Changeset 157209 in webkit

Timestamp:

Oct 9, 2013 9:24:57 PM (11 years ago)

Author:

fpizlo@apple.com

Message:

FTL should be able to do simple OSR exits using llvm.webkit.stackmap
​https://bugs.webkit.org/show_bug.cgi?id=122538

Reviewed by Oliver Hunt.

This gives the FTL the ability to OSR exit using the llvm.webkit.stackmap intrinsic.

• The FTL compiles all OSR exit calls as calls to llvm.webkit.stackmap with a unique ID, passing a requested size that is big enough for own jump replacement.

• After LLVM compilation, we parse the new LLVM stackmap section.

• For all llvm.webkit.stackmaps that we used for OSR exits, we do a jumpReplacement, which targets exit thunks that we generate.

• If an exit thunk fires, it causes JSC to compile an exit off-ramp that uses a combination of the JSC-internal OSR exit accounting (FTL::ExitValue and friends) and LLVM stackmap's accounting of where data actually ended up (register, indirect, constant) to reconstruct bytecode state.

This still has shortcomings; for example it cannot handle XMM or YMM registers. Handling
YMM registers will require adding some basic YMM support to our assemblers - really we
just need the ability to move a YMM's value into a GPR.

This patch preserves all of the old, intrinsic-less, FTL OSR exit support. Hence it
manages to pass all existing FTL tests even despite its incompleteness. I think that's
the right way to go since this is already a big patch, and anyway it would be great to
keep the intrinsic-less FTL OSR exit support so long as the LLVM side of this hasn't
landed.

• JavaScriptCore.xcodeproj/project.pbxproj:
• assembler/AbstractMacroAssembler.h:

(JSC::AbstractMacroAssembler::firstRegister):
(JSC::AbstractMacroAssembler::lastRegister):

• assembler/MacroAssembler.h:

(JSC::MacroAssembler::isStackRelated):
(JSC::MacroAssembler::firstRealRegister):
(JSC::MacroAssembler::nextRegister):
(JSC::MacroAssembler::secondRealRegister):

• assembler/MacroAssemblerX86Common.h:
• assembler/X86Assembler.h:

(JSC::X86Assembler::firstRegister):
(JSC::X86Assembler::lastRegister):

• dfg/DFGPlan.cpp:

(JSC::DFG::Plan::compileInThreadImpl):

• ftl/FTLCArgumentGetter.cpp:

(JSC::FTL::CArgumentGetter::loadNextAndBox):

• ftl/FTLCArgumentGetter.h:

(JSC::FTL::CArgumentGetter::loadNextDoubleIntoGPR):

• ftl/FTLCompile.cpp:

(JSC::FTL::mmAllocateCodeSection):
(JSC::FTL::mmAllocateDataSection):
(JSC::FTL::dumpDataSection):
(JSC::FTL::fixFunctionBasedOnStackMaps):
(JSC::FTL::compile):

• ftl/FTLExitThunkGenerator.cpp:

(JSC::FTL::ExitThunkGenerator::emitThunk):
(JSC::FTL::ExitThunkGenerator::emitThunks):

• ftl/FTLExitThunkGenerator.h:
• ftl/FTLExitValue.h:

(JSC::FTL::ExitValue::isInJSStackSomehow):
(JSC::FTL::ExitValue::valueFormat):

• ftl/FTLFail.cpp:

(JSC::FTL::fail):

• ftl/FTLIntrinsicRepository.h:
• ftl/FTLJITCode.h:
• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::generateExitThunks):
(JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
(JSC::FTL::LowerDFGToLLVM::appendOSRExit):
(JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
(JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):

• ftl/FTLOSRExit.h:
• ftl/FTLOSRExitCompilationInfo.h:

(JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):

• ftl/FTLOSRExitCompiler.cpp:

(JSC::FTL::compileStubWithOSRExitStackmap):
(JSC::FTL::compileStubWithoutOSRExitStackmap):
(JSC::FTL::compileFTLOSRExit):

• ftl/FTLSaveRestore.cpp: Added.

(JSC::FTL::bytesForGPRs):
(JSC::FTL::requiredScratchMemorySizeInBytes):
(JSC::FTL::offsetOfGPR):
(JSC::FTL::saveAllRegisters):
(JSC::FTL::restoreAllRegisters):

• ftl/FTLSaveRestore.h: Added.
• ftl/FTLStackMaps.cpp: Added.

(JSC::FTL::readObject):
(JSC::FTL::StackMaps::Constant::parse):
(JSC::FTL::StackMaps::Constant::dump):
(JSC::FTL::StackMaps::Location::parse):
(JSC::FTL::StackMaps::Location::dump):
(JSC::FTL::StackMaps::Location::involvesGPR):
(JSC::FTL::StackMaps::Location::isGPR):
(JSC::FTL::StackMaps::Location::gpr):
(JSC::FTL::StackMaps::Location::restoreInto):
(JSC::FTL::StackMaps::Record::parse):
(JSC::FTL::StackMaps::Record::dump):
(JSC::FTL::StackMaps::parse):
(JSC::FTL::StackMaps::dump):
(JSC::FTL::StackMaps::dumpMultiline):
(JSC::FTL::StackMaps::getRecordMap):
(WTF::printInternal):

• ftl/FTLStackMaps.h: Added.
• ftl/FTLState.h:
• ftl/FTLThunks.cpp:

(JSC::FTL::osrExitGenerationThunkGenerator):

• ftl/FTLValueFormat.cpp:

(JSC::FTL::reboxAccordingToFormat):

• ftl/FTLValueFormat.h:
• runtime/DataView.cpp:

(JSC::DataView::create):

• runtime/DataView.h:

(JSC::DataView::read):

• runtime/Options.h:

