Changeset 128096 in webkit

Timestamp:

Sep 10, 2012 1:23:50 PM (12 years ago)

Author:

ggaren@apple.com

Message:

Refactored op_tear_off* to support activations that don't allocate space for 'arguments'
​https://bugs.webkit.org/show_bug.cgi?id=96231

Reviewed by Gavin Barraclough.

This is a step toward smaller activations.

As a side-effect, this patch eliminates a load and branch from the hot path
of activation tear-off by moving it to the cold path of arguments tear-off. Our
optimizing assumptions are that activations are common and that reifying the
arguments object is less common.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dump):

• bytecode/Opcode.h:

(JSC::padOpcodeName): Updated for new opcode lengths.

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::addConstantValue): Added support for JSValue()
in the bytecode, which we use when we have 'arguments' but no activation.

(JSC::BytecodeGenerator::emitReturn): Always emit tear_off_arguments
if we've allocated the arguments registers. This allows tear_off_activation
not to worry about the arguments object anymore.

Also, pass the activation and arguments values directly to these opcodes
instead of requiring the opcodes to infer the values through special
registers. This gives us more flexibility to move or eliminate registers.

• dfg/DFGArgumentsSimplificationPhase.cpp:

(JSC::DFG::ArgumentsSimplificationPhase::run):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGNode.h:

(Node): Updated for new opcode lengths.

• dfg/DFGOperations.cpp: Activation tear-off doesn't worry about the

arguments object anymore. If 'arguments' is in use and reified, it's
responsible for aliasing back to the activation object in tear_off_arguments.

• dfg/DFGOperations.h:
• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callOperation):
(SpeculativeJIT):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile): Don't pass the arguments object to
activation tear-off; do pass the activation object to arguments tear-off.

• interpreter/Interpreter.cpp:

(JSC::Interpreter::privateExecute): Ditto.

• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_tear_off_activation):
(JSC::JIT::emit_op_tear_off_arguments):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_tear_off_activation):
(JSC::JIT::emit_op_tear_off_arguments):

• jit/JITStubs.cpp:

(JSC::DEFINE_STUB_FUNCTION):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm: Same change in a few more execution engines.

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/CodeBlock.cpp (modified) (1 diff)
• bytecode/Opcode.h (modified) (1 diff)
• bytecompiler/BytecodeGenerator.cpp (modified) (6 diffs)
• bytecompiler/BytecodeGenerator.h (modified) (2 diffs)
• dfg/DFGArgumentsSimplificationPhase.cpp (modified) (1 diff)
• dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• dfg/DFGNode.h (modified) (1 diff)
• dfg/DFGOperations.cpp (modified) (1 diff)
• dfg/DFGOperations.h (modified) (2 diffs)
• dfg/DFGSpeculativeJIT.h (modified) (5 diffs)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (3 diffs)
• dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• interpreter/Interpreter.cpp (modified) (3 diffs)
• jit/JITOpcodes.cpp (modified) (1 diff)
• jit/JITOpcodes32_64.cpp (modified) (2 diffs)
• jit/JITStubs.cpp (modified) (1 diff)
• llint/LLIntSlowPaths.cpp (modified) (2 diffs)
• llint/LowLevelInterpreter32_64.asm (modified) (2 diffs)
• llint/LowLevelInterpreter64.asm (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-09-09  Geoffrey Garen  <ggaren@apple.com>
+
+        Refactored op_tear_off* to support activations that don't allocate space for 'arguments'
+        https://bugs.webkit.org/show_bug.cgi?id=96231
+
+        Reviewed by Gavin Barraclough.
+
+        This is a step toward smaller activations.
+
+        As a side-effect, this patch eliminates a load and branch from the hot path
+        of activation tear-off by moving it to the cold path of arguments tear-off. Our
+        optimizing assumptions are that activations are common and that reifying the
+        arguments object is less common.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::dump):
+        * bytecode/Opcode.h:
+        (JSC::padOpcodeName): Updated for new opcode lengths.
+
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::BytecodeGenerator):
+        (JSC::BytecodeGenerator::addConstantValue): Added support for JSValue()
+        in the bytecode, which we use when we have 'arguments' but no activation.
+
+        (JSC::BytecodeGenerator::emitReturn): Always emit tear_off_arguments
+        if we've allocated the arguments registers. This allows tear_off_activation
+        not to worry about the arguments object anymore.
+
+        Also, pass the activation and arguments values directly to these opcodes
+        instead of requiring the opcodes to infer the values through special
+        registers. This gives us more flexibility to move or eliminate registers.
+
+        * dfg/DFGArgumentsSimplificationPhase.cpp:
+        (JSC::DFG::ArgumentsSimplificationPhase::run):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGNode.h:
+        (Node): Updated for new opcode lengths.
+
+        * dfg/DFGOperations.cpp: Activation tear-off doesn't worry about the
+        arguments object anymore. If 'arguments' is in use and reified, it's
+        responsible for aliasing back to the activation object in tear_off_arguments.
+
+        * dfg/DFGOperations.h:
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callOperation):
+        (SpeculativeJIT):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile): Don't pass the arguments object to
+        activation tear-off; do pass the activation object to arguments tear-off.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::privateExecute): Ditto.
+
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_tear_off_activation):
+        (JSC::JIT::emit_op_tear_off_arguments):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_tear_off_activation):
+        (JSC::JIT::emit_op_tear_off_arguments):
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm: Same change in a few more execution engines.
+
 2012-09-10  Patrick Gansterer  <paroga@webkit.org>
 

