Changeset 138921 in webkit

Timestamp:

Jan 6, 2013 6:24:58 PM (11 years ago)

Author:

fpizlo@apple.com

Message:

DFG should inline closure calls
​https://bugs.webkit.org/show_bug.cgi?id=106067

Reviewed by Gavin Barraclough.

This adds initial support for inlining closure calls to the DFG. A call is considered
to be a closure call when the JSFunction* varies, but always has the same executable.
We already have closure call inline caching in both JITs, which works by checking that
the callee has an expected structure (as a cheap way of detecting that it is in fact
a JSFunction) and an expected executable. Closure call inlining uses profiling data
aggregated by CallLinkStatus to decide when to specialize the call to the particular
structure/executable, and inline the call rather than emitting a call sequence. When
we choose to do a closure inline rather than an ordinary inline, a number of things
change about how inlining is performed:

• The inline is guarded by a CheckStructure/CheckExecutable rather than a CheckFunction.

• Instead of propagating a constant value for the scope, we emit GetMyScope every time that the scope is needed, which loads the scope from a local variable. We do similar things for the callee.

• The prologue of the inlined code includes SetMyScope and SetCallee nodes to eagerly plant the scope and callee into the "true call frame", i.e. the place on the stack where the call frame would have been if the call had been actually performed. This allows GetMyScope/GetCallee to work as they would if the code wasn't inlined. It also allows for trivial handling of scope and callee for call frame reconstruction upon stack introspection and during OSR.

• A new node called GetScope is introduced, which just gets the scope of a function. This node has the expected CSE support. This allows for the SetMyScope(GetScope(@function)) sequence to set up the scope in the true call frame.

• GetMyScope/GetCallee CSE can match against SetMyScope/SetCallee, which means that the GetMyScope/GetCallee nodes emitted during parsing are often removed during CSE, if we can prove that it is safe to do so.

• Inlining heuristics are adjusted to grok the cost of inlining a closure. We are less likely to inline a closure call than we are to inline a normal call, since we end up emitting more code for closures due to CheckStructure, CheckExecutable, GetScope, SetMyScope, and SetCallee.

Additionally, I've fixed the VariableEventStream to ensure that we don't attempt to
plant Undefined into the true call frames. This was previously a harmless oversight,
but it becomes quite bad if OSR is relying on the scope/callee already having been
set and not subsequently clobbered by the OSR itself.

This is a ~60% speed-up on programs that frequently make calls to closures. It's
neutral on V8v7 and other major benchmark suites.

The lack of a definite speed-up is likely due the fact that closure inlining currently
does not do any cardinality [1] optimizations. We don't observe when a closure was
constructed within its caller, and so used the scope from its caller; and furthermore
we have no facility to detect when the scope is single. All scoped variable accesses
are assumed to be multiple instead. A subsequent step will be to ensure that closure
call inlining will be single and loving it.

[1] Single and loving it: Must-alias analysis for higher-order languages. Suresh

Jagannathan, Peter Thiemann, Stephen Weeks, and Andrew Wright. In POPL '98.

• bytecode/CallLinkStatus.cpp:

(JSC::CallLinkStatus::dump):

• bytecode/CallLinkStatus.h:

(JSC::CallLinkStatus::isClosureCall):
(CallLinkStatus):

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::globalObjectFor):
(JSC):

• bytecode/CodeBlock.h:

(CodeBlock):

• bytecode/CodeOrigin.cpp:

(JSC::InlineCallFrame::dump):

• dfg/DFGAbstractState.cpp:

(JSC::DFG::AbstractState::execute):

• dfg/DFGByteCodeParser.cpp:

(ByteCodeParser):
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::emitFunctionChecks):
(JSC::DFG::ByteCodeParser::handleInlining):

• dfg/DFGCSEPhase.cpp:

(JSC::DFG::CSEPhase::pureCSE):
(CSEPhase):
(JSC::DFG::CSEPhase::getCalleeLoadElimination):
(JSC::DFG::CSEPhase::checkExecutableElimination):
(JSC::DFG::CSEPhase::getMyScopeLoadElimination):
(JSC::DFG::CSEPhase::performNodeCSE):

• dfg/DFGCapabilities.cpp:

(JSC::DFG::mightInlineFunctionForClosureCall):