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (9 diffs)
• assembler/AbstractMacroAssembler.h (modified) (1 diff)
• assembler/MacroAssembler.h (modified) (1 diff)
• assembler/MacroAssemblerX86Common.h (modified) (1 diff)
• assembler/X86Assembler.h (modified) (1 diff)
• dfg/DFGPlan.cpp (modified) (2 diffs)
• ftl/FTLCArgumentGetter.cpp (modified) (2 diffs)
• ftl/FTLCArgumentGetter.h (modified) (1 diff)
• ftl/FTLCompile.cpp (modified) (9 diffs)
• ftl/FTLExitThunkGenerator.cpp (modified) (1 diff)
• ftl/FTLExitThunkGenerator.h (modified) (1 diff)
• ftl/FTLExitValue.h (modified) (2 diffs)
• ftl/FTLFail.cpp (modified) (1 diff)
• ftl/FTLIntrinsicRepository.h (modified) (1 diff)
• ftl/FTLJITCode.h (modified) (2 diffs)
• ftl/FTLLowerDFGToLLVM.cpp (modified) (8 diffs)
• ftl/FTLOSRExit.h (modified) (1 diff)
• ftl/FTLOSRExitCompilationInfo.h (modified) (2 diffs)
• ftl/FTLOSRExitCompiler.cpp (modified) (3 diffs)
• ftl/FTLSaveRestore.cpp (added)
• ftl/FTLSaveRestore.h (added)
• ftl/FTLStackMaps.cpp (added)
• ftl/FTLStackMaps.h (added)
• ftl/FTLState.h (modified) (2 diffs)
• ftl/FTLThunks.cpp (modified) (3 diffs)
• ftl/FTLValueFormat.cpp (modified) (1 diff)
• ftl/FTLValueFormat.h (modified) (2 diffs)
• runtime/DataView.cpp (modified) (1 diff)
• runtime/DataView.h (modified) (2 diffs)
• runtime/Options.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2013-10-08  Filip Pizlo  <fpizlo@apple.com>
+
+        FTL should be able to do simple OSR exits using llvm.webkit.stackmap
+        https://bugs.webkit.org/show_bug.cgi?id=122538
+
+        Reviewed by Oliver Hunt.
+        
+        This gives the FTL the ability to OSR exit using the llvm.webkit.stackmap intrinsic.
+        
+        - The FTL compiles all OSR exit calls as calls to llvm.webkit.stackmap with a unique
+          ID, passing a requested size that is big enough for own jump replacement.
+        
+        - After LLVM compilation, we parse the new LLVM stackmap section.
+        
+        - For all llvm.webkit.stackmaps that we used for OSR exits, we do a jumpReplacement,
+          which targets exit thunks that we generate.
+        
+        - If an exit thunk fires, it causes JSC to compile an exit off-ramp that uses a
+          combination of the JSC-internal OSR exit accounting (FTL::ExitValue and friends) and
+          LLVM stackmap's accounting of where data actually ended up (register, indirect,
+          constant) to reconstruct bytecode state.
+        
+        This still has shortcomings; for example it cannot handle XMM or YMM registers. Handling
+        YMM registers will require adding some basic YMM support to our assemblers - really we
+        just need the ability to move a YMM's value into a GPR.
+        
+        This patch preserves all of the old, intrinsic-less, FTL OSR exit support. Hence it
+        manages to pass all existing FTL tests even despite its incompleteness. I think that's
+        the right way to go since this is already a big patch, and anyway it would be great to
+        keep the intrinsic-less FTL OSR exit support so long as the LLVM side of this hasn't
+        landed.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * assembler/AbstractMacroAssembler.h:
+        (JSC::AbstractMacroAssembler::firstRegister):
+        (JSC::AbstractMacroAssembler::lastRegister):
+        * assembler/MacroAssembler.h:
+        (JSC::MacroAssembler::isStackRelated):
+        (JSC::MacroAssembler::firstRealRegister):
+        (JSC::MacroAssembler::nextRegister):
+        (JSC::MacroAssembler::secondRealRegister):
+        * assembler/MacroAssemblerX86Common.h:
+        * assembler/X86Assembler.h:
+        (JSC::X86Assembler::firstRegister):
+        (JSC::X86Assembler::lastRegister):
+        * dfg/DFGPlan.cpp:
+        (JSC::DFG::Plan::compileInThreadImpl):
+        * ftl/FTLCArgumentGetter.cpp:
+        (JSC::FTL::CArgumentGetter::loadNextAndBox):
+        * ftl/FTLCArgumentGetter.h:
+        (JSC::FTL::CArgumentGetter::loadNextDoubleIntoGPR):
+        * ftl/FTLCompile.cpp:
+        (JSC::FTL::mmAllocateCodeSection):
+        (JSC::FTL::mmAllocateDataSection):
+        (JSC::FTL::dumpDataSection):
+        (JSC::FTL::fixFunctionBasedOnStackMaps):
+        (JSC::FTL::compile):
+        * ftl/FTLExitThunkGenerator.cpp:
+        (JSC::FTL::ExitThunkGenerator::emitThunk):
+        (JSC::FTL::ExitThunkGenerator::emitThunks):
+        * ftl/FTLExitThunkGenerator.h:
+        * ftl/FTLExitValue.h:
+        (JSC::FTL::ExitValue::isInJSStackSomehow):
+        (JSC::FTL::ExitValue::valueFormat):
+        * ftl/FTLFail.cpp:
+        (JSC::FTL::fail):
+        * ftl/FTLIntrinsicRepository.h:
+        * ftl/FTLJITCode.h:
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::generateExitThunks):
+        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
+        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
+        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
+        (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
+        * ftl/FTLOSRExit.h:
+        * ftl/FTLOSRExitCompilationInfo.h:
+        (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
+        * ftl/FTLOSRExitCompiler.cpp:
+        (JSC::FTL::compileStubWithOSRExitStackmap):
+        (JSC::FTL::compileStubWithoutOSRExitStackmap):
+        (JSC::FTL::compileFTLOSRExit):
+        * ftl/FTLSaveRestore.cpp: Added.
+        (JSC::FTL::bytesForGPRs):
+        (JSC::FTL::requiredScratchMemorySizeInBytes):
+        (JSC::FTL::offsetOfGPR):
+        (JSC::FTL::saveAllRegisters):
+        (JSC::FTL::restoreAllRegisters):
+        * ftl/FTLSaveRestore.h: Added.
+        * ftl/FTLStackMaps.cpp: Added.
+        (JSC::FTL::readObject):
+        (JSC::FTL::StackMaps::Constant::parse):
+        (JSC::FTL::StackMaps::Constant::dump):
+        (JSC::FTL::StackMaps::Location::parse):
+        (JSC::FTL::StackMaps::Location::dump):
+        (JSC::FTL::StackMaps::Location::involvesGPR):
+        (JSC::FTL::StackMaps::Location::isGPR):
+        (JSC::FTL::StackMaps::Location::gpr):
+        (JSC::FTL::StackMaps::Location::restoreInto):
+        (JSC::FTL::StackMaps::Record::parse):
+        (JSC::FTL::StackMaps::Record::dump):
+        (JSC::FTL::StackMaps::parse):
+        (JSC::FTL::StackMaps::dump):
+        (JSC::FTL::StackMaps::dumpMultiline):
+        (JSC::FTL::StackMaps::getRecordMap):
+        (WTF::printInternal):
+        * ftl/FTLStackMaps.h: Added.
+        * ftl/FTLState.h:
+        * ftl/FTLThunks.cpp:
+        (JSC::FTL::osrExitGenerationThunkGenerator):
+        * ftl/FTLValueFormat.cpp:
+        (JSC::FTL::reboxAccordingToFormat):
+        * ftl/FTLValueFormat.h:
+        * runtime/DataView.cpp:
+        (JSC::DataView::create):
+        * runtime/DataView.h:
+        (JSC::DataView::read):
+        * runtime/Options.h:
+
 2013-10-09  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -315 +315 @@
                 0F9D339617FFC4E60073C2BC /* DFGFlushedAt.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F9D339417FFC4E60073C2BC /* DFGFlushedAt.cpp */; };
                 0F9D339717FFC4E60073C2BC /* DFGFlushedAt.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F9D339517FFC4E60073C2BC /* DFGFlushedAt.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F9D339A1803ADB70073C2BC /* FTLStackMaps.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F9D33981803ADB70073C2BC /* FTLStackMaps.cpp */; };
+                0F9D339B1803ADB70073C2BC /* FTLStackMaps.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F9D33991803ADB70073C2BC /* FTLStackMaps.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0F9FB4F417FCB91700CB67F8 /* DFGStackLayoutPhase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F9FB4F217FCB91700CB67F8 /* DFGStackLayoutPhase.cpp */; };
                 0F9FB4F517FCB91700CB67F8 /* DFGStackLayoutPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F9FB4F317FCB91700CB67F8 /* DFGStackLayoutPhase.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -373 +375 @@
                 0FC81516140511B500CFA603 /* VTableSpectrum.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FC815121405118600CFA603 /* VTableSpectrum.cpp */; };
                 0FCCAE4516D0CF7400D0C65B /* ParserError.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FCCAE4316D0CF6E00D0C65B /* ParserError.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0FCEFAAB1804C13E00472CE4 /* FTLSaveRestore.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FCEFAA91804C13E00472CE4 /* FTLSaveRestore.cpp */; };
+                0FCEFAAC1804C13E00472CE4 /* FTLSaveRestore.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FCEFAAA1804C13E00472CE4 /* FTLSaveRestore.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0FD2C92416D01EE900C7803F /* StructureInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FD2C92316D01EE900C7803F /* StructureInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0FD3C82614115D4000FD81CB /* DFGDriver.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FD3C82014115CF800FD81CB /* DFGDriver.cpp */; };
@@ -1529 +1533 @@
                 0F9D339417FFC4E60073C2BC /* DFGFlushedAt.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGFlushedAt.cpp; path = dfg/DFGFlushedAt.cpp; sourceTree = "<group>"; };
                 0F9D339517FFC4E60073C2BC /* DFGFlushedAt.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGFlushedAt.h; path = dfg/DFGFlushedAt.h; sourceTree = "<group>"; };
+                0F9D33981803ADB70073C2BC /* FTLStackMaps.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = FTLStackMaps.cpp; path = ftl/FTLStackMaps.cpp; sourceTree = "<group>"; };
+                0F9D33991803ADB70073C2BC /* FTLStackMaps.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = FTLStackMaps.h; path = ftl/FTLStackMaps.h; sourceTree = "<group>"; };
                 0F9FB4F217FCB91700CB67F8 /* DFGStackLayoutPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGStackLayoutPhase.cpp; path = dfg/DFGStackLayoutPhase.cpp; sourceTree = "<group>"; };
                 0F9FB4F317FCB91700CB67F8 /* DFGStackLayoutPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGStackLayoutPhase.h; path = dfg/DFGStackLayoutPhase.h; sourceTree = "<group>"; };
@@ -1599 +1605 @@
                 0FCB408515C0A3C30048932B /* SlotVisitorInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SlotVisitorInlines.h; sourceTree = "<group>"; };
                 0FCCAE4316D0CF6E00D0C65B /* ParserError.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ParserError.h; sourceTree = "<group>"; };
+                0FCEFAA91804C13E00472CE4 /* FTLSaveRestore.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = FTLSaveRestore.cpp; path = ftl/FTLSaveRestore.cpp; sourceTree = "<group>"; };
+                0FCEFAAA1804C13E00472CE4 /* FTLSaveRestore.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = FTLSaveRestore.h; path = ftl/FTLSaveRestore.h; sourceTree = "<group>"; };
                 0FD2C92316D01EE900C7803F /* StructureInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = StructureInlines.h; sourceTree = "<group>"; };
                 0FD3C82014115CF800FD81CB /* DFGDriver.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGDriver.cpp; path = dfg/DFGDriver.cpp; sourceTree = "<group>"; };
@@ -2641 +2649 @@
                                 0FEA0A291709629600BB722C /* FTLOutput.cpp */,
                                 0FEA0A06170513DB00BB722C /* FTLOutput.h */,
+                                0FCEFAA91804C13E00472CE4 /* FTLSaveRestore.cpp */,
+                                0FCEFAAA1804C13E00472CE4 /* FTLSaveRestore.h */,
+                                0F9D33981803ADB70073C2BC /* FTLStackMaps.cpp */,
+                                0F9D33991803ADB70073C2BC /* FTLStackMaps.h */,
                                 0FEA0A151706BB9000BB722C /* FTLState.cpp */,
                                 0FEA0A07170513DB00BB722C /* FTLState.h */,
@@ -4305 +4317 @@
                                 0F2B66FB17B6B5AB00A7AE3F /* JSTypedArrayConstructors.h in Headers */,
                                 0F2B66FD17B6B5AB00A7AE3F /* JSTypedArrayPrototypes.h in Headers */,
+                                0FCEFAAC1804C13E00472CE4 /* FTLSaveRestore.h in Headers */,
                                 0F2B66FF17B6B5AB00A7AE3F /* JSTypedArrays.h in Headers */,
                                 6507D29E0E871E5E00D7D896 /* JSTypeInfo.h in Headers */,
@@ -4500 +4513 @@
                                 C2DF44301707AC0100A5CA96 /* SuperRegion.h in Headers */,
                                 BC18C46B0E16F5CD00B34460 /* SymbolTable.h in Headers */,
+                                0F9D339B1803ADB70073C2BC /* FTLStackMaps.h in Headers */,
                                 A784A26411D16622005776AC /* SyntaxChecker.h in Headers */,
                                 0F572D4F16879FDD00E57FBD /* ThunkGenerator.h in Headers */,
@@ -5250 +5264 @@
                                 14280850107EC0D70013E7B2 /* Operations.cpp in Sources */,
                                 A7BDAEC817F4EA1400F6140C /* ArrayIteratorPrototype.cpp in Sources */,
+                                0FCEFAAB1804C13E00472CE4 /* FTLSaveRestore.cpp in Sources */,
                                 0FE228EE1436AB2C00196C48 /* Options.cpp in Sources */,
                                 148F21BC107EC54D0042EC2C /* Parser.cpp in Sources */,
@@ -5347 +5362 @@
                                 86704B8612DBA33700A9FE7B /* YarrJIT.cpp in Sources */,
                                 86704B8912DBA33700A9FE7B /* YarrPattern.cpp in Sources */,
+                                0F9D339A1803ADB70073C2BC /* FTLStackMaps.cpp in Sources */,
                                 86704B4212DB8A8100A9FE7B /* YarrSyntaxChecker.cpp in Sources */,
                         );