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -1408 +1408 @@
         case op_tear_off_activation: {
             int r0 = (++it)->u.operand;
+            dataLog("[%4d] tear_off_activation\t %s", location, registerName(exec, r0).data());
+            dumpBytecodeCommentAndNewLine(location);
+            break;
+        }
+        case op_tear_off_arguments: {
+            int r0 = (++it)->u.operand;
             int r1 = (++it)->u.operand;
-            dataLog("[%4d] tear_off_activation\t %s, %s", location, registerName(exec, r0).data(), registerName(exec, r1).data());
-            dumpBytecodeCommentAndNewLine(location);
-            break;
-        }
-        case op_tear_off_arguments: {
-            int r0 = (++it)->u.operand;
-            dataLog("[%4d] tear_off_arguments %s", location, registerName(exec, r0).data());
+            dataLog("[%4d] tear_off_arguments %s, %s", location, registerName(exec, r0).data(), registerName(exec, r1).data());
             dumpBytecodeCommentAndNewLine(location);
             break;

trunk/Source/JavaScriptCore/bytecode/Opcode.h

@@ -175 +175 @@
         macro(op_call_eval, 6) \
         macro(op_call_varargs, 5) \
-        macro(op_tear_off_activation, 3) \
-        macro(op_tear_off_arguments, 2) \
+        macro(op_tear_off_activation, 2) \
+        macro(op_tear_off_arguments, 3) \
         macro(op_ret, 2) \
         macro(op_call_put_result, 3) /* has value profiling */ \

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -273 +273 @@
     , m_codeBlock(codeBlock)
     , m_thisRegister(CallFrame::thisArgumentOffset())
+    , m_emptyValueRegister(0)
     , m_finallyDepth(0)
     , m_dynamicScopeDepth(0)
@@ -354 +355 @@
     , m_codeBlock(codeBlock)
     , m_activationRegister(0)
+    , m_emptyValueRegister(0)
     , m_finallyDepth(0)
     , m_dynamicScopeDepth(0)
@@ -387 +389 @@
     }
 
-    // Both op_tear_off_activation and op_tear_off_arguments tear off the 'arguments'
-    // object, if created.
     if (m_codeBlock->needsFullScopeChain() || functionBody->usesArguments()) {
         RegisterID* unmodifiedArgumentsRegister = addVar(); // Anonymous, so it can't be modified by user code.
@@ -527 +527 @@
     , m_codeBlock(codeBlock)
     , m_thisRegister(CallFrame::thisArgumentOffset())
+    , m_emptyValueRegister(0)
     , m_finallyDepth(0)
     , m_dynamicScopeDepth(0)
@@ -1112 +1113 @@
 }
 
+// We can't hash JSValue(), so we use a dedicated data member to cache it.
+RegisterID* BytecodeGenerator::addConstantEmptyValue()
+{
+    if (!m_emptyValueRegister) {
+        int index = m_nextConstantOffset;
+        m_constantPoolRegisters.append(FirstConstantRegisterIndex + m_nextConstantOffset);
+        ++m_nextConstantOffset;
+        m_codeBlock->addConstant(JSValue());
+        m_emptyValueRegister = &m_constantPoolRegisters[index];
+    }
+
+    return m_emptyValueRegister;
+}
+
 RegisterID* BytecodeGenerator::addConstantValue(JSValue v)
 {
+    if (!v)
+        return addConstantEmptyValue();
+
     int index = m_nextConstantOffset;
-
     JSValueMap::AddResult result = m_jsValueMap.add(JSValue::encode(v), m_nextConstantOffset);
     if (result.isNewEntry) {
         m_constantPoolRegisters.append(FirstConstantRegisterIndex + m_nextConstantOffset);
         ++m_nextConstantOffset;
-        m_codeBlock->addConstant(JSValue(v));
+        m_codeBlock->addConstant(v);
     } else
         index = result.iterator->second;
-
     return &m_constantPoolRegisters[index];
 }
@@ -2047 +2063 @@
         emitOpcode(op_tear_off_activation);
         instructions().append(m_activationRegister->index());
-        instructions().append(m_codeBlock->argumentsRegister());
-    } else if (m_codeBlock->usesArguments() && m_codeBlock->numParameters() != 1 && !m_codeBlock->isStrictMode()) {
+    }
+
+    if (m_codeBlock->usesArguments() && m_codeBlock->numParameters() != 1 && !m_codeBlock->isStrictMode()) {
         emitOpcode(op_tear_off_arguments);
         instructions().append(m_codeBlock->argumentsRegister());
+        instructions().append(m_activationRegister ? m_activationRegister->index() : emitLoad(0, JSValue())->index());
     }
 