• dfg/DFGCapabilities.h:

(DFG):
(JSC::DFG::mightInlineFunctionForClosureCall):
(JSC::DFG::canInlineFunctionForClosureCall):
(JSC::DFG::canInlineFunctionFor):

• dfg/DFGNode.h:

(Node):
(JSC::DFG::Node::hasExecutable):
(JSC::DFG::Node::executable):

• dfg/DFGNodeType.h:

(DFG):

• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGVariableEventStream.cpp:

(JSC::DFG::VariableEventStream::reconstruct):

• runtime/Options.h:

(JSC):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/CallLinkStatus.cpp (modified) (1 diff)
• bytecode/CallLinkStatus.h (modified) (2 diffs)
• bytecode/CodeBlock.cpp (modified) (1 diff)
• bytecode/CodeBlock.h (modified) (1 diff)
• bytecode/CodeOrigin.cpp (modified) (1 diff)
• dfg/DFGAbstractState.cpp (modified) (2 diffs)
• dfg/DFGByteCodeParser.cpp (modified) (9 diffs)
• dfg/DFGCSEPhase.cpp (modified) (8 diffs)
• dfg/DFGCapabilities.cpp (modified) (1 diff)
• dfg/DFGCapabilities.h (modified) (4 diffs)
• dfg/DFGNode.h (modified) (1 diff)
• dfg/DFGNodeType.h (modified) (3 diffs)
• dfg/DFGPredictionPropagationPhase.cpp (modified) (2 diffs)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (3 diffs)
• dfg/DFGSpeculativeJIT64.cpp (modified) (3 diffs)
• dfg/DFGVariableEventStream.cpp (modified) (1 diff)
• runtime/Options.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2013-01-05  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG should inline closure calls
+        https://bugs.webkit.org/show_bug.cgi?id=106067
+
+        Reviewed by Gavin Barraclough.
+        
+        This adds initial support for inlining closure calls to the DFG. A call is considered
+        to be a closure call when the JSFunction* varies, but always has the same executable.
+        We already have closure call inline caching in both JITs, which works by checking that
+        the callee has an expected structure (as a cheap way of detecting that it is in fact
+        a JSFunction) and an expected executable. Closure call inlining uses profiling data
+        aggregated by CallLinkStatus to decide when to specialize the call to the particular
+        structure/executable, and inline the call rather than emitting a call sequence. When
+        we choose to do a closure inline rather than an ordinary inline, a number of things
+        change about how inlining is performed:
+        
+        - The inline is guarded by a CheckStructure/CheckExecutable rather than a
+          CheckFunction.
+        
+        - Instead of propagating a constant value for the scope, we emit GetMyScope every time
+          that the scope is needed, which loads the scope from a local variable. We do similar
+          things for the callee.
+        
+        - The prologue of the inlined code includes SetMyScope and SetCallee nodes to eagerly
+          plant the scope and callee into the "true call frame", i.e. the place on the stack
+          where the call frame would have been if the call had been actually performed. This
+          allows GetMyScope/GetCallee to work as they would if the code wasn't inlined. It
+          also allows for trivial handling of scope and callee for call frame reconstruction
+          upon stack introspection and during OSR.
+        
+        - A new node called GetScope is introduced, which just gets the scope of a function.
+          This node has the expected CSE support. This allows for the
+          SetMyScope(GetScope(@function)) sequence to set up the scope in the true call frame.
+        
+        - GetMyScope/GetCallee CSE can match against SetMyScope/SetCallee, which means that
+          the GetMyScope/GetCallee nodes emitted during parsing are often removed during CSE,
+          if we can prove that it is safe to do so.
+        
+        - Inlining heuristics are adjusted to grok the cost of inlining a closure. We are
+          less likely to inline a closure call than we are to inline a normal call, since we
+          end up emitting more code for closures due to CheckStructure, CheckExecutable,
+          GetScope, SetMyScope, and SetCallee.
+        
+        Additionally, I've fixed the VariableEventStream to ensure that we don't attempt to
+        plant Undefined into the true call frames. This was previously a harmless oversight,
+        but it becomes quite bad if OSR is relying on the scope/callee already having been
+        set and not subsequently clobbered by the OSR itself.
+        
+        This is a ~60% speed-up on programs that frequently make calls to closures. It's
+        neutral on V8v7 and other major benchmark suites.
+        
+        The lack of a definite speed-up is likely due the fact that closure inlining currently
+        does not do any cardinality [1] optimizations. We don't observe when a closure was
+        constructed within its caller, and so used the scope from its caller; and furthermore
+        we have no facility to detect when the scope is single. All scoped variable accesses
+        are assumed to be multiple instead. A subsequent step will be to ensure that closure
+        call inlining will be single and loving it.
+        
+        [1] Single and loving it: Must-alias analysis for higher-order languages. Suresh
+            Jagannathan, Peter Thiemann, Stephen Weeks, and Andrew Wright. In POPL '98.
+
+        * bytecode/CallLinkStatus.cpp:
+        (JSC::CallLinkStatus::dump):
+        * bytecode/CallLinkStatus.h:
+        (JSC::CallLinkStatus::isClosureCall):
+        (CallLinkStatus):
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::globalObjectFor):
+        (JSC):
+        * bytecode/CodeBlock.h:
+        (CodeBlock):
+        * bytecode/CodeOrigin.cpp:
+        (JSC::InlineCallFrame::dump):
+        * dfg/DFGAbstractState.cpp:
+        (JSC::DFG::AbstractState::execute):
+        * dfg/DFGByteCodeParser.cpp:
+        (ByteCodeParser):
+        (JSC::DFG::ByteCodeParser::handleCall):
+        (JSC::DFG::ByteCodeParser::emitFunctionChecks):
+        (JSC::DFG::ByteCodeParser::handleInlining):
+        * dfg/DFGCSEPhase.cpp:
+        (JSC::DFG::CSEPhase::pureCSE):
+        (CSEPhase):
+        (JSC::DFG::CSEPhase::getCalleeLoadElimination):
+        (JSC::DFG::CSEPhase::checkExecutableElimination):
+        (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
+        (JSC::DFG::CSEPhase::performNodeCSE):
+        * dfg/DFGCapabilities.cpp:
+        (JSC::DFG::mightInlineFunctionForClosureCall):
+        * dfg/DFGCapabilities.h:
+        (DFG):
+        (JSC::DFG::mightInlineFunctionForClosureCall):
+        (JSC::DFG::canInlineFunctionForClosureCall):
+        (JSC::DFG::canInlineFunctionFor):
+        * dfg/DFGNode.h:
+        (Node):
+        (JSC::DFG::Node::hasExecutable):
+        (JSC::DFG::Node::executable):
+        * dfg/DFGNodeType.h:
+        (DFG):
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGVariableEventStream.cpp:
+        (JSC::DFG::VariableEventStream::reconstruct):
+        * runtime/Options.h:
+        (JSC):
+
 2013-01-05  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/CallLinkStatus.cpp