trunk/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h

@@ -75 +75 @@
 
     typedef typename AssemblerType::RegisterID RegisterID;
+    
+    static RegisterID firstRegister() { return AssemblerType::firstRegister(); }
+    static RegisterID lastRegister() { return AssemblerType::lastRegister(); }
 
     // Section 1: MacroAssembler operand types

trunk/Source/JavaScriptCore/assembler/MacroAssembler.h

@@ -67 +67 @@
 class MacroAssembler : public MacroAssemblerBase {
 public:
+
+    static bool isStackRelated(RegisterID reg)
+    {
+        return reg == stackPointerRegister || reg == framePointerRegister;
+    }
+    
+    static RegisterID firstRealRegister()
+    {
+        RegisterID firstRegister = MacroAssembler::firstRegister();
+        while (MacroAssembler::isStackRelated(firstRegister))
+            firstRegister = static_cast<RegisterID>(firstRegister + 1);
+        return firstRegister;
+    }
+    
+    static RegisterID nextRegister(RegisterID reg)
+    {
+        RegisterID result = static_cast<RegisterID>(reg + 1);
+        while (MacroAssembler::isStackRelated(result))
+            result = static_cast<RegisterID>(result + 1);
+        return result;
+    }
+    
+    static RegisterID secondRealRegister()
+    {
+        return nextRegister(firstRealRegister());
+    }
 
     using MacroAssemblerBase::pop;

trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h

@@ -98 +98 @@
     static const RegisterID stackPointerRegister = X86Registers::esp;
     static const RegisterID framePointerRegister = X86Registers::ebp;
-
+    
     static bool shouldBlindForSpecificArch(uint32_t value) { return value >= 0x00ffffff; }
 #if CPU(X86_64)

trunk/Source/JavaScriptCore/assembler/X86Assembler.h

@@ -127 +127 @@
 public:
     typedef X86Registers::RegisterID RegisterID;
+    static RegisterID firstRegister() { return X86Registers::eax; }
+    static RegisterID lastRegister()
+    {
+#if CPU(X86_64)
+        return X86Registers::r15;
+#else
+        return X86Registers::edi;
+#endif
+    }
+    
     typedef X86Registers::XMMRegisterID XMMRegisterID;
     typedef XMMRegisterID FPRegisterID;

trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp

@@ -265 +265 @@
             beforeFTL = currentTimeMS();
         
