Changeset 146089 in webkit

Timestamp:

Mar 18, 2013 11:09:22 AM (11 years ago)

Author:

fpizlo@apple.com

Message:

DFG string conversions and allocations should be inlined
​https://bugs.webkit.org/show_bug.cgi?id=112376

Source/JavaScriptCore:

Reviewed by Geoffrey Garen.

This turns new String(), String(), String.prototype.valueOf(), and
String.prototype.toString() into intrinsics. It gives the DFG the ability to handle
conversions from StringObject to JSString and vice-versa, and also gives it the
ability to handle cases where a variable may be either a StringObject or a JSString.
To do this, I added StringObject to value profiling (and removed the stale
distinction between Myarguments and Foreignarguments). I also cleaned up ToPrimitive
handling, using some of the new functionality but also taking advantage of the
existence of Identity(String:@a).

This is a 2% SunSpider speed-up. Also there are some speed-ups on V8v7 and Kraken.
On microbenchmarks that stress new String() this is a 14x speed-up.

• CMakeLists.txt:
• DerivedSources.make:
• DerivedSources.pri:
• GNUmakefile.list.am:
• bytecode/CodeBlock.h:

(CodeBlock):
(JSC::CodeBlock::hasExitSite):
(JSC):

• bytecode/DFGExitProfile.cpp:

(JSC::DFG::ExitProfile::hasExitSite):
(DFG):

• bytecode/DFGExitProfile.h:

(ExitProfile):
(JSC::DFG::ExitProfile::hasExitSite):

• bytecode/ExitKind.cpp:

(JSC::exitKindToString):

• bytecode/ExitKind.h:
• bytecode/SpeculatedType.cpp:

(JSC::dumpSpeculation):
(JSC::speculationToAbbreviatedString):
(JSC::speculationFromClassInfo):

• bytecode/SpeculatedType.h:

(JSC):
(JSC::isStringObjectSpeculation):
(JSC::isStringOrStringObjectSpeculation):

• create_hash_table:
• dfg/DFGAbstractState.cpp:

(JSC::DFG::AbstractState::executeEffects):

• dfg/DFGAbstractState.h:

(JSC::DFG::AbstractState::filterEdgeByUse):

• dfg/DFGByteCodeParser.cpp:

(ByteCodeParser):
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
(DFG):
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):

• dfg/DFGCSEPhase.cpp:

(JSC::DFG::CSEPhase::putStructureStoreElimination):

• dfg/DFGEdge.h:

(JSC::DFG::Edge::shift):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
(FixupPhase):
(JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
(JSC::DFG::FixupPhase::observeUseKindOnNode):

• dfg/DFGGraph.h:

(JSC::DFG::Graph::hasGlobalExitSite):
(Graph):
(JSC::DFG::Graph::hasExitSite):
(JSC::DFG::Graph::clobbersWorld):

• dfg/DFGNode.h:

(JSC::DFG::Node::convertToToString):
(Node):
(JSC::DFG::Node::hasStructure):
(JSC::DFG::Node::shouldSpeculateStringObject):
(JSC::DFG::Node::shouldSpeculateStringOrStringObject):

• dfg/DFGNodeType.h:

(DFG):

• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileToStringOnCell):
(DFG):
(JSC::DFG::SpeculativeJIT::compileNewStringObject):
(JSC::DFG::SpeculativeJIT::speculateObject):
(JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
(JSC::DFG::SpeculativeJIT::speculateString):
(JSC::DFG::SpeculativeJIT::speculateStringObject):
(JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
(JSC::DFG::SpeculativeJIT::speculate):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callOperation):
(SpeculativeJIT):
(JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
(DFG):
(JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGUseKind.cpp:

(WTF::printInternal):

• dfg/DFGUseKind.h:

(JSC::DFG::typeFilterFor):

• interpreter/CallFrame.h:

(JSC::ExecState::regExpPrototypeTable):

• runtime/CommonIdentifiers.h:
• runtime/Intrinsic.h:
• runtime/JSDestructibleObject.h:

(JSDestructibleObject):
(JSC::JSDestructibleObject::classInfoOffset):

• runtime/JSGlobalData.cpp:

(JSC):
(JSC::JSGlobalData::JSGlobalData):
(JSC::JSGlobalData::~JSGlobalData):

• runtime/JSGlobalData.h:

(JSGlobalData):

• runtime/JSObject.cpp:
• runtime/JSObject.h:

(JSC):

• runtime/JSWrapperObject.h:

(JSC::JSWrapperObject::allocationSize):
(JSWrapperObject):
(JSC::JSWrapperObject::internalValueOffset):
(JSC::JSWrapperObject::internalValueCellOffset):

• runtime/StringPrototype.cpp:

(JSC):
(JSC::StringPrototype::finishCreation):
(JSC::StringPrototype::create):

• runtime/StringPrototype.h:

(StringPrototype):

LayoutTests:

Reviewed by Geoffrey Garen.

• fast/js/dfg-to-string-bad-toString-expected.txt: Added.
• fast/js/dfg-to-string-bad-toString.html: Added.
• fast/js/dfg-to-string-bad-valueOf-expected.txt: Added.
• fast/js/dfg-to-string-bad-valueOf.html: Added.
• fast/js/dfg-to-string-int-expected.txt: Added.
• fast/js/dfg-to-string-int-or-string-expected.txt: Added.
• fast/js/dfg-to-string-int-or-string.html: Added.
• fast/js/dfg-to-string-int.html: Added.
• fast/js/dfg-to-string-side-effect-clobbers-toString-expected.txt: Added.
• fast/js/dfg-to-string-side-effect-clobbers-toString.html: Added.
• fast/js/dfg-to-string-side-effect-expected.txt: Added.
• fast/js/dfg-to-string-side-effect.html: Added.
• fast/js/dfg-to-string-toString-becomes-bad-expected.txt: Added.
• fast/js/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype-expected.txt: Added.
• fast/js/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype.html: Added.
• fast/js/dfg-to-string-toString-becomes-bad.html: Added.
• fast/js/dfg-to-string-toString-in-string-expected.txt: Added.
• fast/js/dfg-to-string-toString-in-string.html: Added.
• fast/js/dfg-to-string-valueOf-becomes-bad-expected.txt: Added.
• fast/js/dfg-to-string-valueOf-becomes-bad.html: Added.
• fast/js/dfg-to-string-valueOf-in-string-expected.txt: Added.
• fast/js/dfg-to-string-valueOf-in-string.html: Added.
• fast/js/jsc-test-list:
• fast/js/regress/script-tests/string-concat-object.js: Added.

(foo):

• fast/js/regress/script-tests/string-concat-pair-object.js: Added.

(foo):

• fast/js/regress/script-tests/string-concat-pair-simple.js: Added.

(foo):

• fast/js/regress/script-tests/string-concat-simple.js: Added.

(foo):

• fast/js/regress/script-tests/string-cons-repeat.js: Added.

(foo):

• fast/js/regress/script-tests/string-cons-tower.js: Added.

(foo):

• fast/js/regress/string-concat-object-expected.txt: Added.
• fast/js/regress/string-concat-object.html: Added.
• fast/js/regress/string-concat-pair-object-expected.txt: Added.
• fast/js/regress/string-concat-pair-object.html: Added.
• fast/js/regress/string-concat-pair-simple-expected.txt: Added.
• fast/js/regress/string-concat-pair-simple.html: Added.
• fast/js/regress/string-concat-simple-expected.txt: Added.
• fast/js/regress/string-concat-simple.html: Added.
• fast/js/regress/string-cons-repeat-expected.txt: Added.
• fast/js/regress/string-cons-repeat.html: Added.
• fast/js/regress/string-cons-tower-expected.txt: Added.
• fast/js/regress/string-cons-tower.html: Added.
• fast/js/script-tests/dfg-to-string-bad-toString.js: Added.

(String.prototype.toString):
(foo):

• fast/js/script-tests/dfg-to-string-bad-valueOf.js: Added.

(String.prototype.valueOf):
(foo):

• fast/js/script-tests/dfg-to-string-int-or-string.js: Added.

(foo):

• fast/js/script-tests/dfg-to-string-int.js: Added.

(foo):

• fast/js/script-tests/dfg-to-string-side-effect-clobbers-toString.js: Added.

(foo):

• fast/js/script-tests/dfg-to-string-side-effect.js: Added.

(foo):

• fast/js/script-tests/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype.js: Added.

(foo):
(.String.prototype.toString):

• fast/js/script-tests/dfg-to-string-toString-becomes-bad.js: Added.

(foo):
(.String.prototype.toString):

• fast/js/script-tests/dfg-to-string-toString-in-string.js: Added.

(foo):
(.argument.toString):

• fast/js/script-tests/dfg-to-string-valueOf-becomes-bad.js: Added.

(foo):
(.String.prototype.valueOf):

• fast/js/script-tests/dfg-to-string-valueOf-in-string.js: Added.