@@ -120 +120 @@
 }
 
-void CallLinkStatus::dump(PrintStream& out)
+void CallLinkStatus::dump(PrintStream& out) const
 {
     if (!isSet()) {

trunk/Source/JavaScriptCore/bytecode/CallLinkStatus.h

@@ -105 +105 @@
     
     bool couldTakeSlowPath() const { return m_couldTakeSlowPath; }
-    bool isClosureCall() const { return !m_callTarget; }
+    bool isClosureCall() const { return m_executable && !m_callTarget; }
     
     JSValue callTarget() const { return m_callTarget; }
@@ -116 +116 @@
     bool canOptimize() const { return (m_callTarget || m_executable) && !m_couldTakeSlowPath; }
     
-    void dump(PrintStream&);
+    void dump(PrintStream&) const;
     
 private:

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -2934 +2934 @@
 #endif
 
+JSGlobalObject* CodeBlock::globalObjectFor(CodeOrigin codeOrigin)
+{
+    if (!codeOrigin.inlineCallFrame)
+        return globalObject();
+    return jsCast<FunctionExecutable*>(codeOrigin.inlineCallFrame->executable.get())->generatedBytecode().globalObject();
+}
+
 unsigned CodeBlock::reoptimizationRetryCounter() const
 {

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -937 +937 @@
         JSGlobalObject* globalObject() { return m_globalObject.get(); }
         