-        if (Options::llvmAlwaysFails()) {
+        if (Options::llvmAlwaysFailsBeforeCompile()) {
             FTL::fail(state);
             return FTLPath;
@@ -271 +271 @@
         
         FTL::compile(state);
+
+        if (Options::llvmAlwaysFailsBeforeLink()) {
+            FTL::fail(state);
+            return FTLPath;
+        }
+        
         FTL::link(state);
         return FTLPath;

trunk/Source/JavaScriptCore/ftl/FTLCArgumentGetter.cpp

@@ -53 +53 @@
     
     switch (format) {
-    case ValueFormatInt32: {
+    case ValueFormatInt32:
+    case ValueFormatUInt32:
         loadNext32(destination);
-        m_jit.or64(GPRInfo::tagTypeNumberRegister, destination);
         break;
-    }
-            
-    case ValueFormatUInt32: {
-        loadNext32(destination);
-        m_jit.moveDoubleTo64(FPRInfo::fpRegT0, scratch2);
-        m_jit.boxInt52(destination, destination, scratch1, FPRInfo::fpRegT0);
-        m_jit.move64ToDouble(scratch2, FPRInfo::fpRegT0);
-        break;
-    }
         
-    case ValueFormatInt52: {
-        loadNext64(destination);
-        m_jit.rshift64(AssemblyHelpers::TrustedImm32(JSValue::int52ShiftAmount), destination);
-        m_jit.moveDoubleTo64(FPRInfo::fpRegT0, scratch2);
-        m_jit.boxInt52(destination, destination, scratch1, FPRInfo::fpRegT0);
-        m_jit.move64ToDouble(scratch2, FPRInfo::fpRegT0);
-        break;
-    }
-            
-    case ValueFormatStrictInt52: {
-        loadNext64(destination);
-        m_jit.moveDoubleTo64(FPRInfo::fpRegT0, scratch2);
-        m_jit.boxInt52(destination, destination, scratch1, FPRInfo::fpRegT0);
-        m_jit.move64ToDouble(scratch2, FPRInfo::fpRegT0);
-        break;
-    }
-            
-    case ValueFormatBoolean: {
-        loadNext8(destination);
-        m_jit.or32(MacroAssembler::TrustedImm32(ValueFalse), destination);
-        break;
-    }
-            
-    case ValueFormatJSValue: {
+    case ValueFormatInt52:
+    case ValueFormatStrictInt52:
+    case ValueFormatJSValue:
         loadNext64(destination);
         break;
-    }
             
-    case ValueFormatDouble: {
-        m_jit.moveDoubleTo64(FPRInfo::fpRegT0, scratch1);
-        loadNextDouble(FPRInfo::fpRegT0);
-        m_jit.boxDouble(FPRInfo::fpRegT0, destination);
-        m_jit.move64ToDouble(scratch1, FPRInfo::fpRegT0);
+    case ValueFormatBoolean:
+        loadNext8(destination);
         break;
-    }
+            
+    case ValueFormatDouble:
+        loadNextDoubleIntoGPR(destination);
+        break;
             
     default:
@@ -107 +76 @@
         break;
     }
+    
+    reboxAccordingToFormat(format, m_jit, destination, scratch1, scratch2);
 }
 

trunk/Source/JavaScriptCore/ftl/FTLCArgumentGetter.h

@@ -101 +101 @@
     }
     
+    void loadNextDoubleIntoGPR(GPRReg destination)
+    {
+        if (m_fprArgumentIndex < FPRInfo::numberOfArgumentRegisters) {
+            m_jit.moveDoubleTo64(FPRInfo::toArgumentRegister(m_fprArgumentIndex++), destination);
+            return;
+        }
+        
+        m_jit.load64(nextAddress(), destination);
+    }
+    
     void loadNextDouble(FPRReg destination)
     {

trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp

@@ -32 +32 @@
 #include "CCallHelpers.h"
 #include "DFGCommon.h"
+#include "DataView.h"
 #include "Disassembler.h"
+#include "FTLExitThunkGenerator.h"
 #include "FTLJITCode.h"
+#include "FTLThunks.h"
 #include "JITStubs.h"
 #include "LinkBuffer.h"
+#include "RepatchBuffer.h"
 #include <wtf/LLVMHeaders.h>
 
@@ -43 +47 @@
 
 static uint8_t* mmAllocateCodeSection(
-    void* opaqueState, uintptr_t size, unsigned alignment, unsigned sectionID,
-    const char* sectionName)
-{
-    UNUSED_PARAM(sectionID);
-    UNUSED_PARAM(sectionName);
+    void* opaqueState, uintptr_t size, unsigned alignment, unsigned, const char* sectionName)
+{
     
     State& state = *static_cast<State*>(opaqueState);
@@ -58 +59 @@
     
     state.jitCode->addHandle(result);
+    state.codeSectionNames.append(sectionName);
     
     return static_cast<uint8_t*>(result->start());
@@ -67 +69 @@
 {
     UNUSED_PARAM(sectionID);
-    UNUSED_PARAM(sectionName);
     UNUSED_PARAM(isReadOnly);
 
@@ -77 +78 @@
         (size + sizeof(LSectionWord) - 1) / sizeof(LSectionWord));
     
-    state.jitCode->addDataSection(section);
+    if (!strcmp(sectionName, "__js_stackmaps"))
+        state.stackmapsSection = section;
+    else {
+        state.jitCode->addDataSection(section);
+        state.dataSectionNames.append(sectionName);
+    }
     
     return bitwise_cast<uint8_t*>(section.data());
@@ -89 +95 @@
 static void mmDestroy(void*)
 {
+}
+
+static void dumpDataSection(RefCountedArray<LSectionWord> section, const char* prefix)
+{
+    for (unsigned j = 0; j < section.size(); ++j) {
+        char buf[32];
+        snprintf(buf, sizeof(buf), "0x%lx", static_cast<unsigned long>(bitwise_cast<uintptr_t>(section.data() + j)));
+        dataLogF("%s%16s: 0x%016llx\n", prefix, buf, static_cast<long long>(section[j]));
+    }
+}
+
+static void fixFunctionBasedOnStackMaps(
+    State& state, CodeBlock* codeBlock, JITCode* jitCode, GeneratedFunction generatedFunction,
+    StackMaps::RecordMap& recordMap)
+{
+    VM& vm = state.graph.m_vm;
+    MacroAssemblerCodeRef osrExitThunk =
+        vm.getCTIStub(osrExitGenerationThunkGenerator);
+    CodeLocationLabel target = CodeLocationLabel(osrExitThunk.code());
+
+    ExitThunkGenerator exitThunkGenerator(state);
+    exitThunkGenerator.emitThunks();
+    if (exitThunkGenerator.didThings()) {
+        OwnPtr<LinkBuffer> linkBuffer = adoptPtr(new LinkBuffer(
+            vm, &exitThunkGenerator, codeBlock, JITCompilationMustSucceed));
+        
+        ASSERT(state.osrExit.size() == state.jitCode->osrExit.size());
+        
+        for (unsigned i = 0; i < state.osrExit.size(); ++i) {
+            OSRExitCompilationInfo& info = state.osrExit[i];
+            OSRExit& exit = jitCode->osrExit[i];
+            
+            linkBuffer->link(info.m_thunkJump, target);
+            
+            info.m_thunkAddress = linkBuffer->locationOf(info.m_thunkLabel);
+            
+            exit.m_patchableCodeOffset = linkBuffer->offsetOf(info.m_thunkJump);
+        }
+        
+        state.finalizer->initializeExitThunksLinkBuffer(linkBuffer.release());
+    }
+
+    RepatchBuffer repatchBuffer(codeBlock);
+    
+    for (unsigned exitIndex = jitCode->osrExit.size(); exitIndex--;) {
+        OSRExitCompilationInfo& info = state.osrExit[exitIndex];
+        OSRExit& exit = jitCode->osrExit[exitIndex];
+        StackMaps::Record& record = recordMap.find(exit.m_stackmapID)->value;
+        
+        repatchBuffer.replaceWithJump(
+            CodeLocationLabel(
+                bitwise_cast<char*>(generatedFunction) + record.instructionOffset),
+            info.m_thunkAddress);
+    }
 }
 