(foo):
(.argument.valueOf):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/dfg-to-string-bad-toString-expected.txt (added)
• LayoutTests/fast/js/dfg-to-string-bad-toString.html (added)
• LayoutTests/fast/js/dfg-to-string-bad-valueOf-expected.txt (added)
• LayoutTests/fast/js/dfg-to-string-bad-valueOf.html (added)
• LayoutTests/fast/js/dfg-to-string-int-expected.txt (added)
• LayoutTests/fast/js/dfg-to-string-int-or-string-expected.txt (added)
• LayoutTests/fast/js/dfg-to-string-int-or-string.html (added)
• LayoutTests/fast/js/dfg-to-string-int.html (added)
• LayoutTests/fast/js/dfg-to-string-side-effect-clobbers-toString-expected.txt (added)
• LayoutTests/fast/js/dfg-to-string-side-effect-clobbers-toString.html (added)
• LayoutTests/fast/js/dfg-to-string-side-effect-expected.txt (added)
• LayoutTests/fast/js/dfg-to-string-side-effect.html (added)
• LayoutTests/fast/js/dfg-to-string-toString-becomes-bad-expected.txt (added)
• LayoutTests/fast/js/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype-expected.txt (added)
• LayoutTests/fast/js/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype.html (added)
• LayoutTests/fast/js/dfg-to-string-toString-becomes-bad.html (added)
• LayoutTests/fast/js/dfg-to-string-toString-in-string-expected.txt (added)
• LayoutTests/fast/js/dfg-to-string-toString-in-string.html (added)
• LayoutTests/fast/js/dfg-to-string-valueOf-becomes-bad-expected.txt (added)
• LayoutTests/fast/js/dfg-to-string-valueOf-becomes-bad.html (added)
• LayoutTests/fast/js/dfg-to-string-valueOf-in-string-expected.txt (added)
• LayoutTests/fast/js/dfg-to-string-valueOf-in-string.html (added)
• LayoutTests/fast/js/jsc-test-list (modified) (1 diff)
• LayoutTests/fast/js/regress/script-tests/string-concat-object.js (added)
• LayoutTests/fast/js/regress/script-tests/string-concat-pair-object.js (added)
• LayoutTests/fast/js/regress/script-tests/string-concat-pair-simple.js (added)
• LayoutTests/fast/js/regress/script-tests/string-concat-simple.js (added)
• LayoutTests/fast/js/regress/script-tests/string-cons-repeat.js (added)
• LayoutTests/fast/js/regress/script-tests/string-cons-tower.js (added)
• LayoutTests/fast/js/regress/string-concat-object-expected.txt (added)
• LayoutTests/fast/js/regress/string-concat-object.html (added)
• LayoutTests/fast/js/regress/string-concat-pair-object-expected.txt (added)
• LayoutTests/fast/js/regress/string-concat-pair-object.html (added)
• LayoutTests/fast/js/regress/string-concat-pair-simple-expected.txt (added)
• LayoutTests/fast/js/regress/string-concat-pair-simple.html (added)
• LayoutTests/fast/js/regress/string-concat-simple-expected.txt (added)
• LayoutTests/fast/js/regress/string-concat-simple.html (added)
• LayoutTests/fast/js/regress/string-cons-repeat-expected.txt (added)
• LayoutTests/fast/js/regress/string-cons-repeat.html (added)
• LayoutTests/fast/js/regress/string-cons-tower-expected.txt (added)
• LayoutTests/fast/js/regress/string-cons-tower.html (added)
• LayoutTests/fast/js/script-tests/dfg-to-string-bad-toString.js (added)
• LayoutTests/fast/js/script-tests/dfg-to-string-bad-valueOf.js (added)
• LayoutTests/fast/js/script-tests/dfg-to-string-int-or-string.js (added)
• LayoutTests/fast/js/script-tests/dfg-to-string-int.js (added)
• LayoutTests/fast/js/script-tests/dfg-to-string-side-effect-clobbers-toString.js (added)
• LayoutTests/fast/js/script-tests/dfg-to-string-side-effect.js (added)
• LayoutTests/fast/js/script-tests/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype.js (added)
• LayoutTests/fast/js/script-tests/dfg-to-string-toString-becomes-bad.js (added)
• LayoutTests/fast/js/script-tests/dfg-to-string-toString-in-string.js (added)
• LayoutTests/fast/js/script-tests/dfg-to-string-valueOf-becomes-bad.js (added)
• LayoutTests/fast/js/script-tests/dfg-to-string-valueOf-in-string.js (added)
• Source/JavaScriptCore/CMakeLists.txt (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/DerivedSources.make (modified) (2 diffs)
• Source/JavaScriptCore/DerivedSources.pri (modified) (1 diff)
• Source/JavaScriptCore/GNUmakefile.list.am (modified) (1 diff)
• Source/JavaScriptCore/bytecode/CodeBlock.h (modified) (2 diffs)
• Source/JavaScriptCore/bytecode/DFGExitProfile.cpp (modified) (1 diff)
• Source/JavaScriptCore/bytecode/DFGExitProfile.h (modified) (1 diff)
• Source/JavaScriptCore/bytecode/ExitKind.cpp (modified) (2 diffs)
• Source/JavaScriptCore/bytecode/ExitKind.h (modified) (2 diffs)
• Source/JavaScriptCore/bytecode/SpeculatedType.cpp (modified) (6 diffs)
• Source/JavaScriptCore/bytecode/SpeculatedType.h (modified) (3 diffs)
• Source/JavaScriptCore/create_hash_table (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractState.cpp (modified) (7 diffs)
• Source/JavaScriptCore/dfg/DFGAbstractState.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (7 diffs)
• Source/JavaScriptCore/dfg/DFGCSEPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGEdge.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGGraph.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGNode.h (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (6 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (6 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGUseKind.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGUseKind.h (modified) (2 diffs)
• Source/JavaScriptCore/interpreter/CallFrame.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/Intrinsic.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSDestructibleObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalData.cpp (modified) (4 diffs)
• Source/JavaScriptCore/runtime/JSGlobalData.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSWrapperObject.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/StringPrototype.cpp (modified) (4 diffs)
• Source/JavaScriptCore/runtime/StringPrototype.h (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2013-03-18  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG string conversions and allocations should be inlined
+        https://bugs.webkit.org/show_bug.cgi?id=112376
+
+        Reviewed by Geoffrey Garen.
+
+        * fast/js/dfg-to-string-bad-toString-expected.txt: Added.
+        * fast/js/dfg-to-string-bad-toString.html: Added.
+        * fast/js/dfg-to-string-bad-valueOf-expected.txt: Added.
+        * fast/js/dfg-to-string-bad-valueOf.html: Added.
+        * fast/js/dfg-to-string-int-expected.txt: Added.
+        * fast/js/dfg-to-string-int-or-string-expected.txt: Added.
+        * fast/js/dfg-to-string-int-or-string.html: Added.
+        * fast/js/dfg-to-string-int.html: Added.
+        * fast/js/dfg-to-string-side-effect-clobbers-toString-expected.txt: Added.
+        * fast/js/dfg-to-string-side-effect-clobbers-toString.html: Added.
+        * fast/js/dfg-to-string-side-effect-expected.txt: Added.
+        * fast/js/dfg-to-string-side-effect.html: Added.
+        * fast/js/dfg-to-string-toString-becomes-bad-expected.txt: Added.
+        * fast/js/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype-expected.txt: Added.
+        * fast/js/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype.html: Added.
+        * fast/js/dfg-to-string-toString-becomes-bad.html: Added.
+        * fast/js/dfg-to-string-toString-in-string-expected.txt: Added.
+        * fast/js/dfg-to-string-toString-in-string.html: Added.
+        * fast/js/dfg-to-string-valueOf-becomes-bad-expected.txt: Added.
+        * fast/js/dfg-to-string-valueOf-becomes-bad.html: Added.
+        * fast/js/dfg-to-string-valueOf-in-string-expected.txt: Added.
+        * fast/js/dfg-to-string-valueOf-in-string.html: Added.
+        * fast/js/jsc-test-list:
+        * fast/js/regress/script-tests/string-concat-object.js: Added.
+        (foo):
+        * fast/js/regress/script-tests/string-concat-pair-object.js: Added.
+        (foo):
+        * fast/js/regress/script-tests/string-concat-pair-simple.js: Added.
+        (foo):
+        * fast/js/regress/script-tests/string-concat-simple.js: Added.
+        (foo):
+        * fast/js/regress/script-tests/string-cons-repeat.js: Added.
+        (foo):
+        * fast/js/regress/script-tests/string-cons-tower.js: Added.
+        (foo):
+        * fast/js/regress/string-concat-object-expected.txt: Added.
+        * fast/js/regress/string-concat-object.html: Added.
+        * fast/js/regress/string-concat-pair-object-expected.txt: Added.
+        * fast/js/regress/string-concat-pair-object.html: Added.
+        * fast/js/regress/string-concat-pair-simple-expected.txt: Added.
+        * fast/js/regress/string-concat-pair-simple.html: Added.
+        * fast/js/regress/string-concat-simple-expected.txt: Added.
+        * fast/js/regress/string-concat-simple.html: Added.
+        * fast/js/regress/string-cons-repeat-expected.txt: Added.
+        * fast/js/regress/string-cons-repeat.html: Added.
+        * fast/js/regress/string-cons-tower-expected.txt: Added.
+        * fast/js/regress/string-cons-tower.html: Added.
+        * fast/js/script-tests/dfg-to-string-bad-toString.js: Added.
+        (String.prototype.toString):
+        (foo):
+        * fast/js/script-tests/dfg-to-string-bad-valueOf.js: Added.
+        (String.prototype.valueOf):
+        (foo):
+        * fast/js/script-tests/dfg-to-string-int-or-string.js: Added.
+        (foo):
+        * fast/js/script-tests/dfg-to-string-int.js: Added.
+        (foo):
+        * fast/js/script-tests/dfg-to-string-side-effect-clobbers-toString.js: Added.
+        (foo):
+        * fast/js/script-tests/dfg-to-string-side-effect.js: Added.
+        (foo):
+        * fast/js/script-tests/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype.js: Added.
+        (foo):
+        (.String.prototype.toString):
+        * fast/js/script-tests/dfg-to-string-toString-becomes-bad.js: Added.
+        (foo):
+        (.String.prototype.toString):
+        * fast/js/script-tests/dfg-to-string-toString-in-string.js: Added.
+        (foo):
+        (.argument.toString):
+        * fast/js/script-tests/dfg-to-string-valueOf-becomes-bad.js: Added.
+        (foo):
+        (.String.prototype.valueOf):
+        * fast/js/script-tests/dfg-to-string-valueOf-in-string.js: Added.
+        (foo):
+        (.argument.valueOf):
+
 2013-03-18  Dean Jackson  <dino@apple.com>
 

trunk/LayoutTests/fast/js/jsc-test-list

@@ -195 +195 @@
 fast/js/dfg-string-stricteq
 fast/js/dfg-tear-off-arguments-not-activation
+fast/js/dfg-to-string-bad-toString
+fast/js/dfg-to-string-bad-valueOf
+fast/js/dfg-to-string-int-or-string
+fast/js/dfg-to-string-int
+fast/js/dfg-to-string-side-effect
+fast/js/dfg-to-string-side-effect-clobbers-toString
+fast/js/dfg-to-string-toString-becomes-bad-with-dictionary-string-prototype
+fast/js/dfg-to-string-toString-becomes-bad
+fast/js/dfg-to-string-toString-in-string
+fast/js/dfg-to-string-valueOf-becomes-bad
+fast/js/dfg-to-string-valueOf-in-string
 fast/js/dfg-uint16array
 fast/js/dfg-uint32-to-number-in-middle-of-copy-propagation