-        JSGlobalObject* globalObjectFor(CodeOrigin codeOrigin)
-        {
-            if (!codeOrigin.inlineCallFrame)
-                return globalObject();
-            // FIXME: if we ever inline based on executable not function, this code will need to change.
-            return codeOrigin.inlineCallFrame->callee->scope()->globalObject();
-        }
+        JSGlobalObject* globalObjectFor(CodeOrigin);
 
         // Jump Tables

trunk/Source/JavaScriptCore/bytecode/CodeOrigin.cpp

@@ -87 +87 @@
     else
         out.print(", closure call");
+    out.print(", stack >= r", stackOffset);
     out.print(">");
 }

trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp

@@ -1383 +1383 @@
         forNode(nodeIndex).set(SpecFunction);
         break;
-            
+        
+    case SetCallee:
+    case SetMyScope:
+        node.setCanExit(false);
+        break;
+            
+    case GetScope: // FIXME: We could get rid of these if we know that the JSFunction is a constant. https://bugs.webkit.org/show_bug.cgi?id=106202
     case GetMyScope:
     case SkipTopScope:
@@ -1456 +1462 @@
         forNode(nodeIndex).set(SpecInt32);
         break;
+        
+    case CheckExecutable: {
+        // FIXME: We could track executables in AbstractValue, which would allow us to get rid of these checks
+        // more thoroughly. https://bugs.webkit.org/show_bug.cgi?id=106200
+        // FIXME: We could eliminate these entirely if we know the exact value that flows into this.
+        // https://bugs.webkit.org/show_bug.cgi?id=106201
+        forNode(node.child1()).filter(SpecCell);
+        node.setCanExit(true);
+        break;
+    }
 
     case CheckStructure:

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -160 +160 @@
     // Handle calls. This resolves issues surrounding inlining and intrinsics.
     void handleCall(Interpreter*, Instruction* currentInstruction, NodeType op, CodeSpecializationKind);
-    void emitFunctionCheck(JSFunction* expectedFunction, NodeIndex callTarget, int registerOffset, CodeSpecializationKind);
+    void emitFunctionChecks(const CallLinkStatus&, NodeIndex callTarget, int registerOffset, CodeSpecializationKind);
     // Handle inlining. Return true if it succeeded, false if we need to plant a call.
-    bool handleInlining(bool usesResult, NodeIndex callTargetNodeIndex, int resultOperand, bool certainAboutExpectedFunction, JSFunction*, int registerOffset, int argumentCountIncludingThis, unsigned nextOffset, CodeSpecializationKind);
+    bool handleInlining(bool usesResult, NodeIndex callTargetNodeIndex, int resultOperand, const CallLinkStatus&, int registerOffset, int argumentCountIncludingThis, unsigned nextOffset, CodeSpecializationKind);
     // Handle setting the result of an intrinsic.
     void setIntrinsicResult(bool usesResult, int resultOperand, NodeIndex);
@@ -1330 +1330 @@
     }
         
-    JSFunction* expectedFunction = callLinkStatus.function();
-    if (!expectedFunction) {
-        // For now we have no way of reasoning about what it means to not have a specific function. This will
-        // change soon, though.
-        
-        addCall(interpreter, currentInstruction, op);
-        return;
-    }
-        
     Intrinsic intrinsic = callLinkStatus.intrinsicFor(kind);
     if (intrinsic != NoIntrinsic) {
-        if (!callLinkStatus.isProved())
-            emitFunctionCheck(expectedFunction, callTarget, registerOffset, kind);
+        emitFunctionChecks(callLinkStatus, callTarget, registerOffset, kind);
             
         if (handleIntrinsic(usesResult, resultOperand, intrinsic, registerOffset, argumentCountIncludingThis, prediction)) {
@@ -1351 +1341 @@
                 addToGraph(Phantom, callTarget);
             }
-                
+            
             return;
         }
-    } else if (handleInlining(usesResult, callTarget, resultOperand, callLinkStatus.isProved(), expectedFunction, registerOffset, argumentCountIncludingThis, nextOffset, kind))
+    } else if (handleInlining(usesResult, callTarget, resultOperand, callLinkStatus, registerOffset, argumentCountIncludingThis, nextOffset, kind))
         return;
     