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -638 +638 @@
         unsigned addConstant(const Identifier&);
         RegisterID* addConstantValue(JSValue);
+        RegisterID* addConstantEmptyValue();
         unsigned addRegExp(RegExp*);
 
@@ -714 +715 @@
         RegisterID m_calleeRegister;
         RegisterID* m_activationRegister;
+        RegisterID* m_emptyValueRegister;
         SegmentedVector<RegisterID, 32> m_constantPoolRegisters;
         SegmentedVector<RegisterID, 32> m_calleeRegisters;

trunk/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp

@@ -617 +617 @@
                     node.setOpAndDefaultFlags(Nop);
                     m_graph.clearAndDerefChild1(node);
+                    m_graph.clearAndDerefChild2(node);
                     node.setRefCount(0);
                     break;

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -2856 +2856 @@
             
         case op_tear_off_activation: {
-            addToGraph(TearOffActivation, OpInfo(unmodifiedArgumentsRegister(currentInstruction[2].u.operand)), get(currentInstruction[1].u.operand), get(currentInstruction[2].u.operand));
+            addToGraph(TearOffActivation, get(currentInstruction[1].u.operand));
             NEXT_OPCODE(op_tear_off_activation);
         }
-            
+
         case op_tear_off_arguments: {
             m_graph.m_hasArguments = true;
-            addToGraph(TearOffArguments, get(unmodifiedArgumentsRegister(currentInstruction[1].u.operand)));
+            addToGraph(TearOffArguments, get(unmodifiedArgumentsRegister(currentInstruction[1].u.operand)), get(currentInstruction[2].u.operand));
             NEXT_OPCODE(op_tear_off_arguments);
         }

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -338 +338 @@
     }
     
-    VirtualRegister unmodifiedArgumentsRegister()
-    {
-        ASSERT(op() == TearOffActivation);
-        return static_cast<VirtualRegister>(m_opInfo);
-    }
-    
     VirtualRegister unlinkedLocal()
     {

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -1166 +1166 @@
 }
 
-void DFG_OPERATION operationTearOffActivation(ExecState* exec, JSCell* activationCell, int32_t unmodifiedArgumentsRegister)
+void DFG_OPERATION operationTearOffActivation(ExecState* exec, JSCell* activationCell)
 {
     JSGlobalData& globalData = exec->globalData();
     NativeCallFrameTracer tracer(&globalData, exec);
-    if (!activationCell) {
-        if (JSValue v = exec->uncheckedR(unmodifiedArgumentsRegister).jsValue()) {
-            if (!exec->codeBlock()->isStrictMode())
-                asArguments(v)->tearOff(exec);
-        }
+    jsCast<JSActivation*>(activationCell)->tearOff(exec->globalData());
+}
+
+void DFG_OPERATION operationTearOffArguments(ExecState* exec, JSCell* argumentsCell, JSCell* activationCell)
+{
+    ASSERT(exec->codeBlock()->usesArguments());
+    if (activationCell) {
+        jsCast<Arguments*>(argumentsCell)->didTearOffActivation(exec->globalData(), jsCast<JSActivation*>(activationCell));
         return;
     }
-    JSActivation* activation = jsCast<JSActivation*>(activationCell);
-    activation->tearOff(exec->globalData());
-    if (JSValue v = exec->uncheckedR(unmodifiedArgumentsRegister).jsValue())
-        asArguments(v)->didTearOffActivation(exec->globalData(), activation);
-}
-
-
-void DFG_OPERATION operationTearOffArguments(ExecState* exec, JSCell* argumentsCell)
-{
-    ASSERT(exec->codeBlock()->usesArguments());
-    ASSERT(!exec->codeBlock()->needsFullScopeChain());
-    asArguments(argumentsCell)->tearOff(exec);
+    jsCast<Arguments*>(argumentsCell)->tearOff(exec);
 }
 