@@ -144 +204 @@
 
     if (shouldShowDisassembly()) {
-        // FIXME: fourthTier: FTL memory allocator should be able to tell us which of
-        // these things is actually code or data.
-        // https://bugs.webkit.org/show_bug.cgi?id=116189
         for (unsigned i = 0; i < state.jitCode->handles().size(); ++i) {
             ExecutableMemoryHandle* handle = state.jitCode->handles()[i].get();
@@ -152 +209 @@
                 "Generated LLVM code for ",
                 CodeBlockWithJITType(state.graph.m_codeBlock, JITCode::DFGJIT),
-                " #", i, ":\n");
+                " #", i, ", ", state.codeSectionNames[i], ":\n");
             disassemble(
                 MacroAssemblerCodePtr(handle->start()), handle->sizeInBytes(),
@@ -163 +220 @@
                 "Generated LLVM data section for ",
                 CodeBlockWithJITType(state.graph.m_codeBlock, JITCode::DFGJIT),
-                " #", i, ":\n");
-            for (unsigned j = 0; j < section.size(); ++j) {
-                char buf[32];
-                snprintf(buf, sizeof(buf), "0x%lx", static_cast<unsigned long>(bitwise_cast<uintptr_t>(section.data() + j)));
-                dataLogF("    %16s: 0x%016llx\n", buf, static_cast<long long>(section[j]));
+                " #", i, ", ", state.dataSectionNames[i], ":\n");
+            dumpDataSection(section, "    ");
+        }
+    }
+    
+    if (state.stackmapsSection.size()) {
+        if (shouldShowDisassembly()) {
+            dataLog(
+                "Generated LLVM stackmaps section for ",
+                CodeBlockWithJITType(state.graph.m_codeBlock, JITCode::DFGJIT), ":\n");
+            dataLog("    Raw data:\n");
+            dumpDataSection(state.stackmapsSection, "    ");
+        }
+        
+        RefPtr<DataView> stackmapsData = DataView::create(
+            ArrayBuffer::create(state.stackmapsSection.data(), state.stackmapsSection.byteSize()));
+        state.jitCode->stackmaps.parse(stackmapsData.get());
+    
+        if (shouldShowDisassembly()) {
+            dataLog("    Structured data:\n");
+            state.jitCode->stackmaps.dumpMultiline(WTF::dataFile(), "        ");
+        }
+        
+        StackMaps::RecordMap recordMap = state.jitCode->stackmaps.getRecordMap();
+        fixFunctionBasedOnStackMaps(
+            state, state.graph.m_codeBlock, state.jitCode.get(), state.generatedFunction,
+            recordMap);
+        
+        if (shouldShowDisassembly()) {
+            for (unsigned i = 0; i < state.jitCode->handles().size(); ++i) {
+                if (state.codeSectionNames[i] != "__text")
+                    continue;
+                
+                ExecutableMemoryHandle* handle = state.jitCode->handles()[i].get();
+                dataLog(
+                    "Generated LLVM code after stackmap-based fix-up for ",
+                    CodeBlockWithJITType(state.graph.m_codeBlock, JITCode::DFGJIT),
+                    " #", i, ", ", state.codeSectionNames[i], ":\n");
+                disassemble(
+                    MacroAssemblerCodePtr(handle->start()), handle->sizeInBytes(),
+                    "    ", WTF::dataFile(), LLVMSubset);
             }
         }
     }
+    
+    state.module = 0; // We no longer own the module.
 }
 

trunk/Source/JavaScriptCore/ftl/FTLExitThunkGenerator.cpp

@@ -52 +52 @@
     
     info.m_thunkLabel = label();
-    move(TrustedImm32(index), GPRInfo::nonArgGPR0);
+    if (Options::ftlOSRExitUsesStackmap())
+        push(TrustedImm32(index));
+    else
+        move(TrustedImm32(index), GPRInfo::nonArgGPR0);
     info.m_thunkJump = patchableJump();
     
     m_didThings = true;
+}
+
+void ExitThunkGenerator::emitThunks()
+{
+    for (unsigned i = 0; i < m_state.osrExit.size(); ++i)
+        emitThunk(i);
 }
 

trunk/Source/JavaScriptCore/ftl/FTLExitThunkGenerator.h

@@ -44 +44 @@
     
     void emitThunk(unsigned index);
+    void emitThunks();
     
     bool didThings() const { return m_didThings; }

trunk/Source/JavaScriptCore/ftl/FTLExitValue.h

@@ -127 +127 @@
         case ExitValueInJSStack:
         case ExitValueInJSStackAsInt32:
+        case ExitValueInJSStackAsInt52:
         case ExitValueInJSStackAsDouble:
             return true;
@@ -153 +154 @@
         return VirtualRegister(u.virtualRegister);
     }
-    
+
+    // If it's in the JSStack somehow, this will tell you what format it's in, in a manner
+    // that is compatible with exitArgument().format(). If it's a constant or it's dead, it
+    // will claim to be a JSValue. If it's an argument then it will tell you the argument's
+    // format.
+    ValueFormat valueFormat() const
+    {
+        switch (kind()) {
+        case InvalidExitValue:
+            RELEASE_ASSERT_NOT_REACHED();
+            return InvalidValueFormat;
+            
+        case ExitValueDead:
+        case ExitValueConstant:
+        case ExitValueInJSStack:
+            return ValueFormatJSValue;
+            
+        case ExitValueArgument:
+            return exitArgument().format();
+            
+        case ExitValueInJSStackAsInt32:
+            return ValueFormatInt32;
+            
+        case ExitValueInJSStackAsInt52:
+            return ValueFormatInt52;
+            
+        case ExitValueInJSStackAsDouble:
+            return ValueFormatDouble;
+        }
+        
+        RELEASE_ASSERT_NOT_REACHED();
+        return InvalidValueFormat;
+    }
+
     void dump(PrintStream&) const;
     void dumpInContext(PrintStream&, DumpContext*) const;

trunk/Source/JavaScriptCore/ftl/FTLFail.cpp

@@ -41 +41 @@
     state.graph.m_plan.finalizer = adoptPtr(new FailedFinalizer(state.graph.m_plan));
     
-    LLVMDisposeModule(state.module);
+    if (state.module)
+        LLVMDisposeModule(state.module);
 }
 

trunk/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h

@@ -45 +45 @@
     macro(subWithOverflow32, "llvm.ssub.with.overflow.i32", functionType(structType(m_context, int32, boolean), int32, int32)) \
     macro(subWithOverflow64, "llvm.ssub.with.overflow.i64", functionType(structType(m_context, int64, boolean), int64, int64)) \
+    macro(webkitStackmap, "llvm.webkit.stackmap", functionType(voidType, int32, int32, Variadic)) \
     macro(trap, "llvm.trap", functionType(voidType)) \
     macro(osrExit, "webkit_osr_exit", functionType(voidType, boolean, int32, Variadic))

trunk/Source/JavaScriptCore/ftl/FTLJITCode.h

@@ -33 +33 @@
 #include "DFGCommonData.h"
 #include "FTLOSRExit.h"
+#include "FTLStackMaps.h"
 #include "JITCode.h"
 #include <wtf/LLVMHeaders.h>
@@ -68 +69 @@
     DFG::CommonData common;
     SegmentedVector<OSRExit, 8> osrExit;
+    StackMaps stackmaps;
     
 private:

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp

@@ -53 +53 @@
 static int compileCounter;
 
+static bool generateExitThunks()
+{
+    return !Options::useLLVMOSRExitIntrinsic() && !Options::ftlOSRExitUsesStackmap();
+}
+
 // Using this instead of typeCheck() helps to reduce the load on LLVM, by creating
 // significantly less dead code.
@@ -76 +81 @@
         , m_state(state.graph)
         , m_interpreter(state.graph, m_state)
+        , m_stackmapIDs(0)
     {
     }
@@ -3257 +3263 @@
             m_out.branch(failCondition, failCase, continuation);
 
-            m_out.appendTo(m_prologue);
-            info.m_thunkAddress = buildAlloca(m_out.m_builder, m_out.intPtr);
+            if (generateExitThunks()) {
+                m_out.appendTo(m_prologue);
+                info.m_thunkAddressValue = buildAlloca(m_out.m_builder, m_out.intPtr);
+            }
         
             lastNext = m_out.appendTo(failCase, continuation);
@@ -3266 +3274 @@
             m_out.call(
                 m_out.intToPtr(
-                    m_out.get(info.m_thunkAddress),
+                    m_out.get(info.m_thunkAddressValue),
                     pointerType(functionType(m_out.voidType))));
         } else
@@ -3276 +3284 @@
             m_out.appendTo(continuation, lastNext);
         
-            m_exitThunkGenerator.emitThunk(index);
+            if (generateExitThunks())
+                m_exitThunkGenerator.emitThunk(index);
         }
     }
@@ -3342 +3351 @@
         }
         
+        if (Options::ftlOSRExitUsesStackmap()) {
+            exit.m_stackmapID = m_stackmapIDs++;
+            arguments.insert(0, m_out.constInt32(MacroAssembler::maxJumpReplacementSize()));
+            arguments.insert(0, m_out.constInt32(exit.m_stackmapID));
+        
+            m_out.call(m_out.webkitStackmapIntrinsic(), arguments);
+            return;
+        }
+        
         m_out.call(
             m_out.intToPtr(
-                m_out.get(info.m_thunkAddress),
+                m_out.get(info.m_thunkAddressValue),
                 pointerType(functionType(m_out.voidType, argumentTypes))),
             arguments);
@@ -3500 +3518 @@
                     m_out.constIntPtr(
                         linkBuffer->locationOf(info.m_thunkLabel).executableAddress()),
-                    info.m_thunkAddress);
+                    info.m_thunkAddressValue);
             
                 exit.m_patchableCodeOffset = linkBuffer->offsetOf(info.m_thunkJump);
@@ -3697 +3715 @@
     Node* m_node;
     SpeculationDirection m_direction;
+    
+    uint32_t m_stackmapIDs;
 };
 

trunk/Source/JavaScriptCore/ftl/FTLOSRExit.h

@@ -166 +166 @@
     Operands<ExitValue> m_values;
     
+    uint32_t m_stackmapID;
+    
     CodeLocationJump codeLocationForRepatch(CodeBlock* ftlCodeBlock) const;
     

trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompilationInfo.h

@@ -38 +38 @@
 struct OSRExitCompilationInfo {
     OSRExitCompilationInfo()
-        : m_thunkAddress(0)
+        : m_thunkAddressValue(0)
     {
     }
@@ -44 +44 @@
     MacroAssembler::Label m_thunkLabel;
     MacroAssembler::PatchableJump m_thunkJump;
-    LValue m_thunkAddress;
+    CodeLocationLabel m_thunkAddress;
+    LValue m_thunkAddressValue;
 };
 

trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp

@@ -35 +35 @@
 #include "FTLJITCode.h"
 #include "FTLOSRExit.h"
+#include "FTLSaveRestore.h"
 #include "Operations.h"
 #include "RepatchBuffer.h"
@@ -42 +43 @@
 using namespace DFG;
 
-static void compileStub(
+// This implements two flavors of OSR exit: one that involves having LLVM intrinsics to help
+// OSR exit, and one that doesn't. The one that doesn't will get killed off, so we don't attempt
+// to share code between the two.
+
+static void compileStubWithOSRExitStackmap(
+    unsigned exitID, JITCode* jitCode, OSRExit& exit, VM* vm, CodeBlock* codeBlock)
+{
+    StackMaps::Record* record;
+    
+    for (unsigned i = jitCode->stackmaps.records.size(); i--;) {
+        record = &jitCode->stackmaps.records[i];
+        if (record->patchpointID == exit.m_stackmapID)
+            break;
+    }
+    
+    RELEASE_ASSERT(record->patchpointID == exit.m_stackmapID);
+    
+    CCallHelpers jit(vm, codeBlock);
+    
+    // We need scratch space to save all registers and to build up the JSStack.
+    // Use a scratch buffer to transfer all values.
+    ScratchBuffer* scratchBuffer = vm->scratchBufferForSize(sizeof(EncodedJSValue) * exit.m_values.size() + requiredScratchMemorySizeInBytes());
+    EncodedJSValue* scratch = scratchBuffer ? static_cast<EncodedJSValue*>(scratchBuffer->dataBuffer()) : 0;
+    char* registerScratch = bitwise_cast<char*>(scratch + exit.m_values.size());
+    
+    saveAllRegisters(jit, registerScratch);
+    
+    // Bring the stack back into a sane form.
+    jit.pop(GPRInfo::regT0);
+    
+    // Get the call frame and tag thingies.
+    record->locations[0].restoreInto(jit, jitCode->stackmaps, registerScratch, GPRInfo::callFrameRegister);
+    jit.move(MacroAssembler::TrustedImm64(TagTypeNumber), GPRInfo::tagTypeNumberRegister);
+    jit.move(MacroAssembler::TrustedImm64(TagMask), GPRInfo::tagMaskRegister);
+    
+    // Do some value profiling.
+    if (exit.m_profileValueFormat != InvalidValueFormat) {
+        record->locations[1].restoreInto(jit, jitCode->stackmaps, registerScratch, GPRInfo::regT0);
+        reboxAccordingToFormat(
+            exit.m_profileValueFormat, jit, GPRInfo::regT0, GPRInfo::regT1, GPRInfo::regT2);
+        
+        if (exit.m_kind == BadCache || exit.m_kind == BadIndexingType) {
+            CodeOrigin codeOrigin = exit.m_codeOriginForExitProfile;
+            if (ArrayProfile* arrayProfile = jit.baselineCodeBlockFor(codeOrigin)->getArrayProfile(codeOrigin.bytecodeIndex)) {
+                jit.loadPtr(MacroAssembler::Address(GPRInfo::regT0, JSCell::structureOffset()), GPRInfo::regT1);
+                jit.storePtr(GPRInfo::regT1, arrayProfile->addressOfLastSeenStructure());
+                jit.load8(MacroAssembler::Address(GPRInfo::regT1, Structure::indexingTypeOffset()), GPRInfo::regT1);
+                jit.move(MacroAssembler::TrustedImm32(1), GPRInfo::regT2);
+                jit.lshift32(GPRInfo::regT1, GPRInfo::regT2);
+                jit.or32(GPRInfo::regT2, MacroAssembler::AbsoluteAddress(arrayProfile->addressOfArrayModes()));
+            }
+        }
+        
+        if (!!exit.m_valueProfile)
+            jit.store64(GPRInfo::regT0, exit.m_valueProfile.getSpecFailBucket(0));
+    }
+
+    // Save all state from wherever the exit data tells us it was, into the appropriate place in
+    // the scratch buffer. This doesn't rebox any values yet.
+    
+    for (unsigned index = exit.m_values.size(); index--;) {
+        ExitValue value = exit.m_values[index];
+        
+        switch (value.kind()) {
+        case ExitValueDead:
+            jit.move(MacroAssembler::TrustedImm64(JSValue::encode(jsUndefined())), GPRInfo::regT0);
+            break;
+            
+        case ExitValueConstant:
+            jit.move(MacroAssembler::TrustedImm64(JSValue::encode(value.constant())), GPRInfo::regT0);
+            break;
+            
+        case ExitValueArgument:
+            record->locations[value.exitArgument().argument()].restoreInto(
+                jit, jitCode->stackmaps, registerScratch, GPRInfo::regT0);
+            break;
+            
+        case ExitValueInJSStack:
+        case ExitValueInJSStackAsInt32:
+        case ExitValueInJSStackAsInt52:
+        case ExitValueInJSStackAsDouble:
+            jit.load64(AssemblyHelpers::addressFor(value.virtualRegister()), GPRInfo::regT0);
+            break;
+            
+        default:
+            RELEASE_ASSERT_NOT_REACHED();
+            break;
+        }
+        
+        jit.store64(GPRInfo::regT0, scratch + index);
+    }
+    
+    // Now get state out of the scratch buffer and place it back into the stack. This part does
+    // all reboxing.
+    for (unsigned index = exit.m_values.size(); index--;) {
+        int operand = exit.m_values.operandForIndex(index);
+        ExitValue value = exit.m_values[index];
+        
+        jit.load64(scratch + index, GPRInfo::regT0);
+        reboxAccordingToFormat(
+            value.valueFormat(), jit, GPRInfo::regT0, GPRInfo::regT1, GPRInfo::regT2);
+        jit.store64(GPRInfo::regT0, AssemblyHelpers::addressFor(operand));
+    }
+    
+    handleExitCounts(jit, exit);
+    reifyInlinedCallFrames(jit, exit);
+    
+    jit.move(MacroAssembler::framePointerRegister, MacroAssembler::stackPointerRegister);
+    jit.pop(MacroAssembler::framePointerRegister);
+    jit.pop(GPRInfo::nonArgGPR0); // ignore the result.
+    
+    if (exit.m_lastSetOperand.isValid()) {
+        jit.load64(
+            AssemblyHelpers::addressFor(exit.m_lastSetOperand), GPRInfo::cachedResultRegister);
+    }
+    
+    adjustAndJumpToTarget(jit, exit);
+    
+    LinkBuffer patchBuffer(*vm, &jit, codeBlock);
+    exit.m_code = FINALIZE_CODE_IF(
+        shouldShowDisassembly(),
+        patchBuffer,
+        ("FTL OSR exit #%u (bc#%u, %s) from %s, with operands = %s",
+            exitID, exit.m_codeOrigin.bytecodeIndex,
+            exitKindToString(exit.m_kind), toCString(*codeBlock).data(),
+            toCString(ignoringContext<DumpContext>(exit.m_values)).data()));
+}
+
+static void compileStubWithoutOSRExitStackmap(
     unsigned exitID, OSRExit& exit, VM* vm, CodeBlock* codeBlock)
 {
@@ -220 +349 @@
     DeferGCForAWhile deferGC(vm->heap);
 