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -334 +334 @@
     runtime/RegExpPrototype.cpp
     runtime/StringConstructor.cpp
-    runtime/StringPrototype.cpp
 )
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2013-03-15  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG string conversions and allocations should be inlined
+        https://bugs.webkit.org/show_bug.cgi?id=112376
+
+        Reviewed by Geoffrey Garen.
+        
+        This turns new String(), String(), String.prototype.valueOf(), and
+        String.prototype.toString() into intrinsics. It gives the DFG the ability to handle
+        conversions from StringObject to JSString and vice-versa, and also gives it the
+        ability to handle cases where a variable may be either a StringObject or a JSString.
+        To do this, I added StringObject to value profiling (and removed the stale
+        distinction between Myarguments and Foreignarguments). I also cleaned up ToPrimitive
+        handling, using some of the new functionality but also taking advantage of the
+        existence of Identity(String:@a).
+        
+        This is a 2% SunSpider speed-up. Also there are some speed-ups on V8v7 and Kraken.
+        On microbenchmarks that stress new String() this is a 14x speed-up.
+
+        * CMakeLists.txt:
+        * DerivedSources.make:
+        * DerivedSources.pri:
+        * GNUmakefile.list.am:
+        * bytecode/CodeBlock.h:
+        (CodeBlock):
+        (JSC::CodeBlock::hasExitSite):
+        (JSC):
+        * bytecode/DFGExitProfile.cpp:
+        (JSC::DFG::ExitProfile::hasExitSite):
+        (DFG):
+        * bytecode/DFGExitProfile.h:
+        (ExitProfile):
+        (JSC::DFG::ExitProfile::hasExitSite):
+        * bytecode/ExitKind.cpp:
+        (JSC::exitKindToString):
+        * bytecode/ExitKind.h:
+        * bytecode/SpeculatedType.cpp:
+        (JSC::dumpSpeculation):
+        (JSC::speculationToAbbreviatedString):
+        (JSC::speculationFromClassInfo):
+        * bytecode/SpeculatedType.h:
+        (JSC):
+        (JSC::isStringObjectSpeculation):
+        (JSC::isStringOrStringObjectSpeculation):
+        * create_hash_table:
+        * dfg/DFGAbstractState.cpp:
+        (JSC::DFG::AbstractState::executeEffects):
+        * dfg/DFGAbstractState.h:
+        (JSC::DFG::AbstractState::filterEdgeByUse):
+        * dfg/DFGByteCodeParser.cpp:
+        (ByteCodeParser):
+        (JSC::DFG::ByteCodeParser::handleCall):
+        (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
+        (DFG):
+        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+        * dfg/DFGCSEPhase.cpp:
+        (JSC::DFG::CSEPhase::putStructureStoreElimination):
+        * dfg/DFGEdge.h:
+        (JSC::DFG::Edge::shift):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
+        (FixupPhase):
+        (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
+        (JSC::DFG::FixupPhase::observeUseKindOnNode):
+        * dfg/DFGGraph.h:
+        (JSC::DFG::Graph::hasGlobalExitSite):
+        (Graph):
+        (JSC::DFG::Graph::hasExitSite):
+        (JSC::DFG::Graph::clobbersWorld):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::convertToToString):
+        (Node):
+        (JSC::DFG::Node::hasStructure):
+        (JSC::DFG::Node::shouldSpeculateStringObject):
+        (JSC::DFG::Node::shouldSpeculateStringOrStringObject):
+        * dfg/DFGNodeType.h:
+        (DFG):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
+        (DFG):
+        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
+        (JSC::DFG::SpeculativeJIT::speculateObject):
+        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
+        (JSC::DFG::SpeculativeJIT::speculateString):
+        (JSC::DFG::SpeculativeJIT::speculateStringObject):
+        (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
+        (JSC::DFG::SpeculativeJIT::speculate):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callOperation):
+        (SpeculativeJIT):
+        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
+        (DFG):
+        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGUseKind.cpp:
+        (WTF::printInternal):
+        * dfg/DFGUseKind.h:
+        (JSC::DFG::typeFilterFor):
+        * interpreter/CallFrame.h:
+        (JSC::ExecState::regExpPrototypeTable):
+        * runtime/CommonIdentifiers.h:
+        * runtime/Intrinsic.h:
+        * runtime/JSDestructibleObject.h:
+        (JSDestructibleObject):
+        (JSC::JSDestructibleObject::classInfoOffset):
+        * runtime/JSGlobalData.cpp:
+        (JSC):
+        (JSC::JSGlobalData::JSGlobalData):
+        (JSC::JSGlobalData::~JSGlobalData):
+        * runtime/JSGlobalData.h:
+        (JSGlobalData):
+        * runtime/JSObject.cpp:
+        * runtime/JSObject.h:
+        (JSC):
+        * runtime/JSWrapperObject.h:
+        (JSC::JSWrapperObject::allocationSize):
+        (JSWrapperObject):
+        (JSC::JSWrapperObject::internalValueOffset):
+        (JSC::JSWrapperObject::internalValueCellOffset):
+        * runtime/StringPrototype.cpp:
+        (JSC):
+        (JSC::StringPrototype::finishCreation):
+        (JSC::StringPrototype::create):
+        * runtime/StringPrototype.h:
+        (StringPrototype):
+
 2013-03-18  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/DerivedSources.make

@@ -1 @@
-# Copyright (C) 2006, 2007, 2008, 2009, 2011 Apple Inc. All rights reserved.
+# Copyright (C) 2006, 2007, 2008, 2009, 2011, 2013 Apple Inc. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -56 +56 @@
     RegExpObject.lut.h \
     StringConstructor.lut.h \
-    StringPrototype.lut.h \
     docs/bytecode.html \
     udis86_itab.h \

trunk/Source/JavaScriptCore/DerivedSources.pri

@@ -25 +25 @@
     runtime/RegExpPrototype.cpp \
     runtime/StringConstructor.cpp \
-    runtime/StringPrototype.cpp \
 
 KEYWORDLUT_FILES += \

trunk/Source/JavaScriptCore/GNUmakefile.list.am

@@ -29 +29 @@
         DerivedSources/JavaScriptCore/RegExpPrototype.lut.h \
         DerivedSources/JavaScriptCore/StringConstructor.lut.h \
-        DerivedSources/JavaScriptCore/StringPrototype.lut.h \
         DerivedSources/JavaScriptCore/LLIntDesiredOffsets.h \
         DerivedSources/JavaScriptCore/LLIntAssembly.h

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -788 +788 @@
             return m_exitProfile.add(site);
         }
+        
+        bool hasExitSite(const DFG::FrequentExitSite& site) const { return m_exitProfile.hasExitSite(site); }
 
         DFG::ExitProfile& exitProfile() { return m_exitProfile; }
@@ -1390 +1392 @@
         return baselineCodeBlock;
     }
-    
+
     inline int CodeBlock::argumentIndexAfterCapture(size_t argument)
     {

trunk/Source/JavaScriptCore/bytecode/DFGExitProfile.cpp

@@ -71 +71 @@
 }
 
+bool ExitProfile::hasExitSite(const FrequentExitSite& site) const
+{
+    if (!m_frequentExitSites)
+        return false;
+    
+    for (unsigned i = m_frequentExitSites->size(); i--;) {
+        if (m_frequentExitSites->at(i) == site)
+            return true;
+    }
+    return false;
+}
+
 QueryableExitProfile::QueryableExitProfile(const ExitProfile& profile)
 {

trunk/Source/JavaScriptCore/bytecode/DFGExitProfile.h

@@ -134 +134 @@
     Vector<FrequentExitSite> exitSitesFor(unsigned bytecodeIndex);
     
+    // This is O(n) and should be called on less-frequently executed code paths
+    // in the compiler. It should be strictly cheaper than building a
+    // QueryableExitProfile, if you really expect this to be called infrequently
+    // and you believe that there are few exit sites.
+    bool hasExitSite(const FrequentExitSite&) const;
+    bool hasExitSite(ExitKind kind) const
+    {
+        return hasExitSite(FrequentExitSite(kind));
+    }
+    bool hasExitSite(unsigned bytecodeIndex, ExitKind kind) const
+    {
+        return hasExitSite(FrequentExitSite(bytecodeIndex, kind));
+    }
+    
 private:
     friend class QueryableExitProfile;

trunk/Source/JavaScriptCore/bytecode/ExitKind.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2012 Apple Inc. All rights reserved.
+ * Copyright (C) 2012, 2013 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -65 +65 @@
     case ArgumentsEscaped:
         return "ArgumentsEscaped";
+    case NotStringObject:
+        return "NotStringObject";
     case Uncountable:
         return "Uncountable";

trunk/Source/JavaScriptCore/bytecode/ExitKind.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2012 Apple Inc. All rights reserved.
+ * Copyright (C) 2012, 2013 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -45 +45 @@
     InadequateCoverage, // We exited because we ended up in code that didn't have profiling coverage.
     ArgumentsEscaped, // We exited because arguments escaped but we didn't expect them to.
+    NotStringObject, // We exited because we shouldn't have attempted to optimize string object access.
     Uncountable, // We exited for none of the above reasons, and we should not count it. Most uses of this should be viewed as a FIXME.
     UncountableWatchpoint // We exited because of a watchpoint, which isn't counted because watchpoints do tracking themselves.

trunk/Source/JavaScriptCore/bytecode/SpeculatedType.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2011, 2012 Apple Inc. All rights reserved.
+ * Copyright (C) 2011, 2012, 2013 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -34 +34 @@
 #include "JSFunction.h"
 #include "Operations.h"
+#include "StringObject.h"
 #include "ValueProfile.h"
 #include <wtf/BoundsCheckedPointer.h>
@@ -121 +122 @@
         isTop = false;
     
-    if (value & SpecMyArguments)
-        myOut.print("Myarguments");
-    else
-        isTop = false;
-    
-    if (value & SpecForeignArguments)
-        myOut.print("Foreignarguments");
+    if (value & SpecArguments)
+        myOut.print("Arguments");
     else
         isTop = false;
@@ -133 +129 @@
     if (value & SpecString)
         myOut.print("String");
+    else
+        isTop = false;
+    
+    if (value & SpecStringObject)
+        myOut.print("Stringobject");
     else
         isTop = false;
@@ -198 +199 @@
     if (isFloat64ArraySpeculation(prediction))
         return "<Float64array>";
-    if (isMyArgumentsSpeculation(prediction))
-        return "<Myarguments>";
     if (isArgumentsSpeculation(prediction))
         return "<Arguments>";
+    if (isStringObjectSpeculation(prediction))
+        return "<StringObject>";
+    if (isStringOrStringObjectSpeculation(prediction))
+        return "<StringOrStringObject>";
     if (isObjectSpeculation(prediction))
         return "<Object>";
@@ -233 +236 @@
     
     if (classInfo == &Arguments::s_info)
-        return SpecArguments; // Cannot distinguish between MyArguments and ForeignArguments at this stage. That happens in the flow analysis.
+        return SpecArguments;
+    
+    if (classInfo == &StringObject::s_info)
+        return SpecStringObject;
     
     if (classInfo->isSubClassOf(&JSFunction::s_info))
         return SpecFunction;
-
     
     if (classInfo->typedArrayStorageType != TypedArrayNone) {

trunk/Source/JavaScriptCore/bytecode/SpeculatedType.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2011, 2012 Apple Inc. All rights reserved.
+ * Copyright (C) 2011, 2012, 2013 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -50 +50 @@
 static const SpeculatedType SpecFloat32Array      = 0x00000800; // It's definitely an Uint16Array or one of its subclasses.
 static const SpeculatedType SpecFloat64Array      = 0x00001000; // It's definitely an Uint16Array or one of its subclasses.
-static const SpeculatedType SpecMyArguments       = 0x00002000; // It's definitely an Arguments object, and it's definitely the one for my current frame.
-static const SpeculatedType SpecForeignArguments  = 0x00004000; // It's definitely an Arguments object, and it's definitely not mine.
-static const SpeculatedType SpecArguments         = 0x00006000; // It's definitely an Arguments object.
+static const SpeculatedType SpecArguments         = 0x00002000; // It's definitely an Arguments object.
+static const SpeculatedType SpecStringObject      = 0x00004000; // It's definitely a StringObject.
 static const SpeculatedType SpecObjectOther       = 0x00008000; // It's definitely an object but not JSFinalObject, JSArray, or JSFunction.
 static const SpeculatedType SpecObject            = 0x0000ffff; // Bitmask used for testing for any kind of object prediction.
@@ -215 +214 @@
 }
 
-inline bool isMyArgumentsSpeculation(SpeculatedType value)
-{
-    return value == SpecMyArguments;
+inline bool isStringObjectSpeculation(SpeculatedType value)
+{
+    return value == SpecStringObject;
+}
+
+inline bool isStringOrStringObjectSpeculation(SpeculatedType value)
+{
+    return !!value && !(value & ~(SpecString | SpecStringObject));
 }
 

trunk/Source/JavaScriptCore/create_hash_table

@@ -272 +272 @@
 
         my $intrinsic = "NoIntrinsic";
-        $intrinsic = "CharCodeAtIntrinsic" if ($key eq "charCodeAt");
-        $intrinsic = "CharAtIntrinsic" if ($key eq "charAt");
         $intrinsic = "FromCharCodeIntrinsic" if ($key eq "fromCharCode");
         if ($name eq "mathTable") {

trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp

@@ -34 +34 @@
 #include "Operations.h"
 #include "PutByIdStatus.h"
+#include "StringObject.h"
 
 namespace JSC { namespace DFG {
@@ -770 +771 @@
             break;
         }
-        forNode(node).set(SpecString);
+        forNode(node).set(m_graph.m_globalData.stringStructure.get());
         break;
     }
@@ -858 +859 @@
     case StringCharAt:
         node->setCanExit(true);
-        forNode(node).set(SpecString);
+        forNode(node).set(m_graph.m_globalData.stringStructure.get());
         break;
             
@@ -877 +878 @@
             break;
         case Array::String:
-            forNode(node).set(SpecString);
+            forNode(node).set(m_graph.m_globalData.stringStructure.get());
             break;
         case Array::Arguments:
@@ -1032 +1033 @@
         }
         
-        if (node->child1().useKind() == Int32Use) {
-            forNode(node).set(SpecInt32);
-            break;
-        }
-
+        ASSERT(node->child1().useKind() == UntypedUse);
+        
         AbstractValue& source = forNode(node->child1());
         AbstractValue& destination = forNode(node);
@@ -1061 +1059 @@
         // deal since we don't do any optimization on those currently.
         