 void DFG_OPERATION operationTearOffInlinedArguments(
-    ExecState* exec, JSCell* argumentsCell, InlineCallFrame* inlineCallFrame)
-{
-    // This should only be called when the inline code block uses arguments but does not
-    // need a full scope chain. We could assert it, except that the assertion would be
-    // rather expensive and may cause side effects that would greatly diverge debug-mode
-    // behavior from release-mode behavior, since getting the code block of an inline
-    // call frame implies call frame reification.
-    asArguments(argumentsCell)->tearOff(exec, inlineCallFrame);
+    ExecState* exec, JSCell* argumentsCell, JSCell* activationCell, InlineCallFrame* inlineCallFrame)
+{
+    ASSERT_UNUSED(activationCell, !activationCell); // Currently, we don't inline functions with activations.
+    jsCast<Arguments*>(argumentsCell)->tearOff(exec, inlineCallFrame);
 }
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -99 +99 @@
 typedef void DFG_OPERATION (*V_DFGOperation_EC)(ExecState*, JSCell*);
 typedef void DFG_OPERATION (*V_DFGOperation_ECIcf)(ExecState*, JSCell*, InlineCallFrame*);
+typedef void DFG_OPERATION (*V_DFGOperation_ECCIcf)(ExecState*, JSCell*, JSCell*, InlineCallFrame*);
 typedef void DFG_OPERATION (*V_DFGOperation_ECJJ)(ExecState*, JSCell*, EncodedJSValue, EncodedJSValue);
 typedef void DFG_OPERATION (*V_DFGOperation_ECZ)(ExecState*, JSCell*, int32_t);
+typedef void DFG_OPERATION (*V_DFGOperation_ECC)(ExecState*, JSCell*, JSCell*);
 typedef void DFG_OPERATION (*V_DFGOperation_EJCI)(ExecState*, EncodedJSValue, JSCell*, Identifier*);
 typedef void DFG_OPERATION (*V_DFGOperation_EJJJ)(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue);
@@ -174 +176 @@
 JSCell* DFG_OPERATION operationCreateArguments(ExecState*) WTF_INTERNAL;
 JSCell* DFG_OPERATION operationCreateInlinedArguments(ExecState*, InlineCallFrame*) WTF_INTERNAL;
-void DFG_OPERATION operationTearOffActivation(ExecState*, JSCell*, int32_t unmodifiedArgumentsRegister) WTF_INTERNAL;
-void DFG_OPERATION operationTearOffArguments(ExecState*, JSCell*) WTF_INTERNAL;
-void DFG_OPERATION operationTearOffInlinedArguments(ExecState*, JSCell*, InlineCallFrame*) WTF_INTERNAL;
+void DFG_OPERATION operationTearOffActivation(ExecState*, JSCell*) WTF_INTERNAL;
+void DFG_OPERATION operationTearOffArguments(ExecState*, JSCell*, JSCell*) WTF_INTERNAL;
+void DFG_OPERATION operationTearOffInlinedArguments(ExecState*, JSCell*, JSCell*, InlineCallFrame*) WTF_INTERNAL;
 EncodedJSValue DFG_OPERATION operationGetArgumentsLength(ExecState*, int32_t) WTF_INTERNAL;
 EncodedJSValue DFG_OPERATION operationGetInlinedArgumentByVal(ExecState*, int32_t, InlineCallFrame*, int32_t) WTF_INTERNAL;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1354 +1354 @@
         return appendCallWithExceptionCheck(operation);
     }
+    JITCompiler::Call callOperation(V_DFGOperation_ECCIcf operation, GPRReg arg1, GPRReg arg2, InlineCallFrame* arg3)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, arg2, TrustedImmPtr(arg3));
+        return appendCallWithExceptionCheck(operation);
+    }
     JITCompiler::Call callOperation(V_DFGOperation_EJPP operation, GPRReg arg1, GPRReg arg2, void* pointer)
     {
@@ -1387 +1392 @@
     {
         m_jit.setupArgumentsWithExecState(arg1, TrustedImm32(arg2));
+        return appendCallWithExceptionCheck(operation);
+    }
+    JITCompiler::Call callOperation(V_DFGOperation_ECC operation, GPRReg arg1, GPRReg arg2)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, arg2);
         return appendCallWithExceptionCheck(operation);
     }
@@ -1652 +1662 @@
         return appendCallWithExceptionCheck(operation);
     }
+    JITCompiler::Call callOperation(V_DFGOperation_ECCIcf operation, GPRReg arg1, GPRReg arg2, InlineCallFrame* inlineCallFrame)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, arg2, TrustedImmPtr(inlineCallFrame));
+        return appendCallWithExceptionCheck(operation);
+    }
     JITCompiler::Call callOperation(V_DFGOperation_EJPP operation, GPRReg arg1Tag, GPRReg arg1Payload, GPRReg arg2, void* pointer)
     {
@@ -1672 +1687 @@
         return appendCallWithExceptionCheck(operation);
     }
+    JITCompiler::Call callOperation(V_DFGOperation_ECC operation, GPRReg arg1, GPRReg arg2)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, arg2);
+        return appendCallWithExceptionCheck(operation);
+    }
     JITCompiler::Call callOperation(V_DFGOperation_EPZJ operation, GPRReg arg1, GPRReg arg2, GPRReg arg3Tag, GPRReg arg3Payload)
     {
@@ -1696 +1716 @@
     {
         return callOperation(operation, arg1, arg2);
+    }
+    template<typename FunctionType, typename ArgumentType1, typename ArgumentType2, typename ArgumentType3>
+    JITCompiler::Call callOperation(FunctionType operation, NoResultTag, ArgumentType1 arg1, ArgumentType2 arg2, ArgumentType3 arg3)
+    {
+        return callOperation(operation, arg1, arg2, arg3);
     }
     template<typename FunctionType, typename ArgumentType1, typename ArgumentType2, typename ArgumentType3, typename ArgumentType4>