@@ -1360 +1350 @@
 }
 
-void ByteCodeParser::emitFunctionCheck(JSFunction* expectedFunction, NodeIndex callTarget, int registerOffset, CodeSpecializationKind kind)
+void ByteCodeParser::emitFunctionChecks(const CallLinkStatus& callLinkStatus, NodeIndex callTarget, int registerOffset, CodeSpecializationKind kind)
 {
+    if (callLinkStatus.isProved())
+        return;
+    
+    ASSERT(callLinkStatus.canOptimize());
+    
     NodeIndex thisArgument;
     if (kind == CodeForCall)
@@ -1367 +1362 @@
     else
         thisArgument = NoNode;
-    addToGraph(CheckFunction, OpInfo(expectedFunction), callTarget, thisArgument);
+
+    if (JSFunction* function = callLinkStatus.function())
+        addToGraph(CheckFunction, OpInfo(function), callTarget, thisArgument);
+    else {
+        ASSERT(callLinkStatus.structure());
+        ASSERT(callLinkStatus.executable());
+        
+        addToGraph(CheckStructure, OpInfo(m_graph.addStructureSet(callLinkStatus.structure())), callTarget);
+        addToGraph(CheckExecutable, OpInfo(callLinkStatus.executable()), callTarget, thisArgument);
+    }
 }
 
-bool ByteCodeParser::handleInlining(bool usesResult, NodeIndex callTargetNodeIndex, int resultOperand, bool certainAboutExpectedFunction, JSFunction* expectedFunction, int registerOffset, int argumentCountIncludingThis, unsigned nextOffset, CodeSpecializationKind kind)
+bool ByteCodeParser::handleInlining(bool usesResult, NodeIndex callTargetNodeIndex, int resultOperand, const CallLinkStatus& callLinkStatus, int registerOffset, int argumentCountIncludingThis, unsigned nextOffset, CodeSpecializationKind kind)
 {
     // First, the really simple checks: do we have an actual JS function?
-    if (!expectedFunction)
+    if (!callLinkStatus.executable())
         return false;
-    if (expectedFunction->isHostFunction())
+    if (callLinkStatus.executable()->isHostFunction())
         return false;
     
-    FunctionExecutable* executable = expectedFunction->jsExecutable();
+    FunctionExecutable* executable = jsCast<FunctionExecutable*>(callLinkStatus.executable());
     
     // Does the number of arguments we're passing match the arity of the target? We currently
@@ -1407 +1411 @@
     if (!codeBlock)
         return false;
-    if (!canInlineFunctionFor(codeBlock, kind))
+    if (!canInlineFunctionFor(codeBlock, kind, callLinkStatus.isClosureCall()))
         return false;
     
@@ -1417 +1421 @@
     // by checking the callee (if necessary) and making sure that arguments and the callee
     // are flushed.
-    if (!certainAboutExpectedFunction)
-        emitFunctionCheck(expectedFunction, callTargetNodeIndex, registerOffset, kind);
+    emitFunctionChecks(callLinkStatus, callTargetNodeIndex, registerOffset, kind);
     
     // FIXME: Don't flush constants!
@@ -1440 +1443 @@
     InlineStackEntry inlineStackEntry(
         this, codeBlock, codeBlock, m_graph.m_blocks.size() - 1,
-        expectedFunction, (VirtualRegister)m_inlineStackTop->remapOperand(
+        callLinkStatus.function(), (VirtualRegister)m_inlineStackTop->remapOperand(
             usesResult ? resultOperand : InvalidVirtualRegister),
         (VirtualRegister)inlineCallFrameStart, argumentCountIncludingThis, kind);
@@ -1451 +1454 @@
 
     addToGraph(InlineStart, OpInfo(argumentPositionStart));
+    if (callLinkStatus.isClosureCall()) {
+        addToGraph(SetCallee, callTargetNodeIndex);
+        addToGraph(SetMyScope, addToGraph(GetScope, callTargetNodeIndex));
+    }
     
     parseCodeBlock();

trunk/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp

@@ -90 +90 @@
     }
 
-    enum InlineCallFrameRequirement { RequireSameInlineCallFrame, DoNotCareAboutInlineCallFrame };
-    template<InlineCallFrameRequirement inlineCallFrameRequirement>
-    NodeIndex genericPureCSE(Node& node)
+    NodeIndex pureCSE(Node& node)
     {
         NodeIndex child1 = canonicalize(node.child1());
@@ -111 +109 @@
             
             if (node.arithNodeFlags() != otherNode.arithNodeFlags())
-                continue;
-            
-            if (inlineCallFrameRequirement == RequireSameInlineCallFrame
-                && node.codeOrigin.inlineCallFrame != otherNode.codeOrigin.inlineCallFrame)
                 continue;
             
