheritorID()), scratchGPR);
         slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, scratchGPR));
         
@@ -3065 +3050 @@
         
         silentSpillAllRegisters(resultGPR);
-        if (node.codeOrigin.inlineCallFrame)
-            callOperation(operationCreateThisInlined, resultGPR, protoGPR, node.codeOrigin.inlineCallFrame->callee.get());
-        else
-            callOperation(operationCreateThis, resultGPR, protoGPR);
+        callOperation(operationCreateThis, resultGPR, calleeGPR);
         silentFillAllRegisters(resultGPR);
         
         done.link(&m_jit);
         
-        cellResult(resultGPR, m_compileIndex, UseChildrenCalledExplicitly);
+        cellResult(resultGPR, m_compileIndex);
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -3054 +3054 @@
         // otherwise we'd start taking slow path a lot).
         
-        SpeculateCellOperand proto(this, node.child1());
+        SpeculateCellOperand callee(this, node.child1());
         GPRTemporary result(this);
         GPRTemporary scratch(this);
         
-        GPRReg protoGPR = proto.gpr();
+        GPRReg calleeGPR = callee.gpr();
         GPRReg resultGPR = result.gpr();
         GPRReg scratchGPR = scratch.gpr();
         
-        proto.use();
-        
+        // Load the inheritorID. If the inheritorID is not set, go to slow path.
+        m_jit.loadPtr(MacroAssembler::Address(calleeGPR, JSFunction::offsetOfCachedInheritorID()), scratchGPR);
         MacroAssembler::JumpList slowPath;
-        
-        // Need to verify that the prototype is an object. If we have reason to believe
-        // that it's a FinalObject then we speculate on that directly. Otherwise we
-        // do the slow (structure-based) check.
-        if (at(node.child1()).shouldSpeculateFinalObject()) {
-            if (!isFinalObjectPrediction(m_state.forNode(node.child1()).m_type))
-                speculationCheck(BadType, JSValueRegs(protoGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(protoGPR, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(&JSFinalObject::s_info)));
-        } else {
-            m_jit.loadPtr(MacroAssembler::Address(protoGPR, JSCell::structureOffset()), scratchGPR);
-            slowPath.append(m_jit.branch8(MacroAssembler::Below, MacroAssembler::Address(scratchGPR, Structure::typeInfoTypeOffset()), MacroAssembler::TrustedImm32(ObjectType)));
-        }
-        
-        // Load the inheritorID (the Structure that objects who have protoGPR as the prototype
-        // use to refer to that prototype). If the inheritorID is not set, go to slow path.
-        m_jit.loadPtr(MacroAssembler::Address(protoGPR, JSObject::offsetOfInheritorID()), scratchGPR);
         slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, scratchGPR));
         
@@ -3089 +3074 @@
         
         silentSpillAllRegisters(resultGPR);
-        if (node.codeOrigin.inlineCallFrame)
-            callOperation(operationCreateThisInlined, resultGPR, protoGPR, node.codeOrigin.inlineCallFrame->callee.get());
-        else
-            callOperation(operationCreateThis, resultGPR, protoGPR);
+        callOperation(operationCreateThis, resultGPR, calleeGPR);
         silentFillAllRegisters(resultGPR);
         
         done.link(&m_jit);
         
-        cellResult(resultGPR, m_compileIndex, UseChildrenCalledExplicitly);
+        cellResult(resultGPR, m_compileIndex);
         break;
     }

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -4810 +4810 @@
 
         int thisRegister = vPC[1].u.operand;
-        int protoRegister = vPC[2].u.operand;
 
         JSFunction* constructor = jsCast<JSFunction*>(callFrame->callee());
@@ -4818 +4817 @@
 #endif
 
-        Structure* structure;
-        JSValue proto = callFrame->r(protoRegister).jsValue();
-        if (proto.isObject())
-            structure = asObject(proto)->inheritorID(callFrame->globalData());
-        else
-            structure = constructor->scope()->globalObject->emptyObjectStructure();
+        Structure* structure = constructor->cachedInheritorID(callFrame);
         callFrame->uncheckedR(thisRegister) = constructEmptyObject(callFrame, structure);
 

trunk/Source/JavaScriptCore/jit/JITInlineMethods.h

@@ -449 +449 @@
     storePtr(TrustedImmPtr(executable), Address(result, JSFunction::offsetOfExecutable()));
 
+    // clear the function's inheritorID
+    storePtr(TrustedImmPtr(0), Address(result, JSFunction::offsetOfCachedInheritorID()));
+
     // store the function's name
     ASSERT(executable->nameValue());