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -4024 +4024 @@
     case TearOffActivation: {
         JSValueOperand activationValue(this, node.child1());
-        JSValueOperand argumentsValue(this, node.child2());
         
         GPRReg activationValueTagGPR = activationValue.tagGPR();
         GPRReg activationValuePayloadGPR = activationValue.payloadGPR();
-        GPRReg argumentsValueTagGPR = argumentsValue.tagGPR();
-        
-        JITCompiler::JumpList created;
-        created.append(m_jit.branch32(JITCompiler::NotEqual, activationValueTagGPR, TrustedImm32(JSValue::EmptyValueTag)));
-        created.append(m_jit.branch32(JITCompiler::NotEqual, argumentsValueTagGPR, TrustedImm32(JSValue::EmptyValueTag)));
-        
+
+        JITCompiler::Jump created = m_jit.branch32(JITCompiler::NotEqual, activationValueTagGPR, TrustedImm32(JSValue::EmptyValueTag));
+
         addSlowPathGenerator(
             slowPathCall(
-                created, this, operationTearOffActivation, NoResult, activationValuePayloadGPR,
-                static_cast<int32_t>(node.unmodifiedArgumentsRegister())));
+                created, this, operationTearOffActivation, NoResult, activationValuePayloadGPR));
         
         noResult(m_compileIndex);
@@ -4044 +4039 @@
         
     case TearOffArguments: {
-        JSValueOperand argumentsValue(this, node.child1());
-        GPRReg argumentsValueTagGPR = argumentsValue.tagGPR();
-        GPRReg argumentsValuePayloadGPR = argumentsValue.payloadGPR();
-        
-        JITCompiler::Jump created = m_jit.branch32(
-            JITCompiler::NotEqual, argumentsValueTagGPR, TrustedImm32(JSValue::EmptyValueTag));
+        JSValueOperand unmodifiedArgumentsValue(this, node.child1());
+        JSValueOperand activationValue(this, node.child2());
+        GPRReg unmodifiedArgumentsValuePayloadGPR = unmodifiedArgumentsValue.payloadGPR();
+        GPRReg activationValuePayloadGPR = activationValue.payloadGPR();
+        
+        JITCompiler::Jump created = m_jit.branchTest32(
+            JITCompiler::NonZero, unmodifiedArgumentsValuePayloadGPR);
         
         if (node.codeOrigin.inlineCallFrame) {
@@ -4055 +4051 @@
                 slowPathCall(
                     created, this, operationTearOffInlinedArguments, NoResult,
-                    argumentsValuePayloadGPR, node.codeOrigin.inlineCallFrame));
+                    unmodifiedArgumentsValuePayloadGPR, activationValuePayloadGPR, node.codeOrigin.inlineCallFrame));
         } else {
             addSlowPathGenerator(
                 slowPathCall(
                     created, this, operationTearOffArguments, NoResult,
-                    argumentsValuePayloadGPR));
+                    unmodifiedArgumentsValuePayloadGPR, activationValuePayloadGPR));
         }
         

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -3973 +3973 @@
         break;
     }
-        
+
     case TearOffActivation: {
         ASSERT(!node.codeOrigin.inlineCallFrame);
 