@@ -140 +134 @@
     }
     
-    NodeIndex pureCSE(Node& node)
-    {
-        return genericPureCSE<DoNotCareAboutInlineCallFrame>(node);
-    }
-    
-    NodeIndex pureCSERequiringSameInlineCallFrame(Node& node)
-    {
-        return genericPureCSE<RequireSameInlineCallFrame>(node);
-    }
-    
     NodeIndex constantCSE(Node& node)
     {
@@ -178 +162 @@
             
             return index;
+        }
+        return NoNode;
+    }
+    
+    NodeIndex getCalleeLoadElimination(InlineCallFrame* inlineCallFrame)
+    {
+        for (unsigned i = m_indexInBlock; i--;) {
+            NodeIndex index = m_currentBlock->at(i);
+            Node& node = m_graph[index];
+            if (!node.shouldGenerate())
+                continue;
+            if (node.codeOrigin.inlineCallFrame != inlineCallFrame)
+                continue;
+            switch (node.op()) {
+            case GetCallee:
+                return index;
+            case SetCallee:
+                return node.child1().index();
+            default:
+                break;
+            }
         }
         return NoNode;
@@ -413 +418 @@
             Node& node = m_graph[index];
             if (node.op() == CheckFunction && node.child1() == child1 && node.function() == function)
+                return true;
+        }
+        return false;
+    }
+    
+    bool checkExecutableElimination(ExecutableBase* executable, NodeIndex child1)
+    {
+        for (unsigned i = endIndexForPureCSE(); i--;) {
+            NodeIndex index = m_currentBlock->at(i);
+            if (index == child1)
+                break;
+
+            Node& node = m_graph[index];
+            if (node.op() == CheckExecutable && node.child1() == child1 && node.executable() == executable)
                 return true;
         }
@@ -831 +850 @@
             case GetMyScope:
                 return index;
+            case SetMyScope:
+                return node.child1().index();
             default:
                 break;
@@ -1145 +1166 @@
         case SkipScope:
         case GetScopeRegisters:
+        case GetScope:
             setReplacement(pureCSE(node));
             break;
             
         case GetCallee:
-            setReplacement(pureCSERequiringSameInlineCallFrame(node));
+            setReplacement(getCalleeLoadElimination(node.codeOrigin.inlineCallFrame));
             break;
 
@@ -1352 +1374 @@
             break;
                 
+        case CheckExecutable:
+            if (checkExecutableElimination(node.executable(), node.child1().index()))
+                eliminate();
+            break;
+                
         case CheckArray:
             if (checkArrayElimination(node.child1().index(), node.arrayMode()))

trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp

@@ -54 +54 @@
 {
     return codeBlock->instructionCount() <= Options::maximumFunctionForCallInlineCandidateInstructionCount()
+        && !codeBlock->ownerExecutable()->needsActivation();
+}
+bool mightInlineFunctionForClosureCall(CodeBlock* codeBlock)
+{
+    return codeBlock->instructionCount() <= Options::maximumFunctionForClosureCallInlineCandidateInstructionCount()
         && !codeBlock->ownerExecutable()->needsActivation();
 }

trunk/Source/JavaScriptCore/dfg/DFGCapabilities.h

@@ -45 +45 @@
 bool mightCompileFunctionForConstruct(CodeBlock*);
 bool mightInlineFunctionForCall(CodeBlock*);
+bool mightInlineFunctionForClosureCall(CodeBlock*);
 bool mightInlineFunctionForConstruct(CodeBlock*);
 
@@ -273 +274 @@
 inline bool mightCompileFunctionForConstruct(CodeBlock*) { return false; }
 inline bool mightInlineFunctionForCall(CodeBlock*) { return false; }
+inline bool mightInlineFunctionForClosureCall(CodeBlock*) { return false; }
 inline bool mightInlineFunctionForConstruct(CodeBlock*) { return false; }
 