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -1273 +1273 @@
 void JIT::emit_op_create_this(Instruction* currentInstruction)
 {
-    emitGetVirtualRegister(currentInstruction[2].u.operand, regT2);
-    emitJumpSlowCaseIfNotJSCell(regT2, currentInstruction[2].u.operand);
-    loadPtr(Address(regT2, JSCell::structureOffset()), regT1);
-    addSlowCase(emitJumpIfNotObject(regT1));
-    
-    // now we know that the prototype is an object, but we don't know if it's got an
-    // inheritor ID
-    
-    loadPtr(Address(regT2, JSObject::offsetOfInheritorID()), regT2);
+    emitGetFromCallFrameHeaderPtr(RegisterFile::Callee, regT0);
+    loadPtr(Address(regT0, JSFunction::offsetOfCachedInheritorID()), regT2);
     addSlowCase(branchTestPtr(Zero, regT2));
     
@@ -1288 +1281 @@
     
     emitAllocateJSFinalObject(regT2, regT0, regT1);
-    
     emitPutVirtualRegister(currentInstruction[1].u.operand);
 }
@@ -1294 +1286 @@
 void JIT::emitSlow_op_create_this(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
 {
-    linkSlowCaseIfNotJSCell(iter, currentInstruction[2].u.operand); // not a cell
-    linkSlowCase(iter); // not an object
     linkSlowCase(iter); // doesn't have an inheritor ID
     linkSlowCase(iter); // allocation failed
     JITStubCall stubCall(this, cti_op_create_this);
-    stubCall.addArgument(currentInstruction[2].u.operand, regT1);
     stubCall.call(currentInstruction[1].u.operand);
 }

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -1533 +1533 @@
 void JIT::emit_op_create_this(Instruction* currentInstruction)
 {
-    emitLoad(currentInstruction[2].u.operand, regT1, regT0);
-    emitJumpSlowCaseIfNotJSCell(currentInstruction[2].u.operand, regT1);
-    loadPtr(Address(regT0, JSCell::structureOffset()), regT1);
-    addSlowCase(emitJumpIfNotObject(regT1));
-    
-    // now we know that the prototype is an object, but we don't know if it's got an
-    // inheritor ID
-    
-    loadPtr(Address(regT0, JSObject::offsetOfInheritorID()), regT2);
+    emitGetFromCallFrameHeaderPtr(RegisterFile::Callee, regT0);
+    loadPtr(Address(regT0, JSFunction::offsetOfCachedInheritorID()), regT2);
     addSlowCase(branchTestPtr(Zero, regT2));
     
@@ -1548 +1541 @@
     
     emitAllocateJSFinalObject(regT2, regT0, regT1);
-
     emitStoreCell(currentInstruction[1].u.operand, regT0);
 }
@@ -1554 +1546 @@
 void JIT::emitSlow_op_create_this(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
 {
-    linkSlowCaseIfNotJSCell(iter, currentInstruction[2].u.operand); // not a cell
-    linkSlowCase(iter); // not an object
     linkSlowCase(iter); // doesn't have an inheritor ID
     linkSlowCase(iter); // allocation failed
-    unsigned protoRegister = currentInstruction[2].u.operand;
-    emitLoad(protoRegister, regT1, regT0);
     JITStubCall stubCall(this, cti_op_create_this);
-    stubCall.addArgument(regT1, regT0);
     stubCall.call(currentInstruction[1].u.operand);
 }

trunk/Source/JavaScriptCore/jit/JITStubs.cpp

@@ -1287 +1287 @@
 #endif
 
-    Structure* structure;
-    JSValue proto = stackFrame.args[0].jsValue();
-    if (proto.isObject())
-        structure = asObject(proto)->inheritorID(*stackFrame.globalData);
-    else
-        structure = constructor->scope()->globalObject->emptyObjectStructure();
+    Structure* structure = constructor->cachedInheritorID(callFrame);
     JSValue result = constructEmptyObject(callFrame, structure);
 

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -459 +459 @@
 #endif
     
-    Structure* structure;
-    JSValue proto = LLINT_OP(2).jsValue();
-    if (proto.isObject())
-        structure = asObject(proto)->inheritorID(globalData);
-    else
-        structure = constructor->scope()->globalObject->emptyObjectStructure();
-    
+    Structure* structure = constructor->cachedInheritorID(exec);
     LLINT_RETURN(constructEmptyObject(exec, structure));
 }