         JSValueOperand activationValue(this, node.child1());
-        JSValueOperand argumentsValue(this, node.child2());
         GPRReg activationValueGPR = activationValue.gpr();
-        GPRReg argumentsValueGPR = argumentsValue.gpr();
-        
-        JITCompiler::JumpList created;
-        created.append(m_jit.branchTestPtr(JITCompiler::NonZero, activationValueGPR));
-        created.append(m_jit.branchTestPtr(JITCompiler::NonZero, argumentsValueGPR));
+
+        JITCompiler::Jump created = m_jit.branchTestPtr(JITCompiler::NonZero, activationValueGPR);
         
         addSlowPathGenerator(
             slowPathCall(
-                created, this, operationTearOffActivation, NoResult, activationValueGPR,
-                static_cast<int32_t>(node.unmodifiedArgumentsRegister())));
+                created, this, operationTearOffActivation, NoResult, activationValueGPR));
         
         noResult(m_compileIndex);
         break;
     }
-        
+
     case TearOffArguments: {
-        JSValueOperand argumentsValue(this, node.child1());
-        GPRReg argumentsValueGPR = argumentsValue.gpr();
-        
-        JITCompiler::Jump created = m_jit.branchTestPtr(JITCompiler::NonZero, argumentsValueGPR);
-        
+        JSValueOperand unmodifiedArgumentsValue(this, node.child1());
+        JSValueOperand activationValue(this, node.child2());
+        GPRReg unmodifiedArgumentsValueGPR = unmodifiedArgumentsValue.gpr();
+        GPRReg activationValueGPR = activationValue.gpr();
+
+        JITCompiler::Jump created = m_jit.branchTestPtr(JITCompiler::NonZero, unmodifiedArgumentsValueGPR);
+
         if (node.codeOrigin.inlineCallFrame) {
             addSlowPathGenerator(
                 slowPathCall(
                     created, this, operationTearOffInlinedArguments, NoResult,
-                    argumentsValueGPR, node.codeOrigin.inlineCallFrame));
+                    unmodifiedArgumentsValueGPR, activationValueGPR, node.codeOrigin.inlineCallFrame));
         } else {
             addSlowPathGenerator(
                 slowPathCall(
-                    created, this, operationTearOffArguments, NoResult, argumentsValueGPR));
+                    created, this, operationTearOffArguments, NoResult, unmodifiedArgumentsValueGPR, activationValueGPR));
         }
         

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -4476 +4476 @@
     }
     DEFINE_OPCODE(op_tear_off_activation) {
-        /* tear_off_activation activation(r) arguments(r)
+        /* tear_off_activation activation(r)
 
            Copy locals and named parameters from the register file to the heap.
-           Point the bindings in 'activation' and 'arguments' to this new backing
-           store. (Note that 'arguments' may not have been created. If created,
-           'arguments' already holds a copy of any extra / unnamed parameters.)
+           Point the bindings in 'activation' to this new backing store.
 
            This opcode appears before op_ret in functions that require full scope chains.
@@ -4487 +4485 @@
 
         int activation = vPC[1].u.operand;
-        int arguments = vPC[2].u.operand;
         ASSERT(codeBlock->needsFullScopeChain());
         JSValue activationValue = callFrame->r(activation).jsValue();
-        if (activationValue) {
+        if (activationValue)
             asActivation(activationValue)->tearOff(*globalData);
 
-            if (JSValue argumentsValue = callFrame->r(unmodifiedArgumentsRegister(arguments)).jsValue())
-                asArguments(argumentsValue)->didTearOffActivation(*globalData, asActivation(activationValue));
-        } else if (JSValue argumentsValue = callFrame->r(unmodifiedArgumentsRegister(arguments)).jsValue()) {
-            if (!codeBlock->isStrictMode())
-                asArguments(argumentsValue)->tearOff(callFrame);
-        }
-
         vPC += OPCODE_LENGTH(op_tear_off_activation);
         NEXT_INSTRUCTION();
     }
     DEFINE_OPCODE(op_tear_off_arguments) {
-        /* tear_off_arguments arguments(r)
+        /* tear_off_arguments arguments(r) activation(r)
 
            Copy named parameters from the register file to the heap. Point the
-           bindings in 'arguments' to this new backing store. (Note that
-           'arguments' may not have been created. If created, 'arguments' already
-           holds a copy of any extra / unnamed parameters.)
+           bindings in 'arguments' to this new backing store. (If 'activation'
+           was also copied to the heap, 'arguments' will point to its storage.)
 