@@ -318 +320 @@
 }
 
+inline bool canInlineFunctionForClosureCall(CodeBlock* codeBlock)
+{
+    return mightInlineFunctionForClosureCall(codeBlock) && canInlineOpcodes(codeBlock);
+}
+
 inline bool canInlineFunctionForConstruct(CodeBlock* codeBlock)
 {
@@ -331 +338 @@
 }
 
-inline bool canInlineFunctionFor(CodeBlock* codeBlock, CodeSpecializationKind kind)
-{
+inline bool canInlineFunctionFor(CodeBlock* codeBlock, CodeSpecializationKind kind, bool isClosureCall)
+{
+    if (isClosureCall) {
+        ASSERT(kind == CodeForCall);
+        return canInlineFunctionForClosureCall(codeBlock);
+    }
     if (kind == CodeForCall)
         return canInlineFunctionForCall(codeBlock);

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -703 +703 @@
         return result;
     }
+    
+    bool hasExecutable()
+    {
+        return op() == CheckExecutable;
+    }
+    
+    ExecutableBase* executable()
+    {
+        return jsCast<ExecutableBase*>(reinterpret_cast<JSCell*>(m_opInfo));
+    }
 
     bool hasStructureTransitionData()

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -53 +53 @@
     macro(CreateThis, NodeResultJS) /* Note this is not MustGenerate since we're returning it anyway. */ \
     macro(GetCallee, NodeResultJS) \
+    macro(SetCallee, NodeMustGenerate) \
     \
     /* Nodes for local variable access. These nodes are linked together using Phi nodes. */\
@@ -125 +126 @@
     macro(PutByIdDirect, NodeMustGenerate | NodeClobbersWorld) \
     macro(CheckStructure, NodeMustGenerate) \
+    macro(CheckExecutable, NodeMustGenerate) \
     macro(ForwardCheckStructure, NodeMustGenerate) \
     /* Transition watchpoints are a contract between the party setting the watchpoint */\
@@ -151 +153 @@
     macro(PutByOffset, NodeMustGenerate) \
     macro(GetArrayLength, NodeResultInt32) \
+    macro(GetScope, NodeResultJS) \
     macro(GetMyScope, NodeResultJS) \
+    macro(SetMyScope, NodeMustGenerate) \
     macro(SkipTopScope, NodeResultJS) \
     macro(SkipScope, NodeResultJS) \

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -768 +768 @@
             break;
 
+        case SetCallee:
+        case SetMyScope:
+            changed |= m_graph[node.child1()].mergeFlags(NodeUsedAsValue);
+            break;
+            
+        case GetScope:
+            changed |= m_graph[node.child1()].mergeFlags(NodeUsedAsValue);
+            changed |= setPrediction(SpecCellOther);
+            break;
+
 #ifndef NDEBUG
         // These get ignored because they don't return anything.
@@ -778 +788 @@
         case SetArgument:
         case CheckStructure:
+        case CheckExecutable:
         case ForwardCheckStructure:
         case StructureTransitionWatchpoint:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -3970 +3970 @@
     }
         
+    case SetCallee: {
+        SpeculateCellOperand callee(this, node.child1());
+        m_jit.storePtr(callee.gpr(), JITCompiler::payloadFor(static_cast<VirtualRegister>(node.codeOrigin.stackOffset() + static_cast<int>(JSStack::Callee))));
+        noResult(m_compileIndex);
+        break;
+    }
+        
+    case GetScope: {
+        SpeculateCellOperand function(this, node.child1());
+        GPRTemporary result(this, function);
+        m_jit.loadPtr(JITCompiler::Address(function.gpr(), JSFunction::offsetOfScopeChain()), result.gpr());
+        cellResult(result.gpr(), m_compileIndex);
+        break;
+    }
+        
     case GetMyScope: {
         GPRTemporary result(this);
@@ -3976 +3991 @@
         m_jit.loadPtr(JITCompiler::payloadFor(static_cast<VirtualRegister>(node.codeOrigin.stackOffset() + static_cast<int>(JSStack::ScopeChain))), resultGPR);
         cellResult(resultGPR, m_compileIndex);
+        break;
+    }
+        
+    case SetMyScope: {
+        SpeculateCellOperand callee(this, node.child1());
+        m_jit.storePtr(callee.gpr(), JITCompiler::payloadFor(static_cast<VirtualRegister>(node.codeOrigin.stackOffset() + static_cast<int>(JSStack::ScopeChain))));
+        noResult(m_compileIndex);
         break;
     }
@@ -4143 +4165 @@
     }
 