-    OSRExit& exit = codeBlock->jitCode()->ftl()->osrExit[exitID];
+    JITCode* jitCode = codeBlock->jitCode()->ftl();
+    OSRExit& exit = jitCode->osrExit[exitID];
     
     prepareCodeOriginForOSRExit(exec, exit.m_codeOrigin);
     
-    compileStub(exitID, exit, vm, codeBlock);
+    if (Options::ftlOSRExitUsesStackmap())
+        compileStubWithOSRExitStackmap(exitID, jitCode, exit, vm, codeBlock);
+    else
+        compileStubWithoutOSRExitStackmap(exitID, exit, vm, codeBlock);
     
     RepatchBuffer repatchBuffer(codeBlock);

trunk/Source/JavaScriptCore/ftl/FTLState.h

@@ -37 +37 @@
 #include "FTLJITFinalizer.h"
 #include "FTLOSRExitCompilationInfo.h"
+#include "FTLStackMaps.h"
 #include <wtf/Noncopyable.h>
 
@@ -58 +59 @@
     GeneratedFunction generatedFunction;
     JITFinalizer* finalizer;
+    Vector<CString> codeSectionNames;
+    Vector<CString> dataSectionNames;
+    RefCountedArray<LSectionWord> stackmapsSection;
     
     void dumpState(const char* when);

trunk/Source/JavaScriptCore/ftl/FTLThunks.cpp

@@ -29 +29 @@
 #if ENABLE(FTL_JIT)
 
+#include "AssemblyHelpers.h"
 #include "FPRInfo.h"
 #include "FTLOSRExitCompiler.h"
+#include "FTLSaveRestore.h"
 #include "GPRInfo.h"
 #include "LinkBuffer.h"
-#include "MacroAssembler.h"
 
 namespace JSC { namespace FTL {
@@ -41 +42 @@
 MacroAssemblerCodeRef osrExitGenerationThunkGenerator(VM* vm)
 {
-    MacroAssembler jit;
+    AssemblyHelpers jit(vm, 0);
+    
+    // Note that in the ftlOSRExitUsesStackmap() case, the "return address" will be the
+    // OSR exit ID.
     
     // Pretend that we're a C call frame.
@@ -49 +53 @@
     jit.push(GPRInfo::regT0);
     
-    size_t scratchSize = sizeof(EncodedJSValue) * (GPRInfo::numberOfArgumentRegisters + FPRInfo::numberOfArgumentRegisters);
-    ScratchBuffer* scratchBuffer = vm->scratchBufferForSize(scratchSize);
-    EncodedJSValue* buffer = static_cast<EncodedJSValue*>(scratchBuffer->dataBuffer());
+    if (!Options::ftlOSRExitUsesStackmap())
+        jit.poke(GPRInfo::nonArgGPR0, 1);
     
-    for (unsigned i = 0; i < GPRInfo::numberOfArgumentRegisters; ++i)
-        jit.store64(GPRInfo::toArgumentRegister(i), buffer + i);
-    for (unsigned i = 0; i < FPRInfo::numberOfArgumentRegisters; ++i) {
-        jit.move(MacroAssembler::TrustedImmPtr(buffer + GPRInfo::numberOfArgumentRegisters + i), GPRInfo::nonArgGPR1);
-        jit.storeDouble(FPRInfo::toArgumentRegister(i), GPRInfo::nonArgGPR1);
-    }
+    ScratchBuffer* scratchBuffer = vm->scratchBufferForSize(requiredScratchMemorySizeInBytes());
+    char* buffer = static_cast<char*>(scratchBuffer->dataBuffer());
+    
+    saveAllRegisters(jit, buffer);
     
     // Tell GC mark phase how much of the scratch buffer is active during call.
     jit.move(MacroAssembler::TrustedImmPtr(scratchBuffer->activeLengthPtr()), GPRInfo::nonArgGPR1);
-    jit.storePtr(MacroAssembler::TrustedImmPtr(scratchSize), GPRInfo::nonArgGPR1);
+    jit.storePtr(MacroAssembler::TrustedImmPtr(requiredScratchMemorySizeInBytes()), GPRInfo::nonArgGPR1);
 