            This opcode appears before op_ret in functions that don't require full
@@ -4515 +4504 @@
         */
 
-        int src1 = vPC[1].u.operand;
-        ASSERT(!codeBlock->needsFullScopeChain() && codeBlock->ownerExecutable()->usesArguments());
-
-        if (JSValue arguments = callFrame->r(unmodifiedArgumentsRegister(src1)).jsValue())
-            asArguments(arguments)->tearOff(callFrame);
+        int arguments = vPC[1].u.operand;
+        int activation = vPC[2].u.operand;
+        ASSERT(codeBlock->usesArguments());
+        if (JSValue argumentsValue = callFrame->r(unmodifiedArgumentsRegister(arguments)).jsValue()) {
+            if (JSValue activationValue = callFrame->r(activation).jsValue())
+                asArguments(argumentsValue)->didTearOffActivation(callFrame->globalData(), asActivation(activationValue));
+            else
+                asArguments(argumentsValue)->tearOff(callFrame);
+        }
 
         vPC += OPCODE_LENGTH(op_tear_off_arguments);

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -560 +560 @@
 void JIT::emit_op_tear_off_activation(Instruction* currentInstruction)
 {
-    unsigned activation = currentInstruction[1].u.operand;
-    unsigned arguments = currentInstruction[2].u.operand;
-    Jump activationCreated = branchTestPtr(NonZero, addressFor(activation));
-    Jump argumentsNotCreated = branchTestPtr(Zero, addressFor(arguments));
-    activationCreated.link(this);
+    int activation = currentInstruction[1].u.operand;
+    Jump activationNotCreated = branchTestPtr(Zero, addressFor(activation));
     JITStubCall stubCall(this, cti_op_tear_off_activation);
     stubCall.addArgument(activation, regT2);
-    stubCall.addArgument(unmodifiedArgumentsRegister(arguments), regT2);
-    stubCall.call();
-    argumentsNotCreated.link(this);
+    stubCall.call();
+    activationNotCreated.link(this);
 }
 
 void JIT::emit_op_tear_off_arguments(Instruction* currentInstruction)
 {
-    unsigned dst = currentInstruction[1].u.operand;
+    int dst = currentInstruction[1].u.operand;
+    int activation = currentInstruction[2].u.operand;
 
     Jump argsNotCreated = branchTestPtr(Zero, Address(callFrameRegister, sizeof(Register) * (unmodifiedArgumentsRegister(dst))));
     JITStubCall stubCall(this, cti_op_tear_off_arguments);
     stubCall.addArgument(unmodifiedArgumentsRegister(dst), regT2);
+    stubCall.addArgument(activation, regT2);
     stubCall.call();
     argsNotCreated.link(this);

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -704 +704 @@
 {
     unsigned activation = currentInstruction[1].u.operand;
-    unsigned arguments = currentInstruction[2].u.operand;
-    Jump activationCreated = branch32(NotEqual, tagFor(activation), TrustedImm32(JSValue::EmptyValueTag));
-    Jump argumentsNotCreated = branch32(Equal, tagFor(arguments), TrustedImm32(JSValue::EmptyValueTag));
-    activationCreated.link(this);
+    Jump activationNotCreated = branch32(Equal, tagFor(activation), TrustedImm32(JSValue::EmptyValueTag));
     JITStubCall stubCall(this, cti_op_tear_off_activation);
-    stubCall.addArgument(currentInstruction[1].u.operand);
-    stubCall.addArgument(unmodifiedArgumentsRegister(currentInstruction[2].u.operand));
+    stubCall.addArgument(activation);
     stubCall.call();
-    argumentsNotCreated.link(this);
+    activationNotCreated.link(this);
 }
 
@@ -718 +714 @@
 {
     int dst = currentInstruction[1].u.operand;
+    int activation = currentInstruction[1].u.operand;
 
     Jump argsNotCreated = branch32(Equal, tagFor(unmodifiedArgumentsRegister(dst)), TrustedImm32(JSValue::EmptyValueTag));
     JITStubCall stubCall(this, cti_op_tear_off_arguments);
     stubCall.addArgument(unmodifiedArgumentsRegister(dst));
+    stubCall.addArgument(activation);
     stubCall.call();
     argsNotCreated.link(this);

trunk/Source/JavaScriptCore/jit/JITStubs.cpp

@@ -2312 +2312 @@
     STUB_INIT_STACK_FRAME(stackFrame);
 