+    case CheckExecutable: {
+        SpeculateCellOperand function(this, node.child1());
+        speculationCheck(BadExecutable, JSValueSource::unboxedCell(function.gpr()), node.child1(), m_jit.branchWeakPtr(JITCompiler::NotEqual, JITCompiler::Address(function.gpr(), JSFunction::offsetOfExecutable()), node.executable()));
+        noResult(m_compileIndex);
+        break;
+    }
+        
     case CheckStructure:
     case ForwardCheckStructure: {

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -3922 +3922 @@
     }
         
+    case SetCallee: {
+        SpeculateCellOperand callee(this, node.child1());
+        m_jit.storePtr(callee.gpr(), JITCompiler::addressFor(static_cast<VirtualRegister>(node.codeOrigin.stackOffset() + static_cast<int>(JSStack::Callee))));
+        noResult(m_compileIndex);
+        break;
+    }
+        
+    case GetScope: {
+        SpeculateCellOperand function(this, node.child1());
+        GPRTemporary result(this, function);
+        m_jit.loadPtr(JITCompiler::Address(function.gpr(), JSFunction::offsetOfScopeChain()), result.gpr());
+        cellResult(result.gpr(), m_compileIndex);
+        break;
+    }
+        
     case GetMyScope: {
         GPRTemporary result(this);
@@ -3928 +3943 @@
         m_jit.loadPtr(JITCompiler::addressFor(static_cast<VirtualRegister>(node.codeOrigin.stackOffset() + static_cast<int>(JSStack::ScopeChain))), resultGPR);
         cellResult(resultGPR, m_compileIndex);
+        break;
+    }
+        
+    case SetMyScope: {
+        SpeculateCellOperand callee(this, node.child1());
+        m_jit.storePtr(callee.gpr(), JITCompiler::addressFor(static_cast<VirtualRegister>(node.codeOrigin.stackOffset() + static_cast<int>(JSStack::ScopeChain))));
+        noResult(m_compileIndex);
         break;
     }
@@ -4081 +4103 @@
         break;
     }
+        
+    case CheckExecutable: {
+        SpeculateCellOperand function(this, node.child1());
+        speculationCheck(BadExecutable, JSValueRegs(function.gpr()), node.child1(), m_jit.branchWeakPtr(JITCompiler::NotEqual, JITCompiler::Address(function.gpr(), JSFunction::offsetOfExecutable()), node.executable()));
+        noResult(m_compileIndex);
+        break;
+    }
+        
     case CheckStructure:
     case ForwardCheckStructure: {

trunk/Source/JavaScriptCore/dfg/DFGVariableEventStream.cpp

@@ -283 +283 @@
             ValueRecovery::displacedInJSStack(static_cast<VirtualRegister>(info->u.virtualReg), info->format);
     }
+    
+    // Step 5: Make sure that for locals that coincide with true call frame headers, the exit compiler knows
+    // that those values don't have to be recovered. Signal this by using ValueRecovery::alreadyInJSStack()
+    for (InlineCallFrame* inlineCallFrame = codeOrigin.inlineCallFrame; inlineCallFrame; inlineCallFrame = inlineCallFrame->caller.inlineCallFrame) {
+        for (unsigned i = JSStack::CallFrameHeaderSize; i--;)
+            valueRecoveries.setLocal(inlineCallFrame->stackOffset - i - 1, ValueRecovery::alreadyInJSStack());
+    }
 }
 

trunk/Source/JavaScriptCore/runtime/Options.h

@@ -81 +81 @@
     \
     v(unsigned, maximumFunctionForCallInlineCandidateInstructionCount, 180) \
+    v(unsigned, maximumFunctionForClosureCallInlineCandidateInstructionCount, 100) \
     v(unsigned, maximumFunctionForConstructInlineCandidateInstructionCount, 100) \
     \