+        clobberWorld(node->codeOrigin, indexInBlock);
+        
         SpeculatedType type = source.m_type;
         if (type & ~(SpecNumber | SpecString | SpecBoolean)) {
@@ -1069 +1069 @@
         break;
     }
+        
+    case ToString: {
+        switch (node->child1().useKind()) {
+        case StringObjectUse:
+            // This also filters that the StringObject has the primordial StringObject
+            // structure.
+            forNode(node->child1()).filter(m_graph.globalObjectFor(node->codeOrigin)->stringObjectStructure());
+            node->setCanExit(true); // We could be more precise but it's likely not worth it.
+            break;
+        case StringOrStringObjectUse:
+            node->setCanExit(true); // We could be more precise but it's likely not worth it.
+            break;
+        case CellUse:
+        case UntypedUse:
+            clobberWorld(node->codeOrigin, indexInBlock);
+            break;
+        default:
+            RELEASE_ASSERT_NOT_REACHED();
+            break;
+        }
+        forNode(node).set(m_graph.m_globalData.stringStructure.get());
+        break;
+    }
+        
+    case NewStringObject: {
+        ASSERT(node->structure()->classInfo() == &StringObject::s_info);
+        forNode(node).set(node->structure());
+        break;
+    }
             
     case StrCat:
-        forNode(node).set(SpecString);
+        forNode(node).set(m_graph.m_globalData.stringStructure.get());
         break;
             

trunk/Source/JavaScriptCore/dfg/DFGAbstractState.h

@@ -191 +191 @@
         case KnownNumberUse:
         case KnownCellUse:
+        case KnownStringUse:
             ASSERT(!(forNode(edge).m_type & ~typeFilterFor(edge.useKind())));
             break;

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -40 +40 @@
 #include "PutByIdStatus.h"
 #include "ResolveGlobalStatus.h"
+#include "StringConstructor.h"
 #include <wtf/CommaPrinter.h>
 #include <wtf/HashMap.h>
@@ -165 +166 @@
     void handleCall(Interpreter*, Instruction* currentInstruction, NodeType op, CodeSpecializationKind);
     void emitFunctionChecks(const CallLinkStatus&, Node* callTarget, int registerOffset, CodeSpecializationKind);
+    void emitArgumentPhantoms(int registerOffset, int argumentCountIncludingThis, CodeSpecializationKind);
     // Handle inlining. Return true if it succeeded, false if we need to plant a call.
     bool handleInlining(bool usesResult, Node* callTargetNode, int resultOperand, const CallLinkStatus&, int registerOffset, int argumentCountIncludingThis, unsigned nextOffset, CodeSpecializationKind);
@@ -1207 +1209 @@
 
     if (InternalFunction* function = callLinkStatus.internalFunction()) {
-        if (handleConstantInternalFunction(usesResult, resultOperand, function, registerOffset, argumentCountIncludingThis, prediction, kind))
+        if (handleConstantInternalFunction(usesResult, resultOperand, function, registerOffset, argumentCountIncludingThis, prediction, kind)) {
+            // This phantoming has to be *after* the code for the intrinsic, to signify that
+            // the inputs must be kept alive whatever exits the intrinsic may do.
+            addToGraph(Phantom, callTarget);
+            emitArgumentPhantoms(registerOffset, argumentCountIncludingThis, kind);
             return;
-            
+        }
+        
         // Can only handle this using the generic call handler.
         addCall(interpreter, currentInstruction, op);
@@ -1220 +1227 @@
             
         if (handleIntrinsic(usesResult, resultOperand, intrinsic, registerOffset, argumentCountIncludingThis, prediction)) {
-            // Need to keep all inputs alive for OSR, and need to ensure that we get
-            // backwards propagation of NodeUsedAsValue. Note that inlining doesn't
-            // need to do this because it already Flushes the arguments, which has a
-            // similar effect.
+            // This phantoming has to be *after* the code for the intrinsic, to signify that
+            // the inputs must be kept alive whatever exits the intrinsic may do.
             addToGraph(Phantom, callTarget);
-            for (int i = 0; i < argumentCountIncludingThis; ++i)
-                addToGraph(Phantom, get(registerOffset + argumentToOperand(i)));
-            
+            emitArgumentPhantoms(registerOffset, argumentCountIncludingThis, kind);
             return;
         }
@@ -1260 +1263 @@
         addToGraph(CheckExecutable, OpInfo(callLinkStatus.executable()), callTarget, thisArgument);
     }
+}
+
+void ByteCodeParser::emitArgumentPhantoms(int registerOffset, int argumentCountIncludingThis, CodeSpecializationKind kind)
+{
+    for (int i = kind == CodeForCall ? 0 : 1; i < argumentCountIncludingThis; ++i)
+        addToGraph(Phantom, get(registerOffset + argumentToOperand(i)));
 }
 
@@ -1629 +1638 @@
     
     UNUSED_PARAM(prediction); // Remove this once we do more things.
-    UNUSED_PARAM(kind); // Remove this once we do more things.
     
     if (function->classInfo() == &ArrayConstructor::s_info) {
@@ -1644 +1652 @@
             usesResult, resultOperand,
             addToGraph(Node::VarArg, NewArray, OpInfo(ArrayWithUndecided), OpInfo(0)));
+        return true;
+    } else if (function->classInfo() == &StringConstructor::s_info) {
+        Node* result;
+        
+        if (argumentCountIncludingThis <= 1)
+            result = cellConstant(m_globalData->smallStrings.emptyString());
+        else
+            result = addToGraph(ToString, get(registerOffset + argumentToOperand(1)));
+        
+        if (kind == CodeForConstruct)
+            result = addToGraph(NewStringObject, OpInfo(function->globalObject()->stringObjectStructure()), result);
+        
+        setIntrinsicResult(usesResult, resultOperand, result);
         return true;
     }

trunk/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp

@@ -577 +577 @@
             case ReallocatePropertyStorage:
             case TypeOf:
+            case ToString:
+            case NewStringObject:
                 return 0;
                 

trunk/Source/JavaScriptCore/dfg/DFGEdge.h

@@ -149 +149 @@
     
 #if USE(JSVALUE64)
-    static uint32_t shift() { return 5; }
+    static uint32_t shift() { return 6; }
     
     static uintptr_t makeWord(Node* node, UseKind useKind, ProofStatus proofStatus)

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -527 +527 @@
             
         case ToPrimitive: {
-            if (node->child1()->shouldSpeculateInteger())
+            if (node->child1()->shouldSpeculateInteger()) {
                 setUseKindAndUnboxIfProfitable<Int32Use>(node->child1());
+                node->convertToIdentity();
+                break;
+            }
+            
+            if (node->child1()->shouldSpeculateString()) {
+                setUseKindAndUnboxIfProfitable<StringUse>(node->child1());
+                node->convertToIdentity();
+                break;
+            }
+            
+            if (node->child1()->shouldSpeculateStringObject()
+                && canOptimizeStringObjectAccess(node->codeOrigin)) {
+                setUseKindAndUnboxIfProfitable<StringObjectUse>(node->child1());
+                node->convertToToString();
+                break;
+            }
+            
+            if (node->child1()->shouldSpeculateStringOrStringObject()
+                && canOptimizeStringObjectAccess(node->codeOrigin)) {
+                setUseKindAndUnboxIfProfitable<StringOrStringObjectUse>(node->child1());
+                node->convertToToString();
+                break;
+            }
+            
             // FIXME: Add string speculation here.
             // https://bugs.webkit.org/show_bug.cgi?id=110175
+            break;
+        }
+            
+        case ToString: {
+            if (node->child1()->shouldSpeculateString()) {
+                setUseKindAndUnboxIfProfitable<StringUse>(node->child1());
+                node->convertToIdentity();
+                break;
+            }
+            
+            if (node->child1()->shouldSpeculateStringObject()
+                && canOptimizeStringObjectAccess(node->codeOrigin)) {
+                setUseKindAndUnboxIfProfitable<StringObjectUse>(node->child1());
+                break;
+            }
+            
+            if (node->child1()->shouldSpeculateStringOrStringObject()
+                && canOptimizeStringObjectAccess(node->codeOrigin)) {
+                setUseKindAndUnboxIfProfitable<StringOrStringObjectUse>(node->child1());
+                break;
+            }
+            
+            if (node->child1()->shouldSpeculateCell()) {
+                setUseKindAndUnboxIfProfitable<CellUse>(node->child1());
+                break;
+            }
+            
+            break;
+        }
+            
+        case NewStringObject: {
+            setUseKindAndUnboxIfProfitable<KnownStringUse>(node->child1());
             break;
         }
@@ -807 +863 @@
     }
     