-    CallFrame* callFrame = stackFrame.callFrame;
-    ASSERT(callFrame->codeBlock()->needsFullScopeChain());
-    JSValue activationValue = stackFrame.args[0].jsValue();
-    if (!activationValue) {
-        if (JSValue v = stackFrame.args[1].jsValue()) {
-            if (!callFrame->codeBlock()->isStrictMode())
-                asArguments(v)->tearOff(callFrame);
-        }
+    ASSERT(stackFrame.callFrame->codeBlock()->needsFullScopeChain());
+    jsCast<JSActivation*>(stackFrame.args[0].jsValue())->tearOff(*stackFrame.globalData);
+}
+
+DEFINE_STUB_FUNCTION(void, op_tear_off_arguments)
+{
+    STUB_INIT_STACK_FRAME(stackFrame);
+
+    CallFrame* callFrame = stackFrame.callFrame;
+    ASSERT(callFrame->codeBlock()->usesArguments());
+    Arguments* arguments = jsCast<Arguments*>(stackFrame.args[0].jsValue());
+    if (JSValue activationValue = stackFrame.args[1].jsValue()) {
+        arguments->didTearOffActivation(callFrame->globalData(), jsCast<JSActivation*>(activationValue));
         return;
     }
-    JSActivation* activation = asActivation(stackFrame.args[0].jsValue());
-    activation->tearOff(*stackFrame.globalData);
-    if (JSValue v = stackFrame.args[1].jsValue())
-        asArguments(v)->didTearOffActivation(*stackFrame.globalData, activation);
-}
-
-DEFINE_STUB_FUNCTION(void, op_tear_off_arguments)
-{
-    STUB_INIT_STACK_FRAME(stackFrame);
-
-    CallFrame* callFrame = stackFrame.callFrame;
-    ASSERT(callFrame->codeBlock()->usesArguments() && !callFrame->codeBlock()->needsFullScopeChain());
-    asArguments(stackFrame.args[0].jsValue())->tearOff(callFrame);
+    arguments->tearOff(callFrame);
 }
 

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -1455 +1455 @@
     LLINT_BEGIN();
     ASSERT(exec->codeBlock()->needsFullScopeChain());
-    JSValue activationValue = LLINT_OP(1).jsValue();
-    if (!activationValue) {
-        if (JSValue v = exec->uncheckedR(unmodifiedArgumentsRegister(pc[2].u.operand)).jsValue()) {
-            if (!exec->codeBlock()->isStrictMode())
-                asArguments(v)->tearOff(exec);
-        }
-        LLINT_END();
-    }
-    JSActivation* activation = asActivation(activationValue);
-    activation->tearOff(globalData);
-    if (JSValue v = exec->uncheckedR(unmodifiedArgumentsRegister(pc[2].u.operand)).jsValue())
-        asArguments(v)->didTearOffActivation(globalData, activation);
+    jsCast<JSActivation*>(LLINT_OP(1).jsValue())->tearOff(globalData);
     LLINT_END();
 }
@@ -1473 +1462 @@
 {
     LLINT_BEGIN();
-    ASSERT(exec->codeBlock()->usesArguments() && !exec->codeBlock()->needsFullScopeChain());
-    asArguments(exec->uncheckedR(unmodifiedArgumentsRegister(pc[1].u.operand)).jsValue())->tearOff(exec);
+    ASSERT(exec->codeBlock()->usesArguments());
+    Arguments* arguments = jsCast<Arguments*>(exec->uncheckedR(unmodifiedArgumentsRegister(pc[1].u.operand)).jsValue());
+    if (JSValue activationValue = LLINT_OP_C(2).jsValue())
+        arguments->didTearOffActivation(globalData, jsCast<JSActivation*>(activationValue));
+    else
+        arguments->tearOff(exec);
     LLINT_END();
 }

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -1640 +1640 @@
     traceExecution()
     loadi 4[PC], t0
-    loadi 8[PC], t1
-    bineq TagOffset[cfr, t0, 8], EmptyValueTag, .opTearOffActivationCreated
-    bieq TagOffset[cfr, t1, 8], EmptyValueTag, .opTearOffActivationNotCreated
-.opTearOffActivationCreated:
+    bieq TagOffset[cfr, t0, 8], EmptyValueTag, .opTearOffActivationNotCreated
     callSlowPath(_llint_slow_path_tear_off_activation)
 .opTearOffActivationNotCreated:
-    dispatch(3)
+    dispatch(2)
 
 
@@ -1656 +1653 @@
     callSlowPath(_llint_slow_path_tear_off_arguments)
 .opTearOffArgumentsNotCreated:
-    dispatch(2)
+    dispatch(3)
 
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -1484 +1484 @@
     traceExecution()
     loadis 8[PB, PC, 8], t0
-    loadis 16[PB, PC, 8], t1
-    btpnz [cfr, t0, 8], .opTearOffActivationCreated
-    btpz [cfr, t1, 8], .opTearOffActivationNotCreated
-.opTearOffActivationCreated:
+    btpz [cfr, t0, 8], .opTearOffActivationNotCreated
     callSlowPath(_llint_slow_path_tear_off_activation)
 .opTearOffActivationNotCreated:
-    dispatch(3)
+    dispatch(2)
 
 
@@ -1500 +1497 @@
     callSlowPath(_llint_slow_path_tear_off_arguments)
 .opTearOffArgumentsNotCreated:
-    dispatch(2)
+    dispatch(3)