     // argument 0 is already the call frame.
-    jit.move(GPRInfo::nonArgGPR0, GPRInfo::argumentGPR1);
+    if (Options::ftlOSRExitUsesStackmap())
+        jit.peek(GPRInfo::argumentGPR1, 3);
+    else
+        jit.peek(GPRInfo::argumentGPR1, 1);
     MacroAssembler::Call functionCall = jit.call();
     
-    // Make sure that we're not using the return register if it's an argument register.
-    jit.move(GPRInfo::returnValueGPR, GPRInfo::nonArgGPR0);
+    // At this point we want to make a tail call to what was returned to us in the
+    // returnValueGPR. But at the same time as we do this, we must restore all registers.
+    // The way we will accomplish this is by arranging to have the tail call target in the
+    // return address "slot" (be it a register or the stack).
+    
+    jit.move(GPRInfo::returnValueGPR, GPRInfo::regT0);
     
     // Prepare for tail call.
-    jit.pop(GPRInfo::nonArgGPR1);
-    jit.pop(GPRInfo::nonArgGPR1);
+    jit.pop(GPRInfo::regT1);
+    jit.pop(GPRInfo::regT1);
     jit.pop(MacroAssembler::framePointerRegister);
     
-    jit.move(MacroAssembler::TrustedImmPtr(scratchBuffer->activeLengthPtr()), GPRInfo::nonArgGPR1);
-    jit.storePtr(MacroAssembler::TrustedImmPtr(0), GPRInfo::nonArgGPR1);
+    // At this point we're sitting on the return address - so if we did a jump right now, the
+    // tail-callee would be happy. Instead we'll stash the callee in the return address and then
+    // restore all registers.
     
-    for (unsigned i = 0; i < FPRInfo::numberOfArgumentRegisters; ++i) {
-        jit.move(MacroAssembler::TrustedImmPtr(buffer + GPRInfo::numberOfArgumentRegisters + i), GPRInfo::nonArgGPR1);
-        jit.loadDouble(GPRInfo::nonArgGPR1, FPRInfo::toArgumentRegister(i));
-    }
-    for (unsigned i = 0; i < GPRInfo::numberOfArgumentRegisters; ++i)
-        jit.load64(buffer + i, GPRInfo::toArgumentRegister(i));
+    jit.restoreReturnAddressBeforeReturn(GPRInfo::regT0);
     
-    jit.jump(GPRInfo::nonArgGPR0);
+    restoreAllRegisters(jit, buffer);
+
+    jit.ret();
     
     LinkBuffer patchBuffer(*vm, &jit, GLOBAL_THUNK_ID);

trunk/Source/JavaScriptCore/ftl/FTLValueFormat.cpp

@@ -28 +28 @@
 
 #if ENABLE(FTL_JIT)
+
+#include "AssemblyHelpers.h"
+
+namespace JSC { namespace FTL {
+
+void reboxAccordingToFormat(
+    ValueFormat format, AssemblyHelpers& jit, GPRReg value, GPRReg scratch1, GPRReg scratch2)
+{
+    switch (format) {
+    case ValueFormatInt32: {
+        jit.or64(GPRInfo::tagTypeNumberRegister, value);
+        break;
+    }
+    
+    case ValueFormatUInt32: {
+        jit.moveDoubleTo64(FPRInfo::fpRegT0, scratch2);
+        jit.boxInt52(value, value, scratch1, FPRInfo::fpRegT0);
+        jit.move64ToDouble(scratch2, FPRInfo::fpRegT0);
+        break;
+    }
+    
+    case ValueFormatInt52: {
+        jit.rshift64(AssemblyHelpers::TrustedImm32(JSValue::int52ShiftAmount), value);
+        jit.moveDoubleTo64(FPRInfo::fpRegT0, scratch2);
+        jit.boxInt52(value, value, scratch1, FPRInfo::fpRegT0);
+        jit.move64ToDouble(scratch2, FPRInfo::fpRegT0);
+        break;
+    }
+    
+    case ValueFormatStrictInt52: {
+        jit.moveDoubleTo64(FPRInfo::fpRegT0, scratch2);
+        jit.boxInt52(value, value, scratch1, FPRInfo::fpRegT0);
+        jit.move64ToDouble(scratch2, FPRInfo::fpRegT0);
+        break;
+    }
+    
+    case ValueFormatBoolean: {
+        jit.or32(MacroAssembler::TrustedImm32(ValueFalse), value);
+        break;
+    }
+    
+    case ValueFormatJSValue: {
+        // Done already!
+        break;
+    }
+    
+    case ValueFormatDouble: {
+        jit.moveDoubleTo64(FPRInfo::fpRegT0, scratch1);
+        jit.move64ToDouble(value, FPRInfo::fpRegT0);
+        jit.boxDouble(FPRInfo::fpRegT0, value);
+        jit.move64ToDouble(scratch1, FPRInfo::fpRegT0);
+        break;
+    }
+    
+    default:
+        RELEASE_ASSERT_NOT_REACHED();
+        break;
+    }
+}
+
+} } // namespace JSC::FTL
 
 namespace WTF {

trunk/Source/JavaScriptCore/ftl/FTLValueFormat.h

@@ -31 +31 @@
 #if ENABLE(FTL_JIT)
 
+#include "GPRInfo.h"
 #include <wtf/PrintStream.h>
 
-namespace JSC { namespace FTL {
+namespace JSC {
+
+class AssemblyHelpers;
+
+namespace FTL {
 
 // Note that this is awkwardly similar to DataFormat in other parts of JSC, except that
@@ -49 +54 @@
 };
 
+void reboxAccordingToFormat(
+    ValueFormat, AssemblyHelpers&, GPRReg value, GPRReg scratch1, GPRReg scratch2);
+
 } } // namespace JSC::FTL
 

trunk/Source/JavaScriptCore/runtime/DataView.cpp

@@ -44 +44 @@
 }
 
+PassRefPtr<DataView> DataView::create(PassRefPtr<ArrayBuffer> passedBuffer)
+{
+    RefPtr<ArrayBuffer> buffer = passedBuffer;
+    return create(buffer, 0, buffer->byteLength());
+}
+
 JSArrayBufferView* DataView::wrap(ExecState* exec, JSGlobalObject* globalObject)
 {

trunk/Source/JavaScriptCore/runtime/DataView.h

@@ -39 +39 @@
 public:
     JS_EXPORT_PRIVATE static PassRefPtr<DataView> create(PassRefPtr<ArrayBuffer>, unsigned byteOffset, unsigned length);
+    static PassRefPtr<DataView> create(PassRefPtr<ArrayBuffer>);
     
     virtual unsigned byteLength() const OVERRIDE
@@ -69 +70 @@
     
     template<typename T>
+    T read(unsigned& offset, bool littleEndian, bool* status = 0)
+    {
+        T result = this->template get<T>(offset, littleEndian, status);
+        if (!status || *status)
+            offset += sizeof(T);
+        return result;
+    }
+    
+    template<typename T>
     void set(unsigned offset, T value, bool littleEndian, bool* status = 0)
     {

trunk/Source/JavaScriptCore/runtime/Options.h

@@ -124 +124 @@
     v(bool, ftlTrapsOnOSRExit, false) \
     v(bool, ftlOSRExitOmitsMarshalling, false) \
+    v(bool, ftlOSRExitUsesStackmap, false) \
     v(bool, useLLVMOSRExitIntrinsic, false) \
     v(bool, dumpLLVMIR, false) \
-    v(bool, llvmAlwaysFails, false) \
+    v(bool, llvmAlwaysFailsBeforeCompile, false) \
+    v(bool, llvmAlwaysFailsBeforeLink, false) \
     v(unsigned, llvmBackendOptimizationLevel, 2) \
     v(unsigned, llvmOptimizationLevel, 2) \