+    bool isStringPrototypeMethodSane(Structure* stringPrototypeStructure, const Identifier& ident)
+    {
+        unsigned attributesUnused;
+        JSCell* specificValue;
+        PropertyOffset offset = stringPrototypeStructure->get(
+            globalData(), ident, attributesUnused, specificValue);
+        if (!isValidOffset(offset))
+            return false;
+        
+        if (!specificValue)
+            return false;
+        
+        if (!specificValue->inherits(&JSFunction::s_info))
+            return false;
+        
+        JSFunction* function = jsCast<JSFunction*>(specificValue);
+        if (function->executable()->intrinsicFor(CodeForCall) != StringPrototypeValueOfIntrinsic)
+            return false;
+        
+        return true;
+    }
+    
+    bool canOptimizeStringObjectAccess(const CodeOrigin& codeOrigin)
+    {
+        if (m_graph.hasExitSite(codeOrigin, NotStringObject))
+            return false;
+        
+        Structure* stringObjectStructure = m_graph.globalObjectFor(codeOrigin)->stringObjectStructure();
+        ASSERT(stringObjectStructure->storedPrototype().isObject());
+        ASSERT(stringObjectStructure->storedPrototype().asCell()->classInfo() == &StringPrototype::s_info);
+        
+        JSObject* stringPrototypeObject = asObject(stringObjectStructure->storedPrototype());
+        Structure* stringPrototypeStructure = stringPrototypeObject->structure();
+        if (stringPrototypeStructure->transitionWatchpointSetHasBeenInvalidated())
+            return false;
+        
+        if (stringPrototypeStructure->isDictionary())
+            return false;
+        
+        // We're being conservative here. We want DFG's ToString on StringObject to be
+        // used in both numeric contexts (that would call valueOf()) and string contexts
+        // (that would call toString()). We don't want the DFG to have to distinguish
+        // between the two, just because that seems like it would get confusing. So we
+        // just require both methods to be sane.
+        if (!isStringPrototypeMethodSane(stringPrototypeStructure, globalData().propertyNames->valueOf))
+            return false;
+        if (!isStringPrototypeMethodSane(stringPrototypeStructure, globalData().propertyNames->toString))
+            return false;
+        
+        return true;
+    }
+    
     void fixupSetLocalsInBlock(BasicBlock* block)
     {
@@ -975 +1083 @@
         case ObjectUse:
         case StringUse:
+        case KnownStringUse:
+        case StringObjectUse:
+        case StringOrStringObjectUse:
             if (alwaysUnboxSimplePrimitives()
                 || isCellSpeculation(variable->prediction()))

trunk/Source/JavaScriptCore/dfg/DFGGraph.h

@@ -377 +377 @@
     }
     
+    bool hasGlobalExitSite(const CodeOrigin& codeOrigin, ExitKind exitKind)
+    {
+        return baselineCodeBlockFor(codeOrigin)->hasExitSite(FrequentExitSite(exitKind));
+    }
+    
+    bool hasExitSite(const CodeOrigin& codeOrigin, ExitKind exitKind)
+    {
+        return baselineCodeBlockFor(codeOrigin)->hasExitSite(FrequentExitSite(codeOrigin.bytecodeIndex, exitKind));
+    }
+    
     int argumentsRegisterFor(const CodeOrigin& codeOrigin)
     {
@@ -523 +533 @@
         case PutByValAlias:
             return !byValIsPure(node);
+        case ToString:
+            switch (node->child1().useKind()) {
+            case StringObjectUse:
+            case StringOrStringObjectUse:
+                return false;
+            case CellUse:
+            case UntypedUse:
+                return true;
+            default:
+                RELEASE_ASSERT_NOT_REACHED();
+                return true;
+            }
         default:
             RELEASE_ASSERT_NOT_REACHED();

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -350 +350 @@
     }
     
+    void convertToToString()
+    {
+        ASSERT(m_op == ToPrimitive);
+        m_op = ToString;
+    }
+    
     JSCell* weakConstant()
     {
@@ -845 +851 @@
         case ArrayifyToStructure:
         case NewObject:
+        case NewStringObject:
             return true;
         default:
@@ -1121 +1128 @@
     }
  
+    bool shouldSpeculateStringObject()
+    {
+        return isStringObjectSpeculation(prediction());
+    }
+    
+    bool shouldSpeculateStringOrStringObject()
+    {
+        return isStringOrStringObjectSpeculation(prediction());
+    }
+    
     bool shouldSpeculateFinalObject()
     {

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -223 +223 @@
     macro(LogicalNot, NodeResultBoolean) \
     macro(ToPrimitive, NodeResultJS | NodeMustGenerate | NodeClobbersWorld) \
+    macro(ToString, NodeResultJS | NodeMustGenerate | NodeMightClobber) \
+    macro(NewStringObject, NodeResultJS) \
     macro(StrCat, NodeResultJS | NodeMustGenerate | NodeHasVarArgs | NodeClobbersWorld) \
     \

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -1546 +1546 @@
 
     return string->value(exec).impl();
+}
+
+JSCell* DFG_OPERATION operationNewStringObject(ExecState* exec, JSString* string, Structure* structure)
+{
+    JSGlobalData& globalData = exec->globalData();
+    NativeCallFrameTracer tracer(&globalData, exec);
+    
+    return StringObject::create(exec, structure, string);
+}
+
+JSCell* DFG_OPERATION operationToStringOnCell(ExecState* exec, JSCell* cell)
+{
+    JSGlobalData& globalData = exec->globalData();
+    NativeCallFrameTracer tracer(&globalData, exec);
+    
+    return JSValue(cell).toString(exec);
+}
+
+JSCell* DFG_OPERATION operationToString(ExecState* exec, EncodedJSValue value)
+{
+    JSGlobalData& globalData = exec->globalData();
+    NativeCallFrameTracer tracer(&globalData, exec);
+
+    return JSValue::decode(value).toString(exec);
 }
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -86 +86 @@
 typedef JSCell* DFG_OPERATION (*C_DFGOperation_ECC)(ExecState*, JSCell*, JSCell*);
 typedef JSCell* DFG_OPERATION (*C_DFGOperation_EIcf)(ExecState*, InlineCallFrame*);
+typedef JSCell* DFG_OPERATION (*C_DFGOperation_EJ)(ExecState*, EncodedJSValue);
+typedef JSCell* DFG_OPERATION (*C_DFGOperation_EJssSt)(ExecState*, JSString*, Structure*);
 typedef JSCell* DFG_OPERATION (*C_DFGOperation_EOZ)(ExecState*, JSObject*, int32_t);
 typedef JSCell* DFG_OPERATION (*C_DFGOperation_ESt)(ExecState*, Structure*);
@@ -213 +215 @@
 char* DFG_OPERATION operationEnsureArrayStorage(ExecState*, JSCell*);
 StringImpl* DFG_OPERATION operationResolveRope(ExecState*, JSString*);
+JSCell* DFG_OPERATION operationNewStringObject(ExecState*, JSString*, Structure*);
+JSCell* DFG_OPERATION operationToStringOnCell(ExecState*, JSCell*);
+JSCell* DFG_OPERATION operationToString(ExecState*, EncodedJSValue);
 
 // This method is used to lookup an exception hander, keyed by faultLocation, which is

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -414 +414 @@
         
         case StringCharAt:
-        case StrCat: {
+        case StrCat:
+        case ToString: {
             changed |= setPrediction(SpecString);
             break;
@@ -437 +438 @@
                     changed |= mergePrediction(child);
             }
+            break;
+        }
+            
+        case NewStringObject: {
+            changed |= setPrediction(SpecStringObject);
             break;
         }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -3923 +3923 @@
 }
 
+void SpeculativeJIT::compileToStringOnCell(Node* node)
+{
+    SpeculateCellOperand op1(this, node->child1());
+    GPRReg op1GPR = op1.gpr();
+    
+    switch (node->child1().useKind()) {
+    case StringObjectUse: {
+        GPRTemporary result(this);
+        GPRReg resultGPR = result.gpr();
+        
+        if (!m_state.forNode(node->child1()).m_currentKnownStructure.isSubsetOf(StructureSet(m_jit.globalObjectFor(node->codeOrigin)->stringObjectStructure()))) {
+            speculateStringObject(op1GPR);
+            m_state.forNode(node->child1()).filter(SpecStringObject);
+        }
+        m_jit.loadPtr(JITCompiler::Address(op1GPR, JSWrapperObject::internalValueCellOffset()), resultGPR);
+        cellResult(resultGPR, node);
+        break;
+    }
+        
+    case StringOrStringObjectUse: {
+        GPRTemporary result(this);
+        GPRReg resultGPR = result.gpr();
+        
+        m_jit.loadPtr(JITCompiler::Address(op1GPR, JSCell::structureOffset()), resultGPR);
+        JITCompiler::Jump isString = m_jit.branchPtr(
+            JITCompiler::Equal, resultGPR, TrustedImmPtr(m_jit.globalData()->stringStructure.get()));
+        
+        speculateStringObjectForStructure(resultGPR);
+        
+        m_jit.loadPtr(JITCompiler::Address(op1GPR, JSWrapperObject::internalValueCellOffset()), resultGPR);
+        
+        JITCompiler::Jump done = m_jit.jump();
+        isString.link(&m_jit);
+        m_jit.move(op1GPR, resultGPR);
+        done.link(&m_jit);
+        
+        m_state.forNode(node->child1()).filter(SpecString | SpecStringObject);
+        
+        cellResult(resultGPR, node);
+        break;
+    }
+        
+    case CellUse: {
+        GPRResult result(this);
+        GPRReg resultGPR = result.gpr();
+        
+        // We flush registers instead of silent spill/fill because in this mode we
+        // believe that most likely the input is not a string, and we need to take
+        // slow path.
+        flushRegisters();
+        JITCompiler::Jump done;
+        if (node->child1()->prediction() & SpecString) {
+            done = m_jit.branchPtr(
+                JITCompiler::Equal,
+                JITCompiler::Address(op1GPR, JSCell::structureOffset()),
+                TrustedImmPtr(m_jit.globalData()->stringStructure.get()));
+        }
+        callOperation(operationToStringOnCell, resultGPR, op1GPR);
+        if (done.isSet())
+            done.link(&m_jit);
+        cellResult(resultGPR, node);
+        break;
+    }
+        
+    default:
+        RELEASE_ASSERT_NOT_REACHED();
+    }
+}
+
+void SpeculativeJIT::compileNewStringObject(Node* node)
+{
+    SpeculateCellOperand operand(this, node->child1());
+    
+    GPRTemporary result(this);
+    GPRTemporary scratch1(this);
+    GPRTemporary scratch2(this);
+
+    GPRReg operandGPR = operand.gpr();
+    GPRReg resultGPR = result.gpr();
+    GPRReg scratch1GPR = scratch1.gpr();
+    GPRReg scratch2GPR = scratch2.gpr();
+    
+    JITCompiler::JumpList slowPath;
+    
+    emitAllocateJSObject<StringObject>(
+        resultGPR, TrustedImmPtr(node->structure()), TrustedImmPtr(0), scratch1GPR, scratch2GPR,
+        slowPath);
+    
+    m_jit.storePtr(
+        TrustedImmPtr(&StringObject::s_info),
+        JITCompiler::Address(resultGPR, JSDestructibleObject::classInfoOffset()));
+#if USE(JSVALUE64)
+    m_jit.store64(
+        operandGPR, JITCompiler::Address(resultGPR, JSWrapperObject::internalValueOffset()));
+#else
+    m_jit.store32(
+        TrustedImm32(JSValue::CellTag),
+        JITCompiler::Address(resultGPR, JSWrapperObject::internalValueOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
+    m_jit.store32(
+        operandGPR,
+        JITCompiler::Address(resultGPR, JSWrapperObject::internalValueOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.payload)));
+#endif
+    
+    addSlowPathGenerator(slowPathCall(
+        slowPath, this, operationNewStringObject, resultGPR, operandGPR, node->structure()));
+    
+    cellResult(resultGPR, node);
+}
+
 void SpeculativeJIT::speculateInt32(Edge edge)
 {
@@ -3974 +4083 @@
     
     SpeculateCellOperand operand(this, edge);
+    GPRReg gpr = operand.gpr();
     DFG_TYPE_CHECK(
-        JSValueSource::unboxedCell(operand.gpr()), edge, SpecObject, m_jit.branchPtr(
+        JSValueSource::unboxedCell(gpr), edge, SpecObject, m_jit.branchPtr(
             MacroAssembler::Equal, 
-            MacroAssembler::Address(operand.gpr(), JSCell::structureOffset()), 
+            MacroAssembler::Address(gpr, JSCell::structureOffset()), 
             MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get())));
 }
@@ -3994 +4104 @@
         MacroAssembler::NonZero, gpr, GPRInfo::tagMaskRegister);
     DFG_TYPE_CHECK(
-        JSValueRegs(operand.gpr()), edge, (~SpecCell) | SpecObject, m_jit.branchPtr(
+        JSValueRegs(gpr), edge, (~SpecCell) | SpecObject, m_jit.branchPtr(
             MacroAssembler::Equal, 
             MacroAssembler::Address(gpr, JSCell::structureOffset()), 
@@ -4043 +4153 @@
     