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -344 +344 @@
 _llint_op_create_this:
     traceExecution()
-    loadi 8[PC], t0
-    assertNotConstant(t0)
-    bineq TagOffset[cfr, t0, 8], CellTag, .opCreateThisSlow
-    loadi PayloadOffset[cfr, t0, 8], t0
-    loadp JSCell::m_structure[t0], t1
-    bbb Structure::m_typeInfo + TypeInfo::m_type[t1], ObjectType, .opCreateThisSlow
-    loadp JSObject::m_inheritorID[t0], t2
+    loadp Callee[cfr], t0
+    loadp JSFunction::m_cachedInheritorID[t0], t2
     btpz t2, .opCreateThisSlow
     allocateBasicJSObject(JSFinalObjectSizeClassIndex, JSGlobalData::jsFinalObjectClassInfo, t2, t0, t1, t3, .opCreateThisSlow)
@@ -356 +351 @@
     storei CellTag, TagOffset[cfr, t1, 8]
     storei t0, PayloadOffset[cfr, t1, 8]
-    dispatch(3)
+    dispatch(2)
 
 .opCreateThisSlow:
     callSlowPath(_llint_slow_path_create_this)
-    dispatch(3)
+    dispatch(2)
 
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -222 +222 @@
 _llint_op_create_this:
     traceExecution()
-    loadis 16[PB, PC, 8], t0
-    assertNotConstant(t0)
-    loadp [cfr, t0, 8], t0
-    btpnz t0, tagMask, .opCreateThisSlow
-    loadp JSCell::m_structure[t0], t1
-    bbb Structure::m_typeInfo + TypeInfo::m_type[t1], ObjectType, .opCreateThisSlow
-    loadp JSObject::m_inheritorID[t0], t2
+    loadp Callee[cfr], t0
+    loadp JSFunction::m_cachedInheritorID[t0], t2
     btpz t2, .opCreateThisSlow
     allocateBasicJSObject(JSFinalObjectSizeClassIndex, JSGlobalData::jsFinalObjectClassInfo, t2, t0, t1, t3, .opCreateThisSlow)
     loadis 8[PB, PC, 8], t1
     storep t0, [cfr, t1, 8]
-    dispatch(3)
+    dispatch(2)
 
 .opCreateThisSlow:
     callSlowPath(_llint_slow_path_create_this)
-    dispatch(3)
+    dispatch(2)
 
 

trunk/Source/JavaScriptCore/runtime/JSFunction.cpp

@@ -113 +113 @@
 }
 
+Structure* JSFunction::cacheInheritorID(ExecState* exec)
+{
+    JSValue prototype = get(exec, exec->globalData().propertyNames->prototype);
+    if (prototype.isObject())
+        m_cachedInheritorID.set(exec->globalData(), this, asObject(prototype)->inheritorID(exec->globalData()));
+    else
+        m_cachedInheritorID.set(exec->globalData(), this, globalObject()->emptyObjectStructure());
+    return m_cachedInheritorID.get();
+}
+
 const UString& JSFunction::name(ExecState* exec)
 {
@@ -333 +343 @@
         PropertySlot slot;
         thisObject->methodTable()->getOwnPropertySlot(thisObject, exec, propertyName, slot);
+        thisObject->m_cachedInheritorID.clear();
     }
     if (thisObject->jsExecutable()->isStrictMode() && (propertyName == exec->propertyNames().arguments || propertyName == exec->propertyNames().caller)) {
@@ -373 +384 @@
         PropertySlot slot;
         thisObject->methodTable()->getOwnPropertySlot(thisObject, exec, propertyName, slot);
+        thisObject->m_cachedInheritorID.clear();
         return Base::defineOwnProperty(object, exec, propertyName, descriptor, throwException);
     }

trunk/Source/JavaScriptCore/runtime/JSFunction.h

@@ -122 +122 @@
         }
 
+        Structure* cachedInheritorID(ExecState* exec)
+        {
+            if (UNLIKELY(!m_cachedInheritorID))
+                return cacheInheritorID(exec);
+            return m_cachedInheritorID.get();
+        }
+
+        static size_t offsetOfCachedInheritorID()
+        {
+            return OBJECT_OFFSETOF(JSFunction, m_cachedInheritorID);
+        }
+
     protected:
         const static unsigned StructureFlags = OverridesGetOwnPropertySlot | ImplementsHasInstance | OverridesVisitChildren | OverridesGetPropertyNames | JSObject::StructureFlags;
@@ -130 +142 @@
         void finishCreation(ExecState*, NativeExecutable*, int length, const Identifier& name);
         void finishCreation(ExecState*, FunctionExecutable*, ScopeChainNode*);
+
+        Structure* cacheInheritorID(ExecState*);
 
         static bool getOwnPropertySlot(JSCell*, ExecState*, const Identifier&, PropertySlot&);
@@ -153 +167 @@
         WriteBarrier<ExecutableBase> m_executable;
         WriteBarrier<ScopeChainNode> m_scopeChain;
+        WriteBarrier<Structure> m_cachedInheritorID;
     };