     SpeculateCellOperand operand(this, edge);
+    GPRReg gpr = operand.gpr();
     DFG_TYPE_CHECK(
-        JSValueSource::unboxedCell(operand.gpr()), edge, SpecString, m_jit.branchPtr(
+        JSValueSource::unboxedCell(gpr), edge, SpecString, m_jit.branchPtr(
             MacroAssembler::NotEqual, 
-            MacroAssembler::Address(operand.gpr(), JSCell::structureOffset()), 
+            MacroAssembler::Address(gpr, JSCell::structureOffset()), 
             MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get())));
+}
+
+void SpeculativeJIT::speculateStringObject(GPRReg gpr)
+{
+    speculateStringObjectForStructure(JITCompiler::Address(gpr, JSCell::structureOffset()));
+}
+
+void SpeculativeJIT::speculateStringObject(Edge edge)
+{
+    if (!needsTypeCheck(edge, SpecStringObject))
+        return;
+    
+    SpeculateCellOperand operand(this, edge);
+    GPRReg gpr = operand.gpr();
+    if (!needsTypeCheck(edge, SpecStringObject))
+        return;
+    
+    speculateStringObject(gpr);
+    m_state.forNode(edge).filter(SpecStringObject);
+}
+
+void SpeculativeJIT::speculateStringOrStringObject(Edge edge)
+{
+    if (!needsTypeCheck(edge, SpecString | SpecStringObject))
+        return;
+    
+    SpeculateCellOperand operand(this, edge);
+    GPRReg gpr = operand.gpr();
+    if (!needsTypeCheck(edge, SpecString | SpecStringObject))
+        return;
+    
+    GPRTemporary structure(this);
+    GPRReg structureGPR = structure.gpr();
+    
+    m_jit.loadPtr(JITCompiler::Address(gpr, JSCell::structureOffset()), structureGPR);
+    
+    JITCompiler::Jump isString = m_jit.branchPtr(
+        JITCompiler::Equal, structureGPR, TrustedImmPtr(m_jit.globalData()->stringStructure.get()));
+    
+    speculateStringObjectForStructure(structureGPR);
+    
+    isString.link(&m_jit);
+    
+    m_state.forNode(edge).filter(SpecString | SpecStringObject);
 }
 
@@ -4108 +4263 @@
         ASSERT(!needsTypeCheck(edge, SpecCell));
         break;
+    case KnownStringUse:
+        ASSERT(!needsTypeCheck(edge, SpecString));
+        break;
     case Int32Use:
         speculateInt32(edge);
@@ -4132 +4290 @@
         speculateString(edge);
         break;
+    case StringObjectUse:
+        speculateStringObject(edge);
+        break;
+    case StringOrStringObjectUse:
+        speculateStringOrStringObject(edge);
+        break;
     case NotCellUse:
         speculateNotCell(edge);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1086 +1086 @@
         return appendCallWithExceptionCheckSetResult(operation, result);
     }
+    JITCompiler::Call callOperation(C_DFGOperation_EJssSt operation, GPRReg result, GPRReg arg1, Structure* structure)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, TrustedImmPtr(structure));
+        return appendCallWithExceptionCheckSetResult(operation, result);
+    }
+    JITCompiler::Call callOperation(C_DFGOperation_EJ operation, GPRReg result, GPRReg arg1)
+    {
+        m_jit.setupArgumentsWithExecState(arg1);
+        return appendCallWithExceptionCheckSetResult(operation, result);
+    }
     JITCompiler::Call callOperation(S_DFGOperation_J operation, GPRReg result, GPRReg arg1)
     {
@@ -1472 +1482 @@
     {
         m_jit.setupArgumentsWithExecState(TrustedImmPtr(structure));
+        return appendCallWithExceptionCheckSetResult(operation, result);
+    }
+    JITCompiler::Call callOperation(C_DFGOperation_EJssSt operation, GPRReg result, GPRReg arg1, Structure* structure)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, TrustedImmPtr(structure));
+        return appendCallWithExceptionCheckSetResult(operation, result);
+    }
+    JITCompiler::Call callOperation(C_DFGOperation_EJ operation, GPRReg result, GPRReg arg1Tag, GPRReg arg1Payload)
+    {
+        m_jit.setupArgumentsWithExecState(arg1Payload, arg1Tag);
         return appendCallWithExceptionCheckSetResult(operation, result);
     }
@@ -2031 +2051 @@
     void emitObjectOrOtherBranch(Edge value, BlockIndex taken, BlockIndex notTaken);
     void emitBranch(Node*);
+    
+    void compileToStringOnCell(Node*);
+    void compileNewStringObject(Node*);
     
     void compileIntegerCompare(Node*, MacroAssembler::RelationalCondition);
@@ -2205 +2228 @@
     void speculateObjectOrOther(Edge);
     void speculateString(Edge);
+    template<typename StructureLocationType>
+    void speculateStringObjectForStructure(StructureLocationType);
+    void speculateStringObject(GPRReg);
+    void speculateStringObject(Edge);
+    void speculateStringOrStringObject(Edge);
     void speculateNotCell(Edge);
     void speculateOther(Edge);
@@ -2839 +2867 @@
     {
         ASSERT(m_jit);
-        ASSERT_UNUSED(mode, mode == ManualOperandSpeculation || (edge.useKind() == CellUse || edge.useKind() == KnownCellUse || edge.useKind() == ObjectUse || edge.useKind() == StringUse));
+        ASSERT_UNUSED(mode, mode == ManualOperandSpeculation || (edge.useKind() == CellUse || edge.useKind() == KnownCellUse || edge.useKind() == ObjectUse || edge.useKind() == StringUse || edge.useKind() == KnownStringUse || edge.useKind() == StringObjectUse || edge.useKind() == StringOrStringObjectUse));
         if (jit->isFilled(node()))
             gpr();
@@ -2925 +2953 @@
 };
 
+template<typename StructureLocationType>
+void SpeculativeJIT::speculateStringObjectForStructure(StructureLocationType structureLocation)
+{
+    Structure* stringObjectStructure =
+        m_jit.globalObjectFor(m_currentNode->codeOrigin)->stringObjectStructure();
+    Structure* stringPrototypeStructure = stringObjectStructure->storedPrototype().asCell()->structure();
+    ASSERT(stringPrototypeStructure->transitionWatchpointSetIsStillValid());
+    
+    speculationCheck(
+        NotStringObject, JSValueRegs(), 0,
+        m_jit.branchPtr(
+            JITCompiler::NotEqual, structureLocation, TrustedImmPtr(stringObjectStructure)));
+    stringPrototypeStructure->addTransitionWatchpoint(speculationWatchpoint(NotStringObject));
+}
+
 #define DFG_TYPE_CHECK(source, edge, typesPassedThrough, jumpToFail) do { \
         if (!needsTypeCheck((edge), (typesPassedThrough)))              \

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -1100 +1100 @@
     AbstractValue& value = m_state.forNode(edge);
     SpeculatedType type = value.m_type;
-    ASSERT(edge.useKind() != KnownCellUse || !(value.m_type & ~SpecCell));
+    ASSERT((edge.useKind() != KnownCellUse && edge.useKind() != KnownStringUse) || !(value.m_type & ~SpecCell));
     value.filter(SpecCell);
     VirtualRegister virtualRegister = edge->virtualRegister();
@@ -3259 +3259 @@
         
     case ToPrimitive: {
-        switch (node->child1().useKind()) {
-        case Int32Use: {
-            // It's really profitable to speculate integer, since it's really cheap,
-            // it means we don't have to do any real work, and we emit a lot less code.
-            
-            SpeculateIntegerOperand op1(this, node->child1());
-            GPRTemporary result(this, op1);
-            
-            ASSERT(op1.format() == DataFormatInteger);
-            m_jit.move(op1.gpr(), result.gpr());
-            
-            integerResult(result.gpr(), node);
-            break;
-        }
-
-        case UntypedUse: {
+        RELEASE_ASSERT(node->child1().useKind() == UntypedUse);
+        JSValueOperand op1(this, node->child1());
+        GPRTemporary resultTag(this, op1);
+        GPRTemporary resultPayload(this, op1, false);
+        
+        GPRReg op1TagGPR = op1.tagGPR();
+        GPRReg op1PayloadGPR = op1.payloadGPR();
+        GPRReg resultTagGPR = resultTag.gpr();
+        GPRReg resultPayloadGPR = resultPayload.gpr();
+        
+        op1.use();
+        
+        if (!(m_state.forNode(node->child1()).m_type & ~(SpecNumber | SpecBoolean))) {
+            m_jit.move(op1TagGPR, resultTagGPR);
+            m_jit.move(op1PayloadGPR, resultPayloadGPR);
+        } else {
+            MacroAssembler::Jump alreadyPrimitive = m_jit.branch32(MacroAssembler::NotEqual, op1TagGPR, TrustedImm32(JSValue::CellTag));
+            MacroAssembler::Jump notPrimitive = m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op1PayloadGPR, JSCell::structureOffset()), MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get()));
+            
+            alreadyPrimitive.link(&m_jit);
+            m_jit.move(op1TagGPR, resultTagGPR);
+            m_jit.move(op1PayloadGPR, resultPayloadGPR);
+            
+            addSlowPathGenerator(
+                slowPathCall(
+                    notPrimitive, this, operationToPrimitive,
+                    JSValueRegs(resultTagGPR, resultPayloadGPR), op1TagGPR, op1PayloadGPR));
+        }
+        
+        jsValueResult(resultTagGPR, resultPayloadGPR, node, UseChildrenCalledExplicitly);
+        break;
+    }
+        
+    case ToString: {
+        if (node->child1().useKind() == UntypedUse) {
             JSValueOperand op1(this, node->child1());
-            GPRTemporary resultTag(this, op1);
-            GPRTemporary resultPayload(this, op1, false);
-        
+            GPRReg op1PayloadGPR = op1.payloadGPR();
             GPRReg op1TagGPR = op1.tagGPR();
-            GPRReg op1PayloadGPR = op1.payloadGPR();
-            GPRReg resultTagGPR = resultTag.gpr();
-            GPRReg resultPayloadGPR = resultPayload.gpr();
-        
-            op1.use();
-        
-            if (!(m_state.forNode(node->child1()).m_type & ~(SpecNumber | SpecBoolean))) {
-                m_jit.move(op1TagGPR, resultTagGPR);
-                m_jit.move(op1PayloadGPR, resultPayloadGPR);
-            } else {
-                MacroAssembler::Jump alreadyPrimitive = m_jit.branch32(MacroAssembler::NotEqual, op1TagGPR, TrustedImm32(JSValue::CellTag));
-                MacroAssembler::Jump notPrimitive = m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op1PayloadGPR, JSCell::structureOffset()), MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get()));
-            
-                alreadyPrimitive.link(&m_jit);
-                m_jit.move(op1TagGPR, resultTagGPR);
-                m_jit.move(op1PayloadGPR, resultPayloadGPR);
-            
-                addSlowPathGenerator(
-                    slowPathCall(
-                        notPrimitive, this, operationToPrimitive,
-                        JSValueRegs(resultTagGPR, resultPayloadGPR), op1TagGPR, op1PayloadGPR));
+            
+            GPRResult result(this);
+            GPRReg resultGPR = result.gpr();
+            
+            flushRegisters();
+            
+            JITCompiler::Jump done;
+            if (node->child1()->prediction() & SpecString) {
+                JITCompiler::Jump slowPath = m_jit.branch32(
+                    JITCompiler::NotEqual, op1TagGPR, TrustedImm32(JSValue::CellTag));
+                done = m_jit.branchPtr(
+                    JITCompiler::Equal,
+                    JITCompiler::Address(op1PayloadGPR, JSCell::structureOffset()),
+                    TrustedImmPtr(m_jit.globalData()->stringStructure.get()));
+                slowPath.link(&m_jit);
             }
-        
-            jsValueResult(resultTagGPR, resultPayloadGPR, node, UseChildrenCalledExplicitly);
-            break;
-        }
-            
-        default:
-            RELEASE_ASSERT_NOT_REACHED();
-            break;
-        }
+            callOperation(operationToString, resultGPR, op1TagGPR, op1PayloadGPR);
+            if (done.isSet())
+                done.link(&m_jit);
+            cellResult(resultGPR, node);
+            break;
+        }
+        
+        compileToStringOnCell(node);
+        break;
+    }
+        
+    case NewStringObject: {
+        compileNewStringObject(node);
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -1126 +1126 @@
     AbstractValue& value = m_state.forNode(edge);
     SpeculatedType type = value.m_type;
-    ASSERT(edge.useKind() != KnownCellUse || !(value.m_type & ~SpecCell));
+    ASSERT((edge.useKind() != KnownCellUse && edge.useKind() != KnownStringUse) || !(value.m_type & ~SpecCell));
     value.filter(SpecCell);
     VirtualRegister virtualRegister = edge->virtualRegister();
@@ -3189 +3189 @@
         
     case ToPrimitive: {
-        switch (node->child1().useKind()) {
-        case Int32Use: {
-            // It's really profitable to speculate integer, since it's really cheap,
-            // it means we don't have to do any real work, and we emit a lot less code.
-            
-            SpeculateIntegerOperand op1(this, node->child1());
-            GPRTemporary result(this, op1);
-            
-            m_jit.move(op1.gpr(), result.gpr());
-            if (op1.format() == DataFormatInteger)
-                m_jit.or64(GPRInfo::tagTypeNumberRegister, result.gpr());
-            
-            jsValueResult(result.gpr(), node);
-            break;
-        }
-        
-        case UntypedUse: {
+        RELEASE_ASSERT(node->child1().useKind() == UntypedUse);
+        JSValueOperand op1(this, node->child1());
+        GPRTemporary result(this, op1);
+        
+        GPRReg op1GPR = op1.gpr();
+        GPRReg resultGPR = result.gpr();
+        
+        op1.use();
+        
+        if (!(m_state.forNode(node->child1()).m_type & ~(SpecNumber | SpecBoolean)))
+            m_jit.move(op1GPR, resultGPR);
+        else {
+            MacroAssembler::Jump alreadyPrimitive = m_jit.branchTest64(MacroAssembler::NonZero, op1GPR, GPRInfo::tagMaskRegister);
+            MacroAssembler::Jump notPrimitive = m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op1GPR, JSCell::structureOffset()), MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get()));
+            
+            alreadyPrimitive.link(&m_jit);
+            m_jit.move(op1GPR, resultGPR);
+            
+            addSlowPathGenerator(
+                slowPathCall(notPrimitive, this, operationToPrimitive, resultGPR, op1GPR));
+        }
+        
+        jsValueResult(resultGPR, node, UseChildrenCalledExplicitly);
+        break;
+    }
+        
+    case ToString: {
+        if (node->child1().useKind() == UntypedUse) {
             JSValueOperand op1(this, node->child1());
-            GPRTemporary result(this, op1);
-        
             GPRReg op1GPR = op1.gpr();
+            
+            GPRResult result(this);
             GPRReg resultGPR = result.gpr();
-        
-            op1.use();
-        
-            if (!(m_state.forNode(node->child1()).m_type & ~(SpecNumber | SpecBoolean)))
-                m_jit.move(op1GPR, resultGPR);
-            else {
-                MacroAssembler::Jump alreadyPrimitive = m_jit.branchTest64(MacroAssembler::NonZero, op1GPR, GPRInfo::tagMaskRegister);
-                MacroAssembler::Jump notPrimitive = m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op1GPR, JSCell::structureOffset()), MacroAssembler::TrustedImmPtr(m_jit.globalData()->stringStructure.get()));
-            
-                alreadyPrimitive.link(&m_jit);
-                m_jit.move(op1GPR, resultGPR);
-            
-                addSlowPathGenerator(
-                    slowPathCall(notPrimitive, this, operationToPrimitive, resultGPR, op1GPR));
+            
+            flushRegisters();
+            
+            JITCompiler::Jump done;
+            if (node->child1()->prediction() & SpecString) {
+                JITCompiler::Jump slowPath = m_jit.branchTest64(
+                    JITCompiler::NonZero, op1GPR, GPRInfo::tagMaskRegister);
+                done = m_jit.branchPtr(
+                    JITCompiler::Equal,
+                    JITCompiler::Address(op1GPR, JSCell::structureOffset()),
+                    TrustedImmPtr(m_jit.globalData()->stringStructure.get()));
+                slowPath.link(&m_jit);
             }
-        
-            jsValueResult(resultGPR, node, UseChildrenCalledExplicitly);
-            break;
-        }
-            
-        default:
-            RELEASE_ASSERT_NOT_REACHED();
-            break;
-        }
+            callOperation(operationToString, resultGPR, op1GPR);
+            if (done.isSet())
+                done.link(&m_jit);
+            cellResult(resultGPR, node);
+            break;
+        }
+        
+        compileToStringOnCell(node);
+        break;
+    }
+        
+    case NewStringObject: {
+        compileNewStringObject(node);
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGUseKind.cpp

@@ -72 +72 @@
         out.print("String");
         break;
+    case KnownStringUse:
+        out.print("KnownString");
+        break;
+    case StringObjectUse:
+        out.print("StringObject");
+        break;
+    case StringOrStringObjectUse:
+        out.print("StringOrStringObject");
+        break;
     case NotCellUse:
         out.print("NotCell");

trunk/Source/JavaScriptCore/dfg/DFGUseKind.h

@@ -49 +49 @@
     ObjectOrOtherUse,
     StringUse,
+    KnownStringUse,
+    StringObjectUse,
+    StringOrStringObjectUse,
     NotCellUse,
     OtherUse,
@@ -77 +80 @@
         return SpecObject | SpecOther;
     case StringUse:
+    case KnownStringUse:
         return SpecString;
+    case StringObjectUse:
+        return SpecStringObject;
+    case StringOrStringObjectUse:
+        return SpecString | SpecStringObject;
     case NotCellUse:
         return ~SpecCell;

trunk/Source/JavaScriptCore/interpreter/CallFrame.h

@@ -95 +95 @@
         static const HashTable* regExpConstructorTable(CallFrame* callFrame) { return callFrame->globalData().regExpConstructorTable; }
         static const HashTable* regExpPrototypeTable(CallFrame* callFrame) { return callFrame->globalData().regExpPrototypeTable; }
-        static const HashTable* stringTable(CallFrame* callFrame) { return callFrame->globalData().stringTable; }
         static const HashTable* stringConstructorTable(CallFrame* callFrame) { return callFrame->globalData().stringConstructorTable; }
 

trunk/Source/JavaScriptCore/runtime/Intrinsic.h

@@ -48 +48 @@
     RegExpExecIntrinsic,
     RegExpTestIntrinsic,
+    StringPrototypeValueOfIntrinsic
 };
 

trunk/Source/JavaScriptCore/runtime/JSDestructibleObject.h

@@ -15 +15 @@
 
     const ClassInfo* classInfo() const { return m_classInfo; }
+    
+    static ptrdiff_t classInfoOffset() { return OBJECT_OFFSETOF(JSDestructibleObject, m_classInfo); }
 
 protected:

trunk/Source/JavaScriptCore/runtime/JSGlobalData.cpp

@@ -98 +98 @@
 extern const HashTable regExpConstructorTable;
 extern const HashTable regExpPrototypeTable;
-extern const HashTable stringTable;
 extern const HashTable stringConstructorTable;
 
@@ -159 +158 @@
     , regExpConstructorTable(fastNew<HashTable>(JSC::regExpConstructorTable))
     , regExpPrototypeTable(fastNew<HashTable>(JSC::regExpPrototypeTable))
-    , stringTable(fastNew<HashTable>(JSC::stringTable))
     , stringConstructorTable(fastNew<HashTable>(JSC::stringConstructorTable))
     , identifierTable(globalDataType == Default ? wtfThreadData().currentIdentifierTable() : createIdentifierTable())
@@ -289 +287 @@
     regExpConstructorTable->deleteTable();
     regExpPrototypeTable->deleteTable();
-    stringTable->deleteTable();
     stringConstructorTable->deleteTable();
 
@@ -308 +305 @@
     fastDelete(const_cast<HashTable*>(regExpConstructorTable));
     fastDelete(const_cast<HashTable*>(regExpPrototypeTable));
-    fastDelete(const_cast<HashTable*>(stringTable));
     fastDelete(const_cast<HashTable*>(stringConstructorTable));
 

trunk/Source/JavaScriptCore/runtime/JSGlobalData.h

@@ -231 +231 @@
         const HashTable* regExpConstructorTable;
         const HashTable* regExpPrototypeTable;
-        const HashTable* stringTable;
         const HashTable* stringConstructorTable;
         

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -2 +2 @@
  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2003, 2004, 2005, 2006, 2008, 2009, 2012 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2004, 2005, 2006, 2008, 2009, 2012, 2013 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Eric Seidel (eric@webkit.org)
  *
@@ -31 +31 @@
 #include "DatePrototype.h"
 #include "ErrorConstructor.h"
+#include "Executable.h"
 #include "GetterSetter.h"
 #include "IndexingHeaderInlines.h"

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -1455 +1455 @@
 // Use this macro from within finishCreation() methods in prototypes. This assumes
 // you've defined variables called exec, globalObject, and globalData, and they
-// have the expected meanings. This also assumes that the function you're defining
-// doesn't have an intrinsic.
+// have the expected meanings.
+#define JSC_NATIVE_INTRINSIC_FUNCTION(jsName, cppName, attributes, length, intrinsic) \
+    putDirectNativeFunction(\
+        exec, globalObject, Identifier(exec, #jsName), (length), cppName, \
+        (intrinsic), (attributes))
+
+// As above, but this assumes that the function you're defining doesn't have an
+// intrinsic.
 #define JSC_NATIVE_FUNCTION(jsName, cppName, attributes, length) \
-    putDirectNativeFunction(exec, globalObject, globalData.propertyNames->jsName, (length), cppName, NoIntrinsic, (attributes))
+    JSC_NATIVE_INTRINSIC_FUNCTION(jsName, cppName, (attributes), (length), NoIntrinsic)
 
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSWrapperObject.h

@@ -33 +33 @@
         typedef JSDestructibleObject Base;
 
+        static size_t allocationSize(size_t inlineCapacity)
+        {
+            ASSERT_UNUSED(inlineCapacity, !inlineCapacity);
+            return sizeof(JSWrapperObject);
+        }
+
         JSValue internalValue() const;
         void setInternalValue(JSGlobalData&, JSValue);
@@ -39 +45 @@
         { 
             return Structure::create(globalData, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), &s_info);
+        }
+        
+        static ptrdiff_t internalValueOffset() { return OBJECT_OFFSETOF(JSWrapperObject, m_internalValue); }
+        static ptrdiff_t internalValueCellOffset()
+        {
+#if USE(JSVALUE64)
+            return internalValueOffset();
+#else
+            return internalValueOffset() + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload);
+#endif
         }
 

trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
- *  Copyright (C) 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2004, 2005, 2006, 2007, 2008, 2013 Apple Inc. All rights reserved.
  *  Copyright (C) 2009 Torch Mobile, Inc.
  *
@@ -83 +83 @@
 static EncodedJSValue JSC_HOST_CALL stringProtoFuncTrimRight(ExecState*);
 
-}
-
-#include "StringPrototype.lut.h"
-
-namespace JSC {
-
-const ClassInfo StringPrototype::s_info = { "String", &StringObject::s_info, 0, ExecState::stringTable, CREATE_METHOD_TABLE(StringPrototype) };
-
-/* Source for StringPrototype.lut.h
-@begin stringTable 26
-    toString              stringProtoFuncToString          DontEnum|Function       0
-    valueOf               stringProtoFuncToString          DontEnum|Function       0
-    charAt                stringProtoFuncCharAt            DontEnum|Function       1
-    charCodeAt            stringProtoFuncCharCodeAt        DontEnum|Function       1
-    concat                stringProtoFuncConcat            DontEnum|Function       1
-    indexOf               stringProtoFuncIndexOf           DontEnum|Function       1
-    lastIndexOf           stringProtoFuncLastIndexOf       DontEnum|Function       1
-    match                 stringProtoFuncMatch             DontEnum|Function       1
-    replace               stringProtoFuncReplace           DontEnum|Function       2
-    search                stringProtoFuncSearch            DontEnum|Function       1
-    slice                 stringProtoFuncSlice             DontEnum|Function       2
-    split                 stringProtoFuncSplit             DontEnum|Function       2
-    substr                stringProtoFuncSubstr            DontEnum|Function       2
-    substring             stringProtoFuncSubstring         DontEnum|Function       2
-    toLowerCase           stringProtoFuncToLowerCase       DontEnum|Function       0
-    toUpperCase           stringProtoFuncToUpperCase       DontEnum|Function       0
-    localeCompare         stringProtoFuncLocaleCompare     DontEnum|Function       1
-
-    # toLocaleLowerCase and toLocaleUpperCase are currently identical to toLowerCase and toUpperCase
-    toLocaleLowerCase     stringProtoFuncToLowerCase       DontEnum|Function       0
-    toLocaleUpperCase     stringProtoFuncToUpperCase       DontEnum|Function       0
-
-    big                   stringProtoFuncBig               DontEnum|Function       0
-    small                 stringProtoFuncSmall             DontEnum|Function       0
-    blink                 stringProtoFuncBlink             DontEnum|Function       0
-    bold                  stringProtoFuncBold              DontEnum|Function       0
-    fixed                 stringProtoFuncFixed             DontEnum|Function       0
-    italics               stringProtoFuncItalics           DontEnum|Function       0
-    strike                stringProtoFuncStrike            DontEnum|Function       0
-    sub                   stringProtoFuncSub               DontEnum|Function       0
-    sup                   stringProtoFuncSup               DontEnum|Function       0
-    fontcolor             stringProtoFuncFontcolor         DontEnum|Function       1
-    fontsize              stringProtoFuncFontsize          DontEnum|Function       1
-    anchor                stringProtoFuncAnchor            DontEnum|Function       1
-    link                  stringProtoFuncLink              DontEnum|Function       1
-    trim                  stringProtoFuncTrim              DontEnum|Function       0
-    trimLeft              stringProtoFuncTrimLeft          DontEnum|Function       0
-    trimRight             stringProtoFuncTrimRight         DontEnum|Function       0
-@end
-*/
+const ClassInfo StringPrototype::s_info = { "String", &StringObject::s_info, 0, 0, CREATE_METHOD_TABLE(StringPrototype) };
 
 // ECMA 15.5.4
@@ -140 +91 @@
 }
 
-void StringPrototype::finishCreation(ExecState* exec, JSGlobalObject*, JSString* nameAndMessage)
-{
-    Base::finishCreation(exec->globalData(), nameAndMessage);
+void StringPrototype::finishCreation(ExecState* exec, JSGlobalObject* globalObject, JSString* nameAndMessage)
+{
+    JSGlobalData& globalData = exec->globalData();
+    
+    Base::finishCreation(globalData, nameAndMessage);
     ASSERT(inherits(&s_info));
+
+    JSC_NATIVE_INTRINSIC_FUNCTION(toString, stringProtoFuncToString, DontEnum, 0, StringPrototypeValueOfIntrinsic);
+    JSC_NATIVE_INTRINSIC_FUNCTION(valueOf, stringProtoFuncToString, DontEnum, 0, StringPrototypeValueOfIntrinsic);
+    JSC_NATIVE_INTRINSIC_FUNCTION(charAt, stringProtoFuncCharAt, DontEnum, 1, CharAtIntrinsic);
+    JSC_NATIVE_INTRINSIC_FUNCTION(charCodeAt, stringProtoFuncCharCodeAt, DontEnum, 1, CharCodeAtIntrinsic);
+    JSC_NATIVE_FUNCTION(concat, stringProtoFuncConcat, DontEnum, 1);
+    JSC_NATIVE_FUNCTION(indexOf, stringProtoFuncIndexOf, DontEnum, 1);
+    JSC_NATIVE_FUNCTION(lastIndexOf, stringProtoFuncLastIndexOf, DontEnum, 1);
+    JSC_NATIVE_FUNCTION(match, stringProtoFuncMatch, DontEnum, 1);
+    JSC_NATIVE_FUNCTION(replace, stringProtoFuncReplace, DontEnum, 2);
+    JSC_NATIVE_FUNCTION(search, stringProtoFuncSearch, DontEnum, 1);
+    JSC_NATIVE_FUNCTION(slice, stringProtoFuncSlice, DontEnum, 2);
+    JSC_NATIVE_FUNCTION(split, stringProtoFuncSplit, DontEnum, 2);
+    JSC_NATIVE_FUNCTION(substr, stringProtoFuncSubstr, DontEnum, 2);
+    JSC_NATIVE_FUNCTION(substring, stringProtoFuncSubstring, DontEnum, 2);
+    JSC_NATIVE_FUNCTION(toLowerCase, stringProtoFuncToLowerCase, DontEnum, 0);
+    JSC_NATIVE_FUNCTION(toUpperCase, stringProtoFuncToUpperCase, DontEnum, 0);
+    JSC_NATIVE_FUNCTION(localeCompare, stringProtoFuncLocaleCompare, DontEnum, 1);
+    JSC_NATIVE_FUNCTION(toLocaleLowerCase, stringProtoFuncToLowerCase, DontEnum, 0);
+    JSC_NATIVE_FUNCTION(toLocaleUpperCase, stringProtoFuncToUpperCase, DontEnum, 0);
+    JSC_NATIVE_FUNCTION(big, stringProtoFuncBig, DontEnum, 0);
+    JSC_NATIVE_FUNCTION(small, stringProtoFuncSmall, DontEnum, 0);
+    JSC_NATIVE_FUNCTION(blink, stringProtoFuncBlink, DontEnum, 0);
+    JSC_NATIVE_FUNCTION(bold, stringProtoFuncBold, DontEnum, 0);
+    JSC_NATIVE_FUNCTION(fixed, stringProtoFuncFixed, DontEnum, 0);
+    JSC_NATIVE_FUNCTION(italics, stringProtoFuncItalics, DontEnum, 0);
+    JSC_NATIVE_FUNCTION(strike, stringProtoFuncStrike, DontEnum, 0);
+    JSC_NATIVE_FUNCTION(sub, stringProtoFuncSub, DontEnum, 0);
+    JSC_NATIVE_FUNCTION(sup, stringProtoFuncSup, DontEnum, 0);
+    JSC_NATIVE_FUNCTION(fontcolor, stringProtoFuncFontcolor, DontEnum, 1);
+    JSC_NATIVE_FUNCTION(fontsize, stringProtoFuncFontsize, DontEnum, 1);
+    JSC_NATIVE_FUNCTION(anchor, stringProtoFuncAnchor, DontEnum, 1);
+    JSC_NATIVE_FUNCTION(link, stringProtoFuncLink, DontEnum, 1);
+    JSC_NATIVE_FUNCTION(trim, stringProtoFuncTrim, DontEnum, 0);
+    JSC_NATIVE_FUNCTION(trimLeft, stringProtoFuncTrimLeft, DontEnum, 0);
+    JSC_NATIVE_FUNCTION(trimRight, stringProtoFuncTrimRight, DontEnum, 0);
 
     // The constructor will be added later, after StringConstructor has been built
@@ -149 +138 @@
 }
 
-bool StringPrototype::getOwnPropertySlot(JSCell* cell, ExecState* exec, PropertyName propertyName, PropertySlot &slot)
-{
-    return getStaticFunctionSlot<StringObject>(exec, ExecState::stringTable(exec), jsCast<StringPrototype*>(cell), propertyName, slot);
-}
-
-bool StringPrototype::getOwnPropertyDescriptor(JSObject* object, ExecState* exec, PropertyName propertyName, PropertyDescriptor& descriptor)
-{
-    return getStaticFunctionDescriptor<StringObject>(exec, ExecState::stringTable(exec), jsCast<StringPrototype*>(object), propertyName, descriptor);
+StringPrototype* StringPrototype::create(ExecState* exec, JSGlobalObject* globalObject, Structure* structure)
+{
+    JSString* empty = jsEmptyString(exec);
+    StringPrototype* prototype = new (NotNull, allocateCell<StringPrototype>(*exec->heap())) StringPrototype(exec, structure);
+    prototype->finishCreation(exec, globalObject, empty);
+    return prototype;
 }
 

trunk/Source/JavaScriptCore/runtime/StringPrototype.h

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2007, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2007, 2008, 2013 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -35 +35 @@
         typedef StringObject Base;
 
-        static StringPrototype* create(ExecState* exec, JSGlobalObject* globalObject, Structure* structure)
-        {
-            JSString* empty = jsEmptyString(exec);
-            StringPrototype* prototype = new (NotNull, allocateCell<StringPrototype>(*exec->heap())) StringPrototype(exec, structure);
-            prototype->finishCreation(exec, globalObject, empty);
-            return prototype;
-        }
-
-        static bool getOwnPropertySlot(JSCell*, ExecState*, PropertyName, PropertySlot&);
-        static bool getOwnPropertyDescriptor(JSObject*, ExecState*, PropertyName, PropertyDescriptor&);
+        static StringPrototype* create(ExecState*, JSGlobalObject*, Structure*);
 
         static Structure* createStructure(JSGlobalData& globalData, JSGlobalObject* globalObject, JSValue prototype)
@@ -55 +46 @@
     protected:
         void finishCreation(ExecState*, JSGlobalObject*, JSString*);
-        static const unsigned StructureFlags = OverridesGetOwnPropertySlot | StringObject::StructureFlags;
+        static const unsigned StructureFlags = StringObject::StructureFlags;
 
     };