Changeset 159798 in webkit

Timestamp:

Nov 26, 2013 6:47:43 PM (10 years ago)

Author:

fpizlo@apple.com

Message:

Restructure global variable constant inference so that it could work for any kind of symbol table variable
​https://bugs.webkit.org/show_bug.cgi?id=124760

Reviewed by Oliver Hunt.

This changes the way global variable constant inference works so that it can be reused
for closure variable constant inference. Some of the premises that originally motivated
this patch are somewhat wrong, but it led to some simplifications anyway and I suspect
that we'll be able to fix those premises in the future. The main point of this patch is
to make it easy to reuse global variable constant inference for closure variable
constant inference, and this will be possible provided we can also either (a) infer
one-shot closures (easy) or (b) infer closure variables that are always assigned prior
to first use.

One of the things that this patch is meant to enable is constant inference for closure
variables that may be part of a multi-shot closure. Closure variables may be
instantiated multiple times, like:

function foo() {

var WIDTH = 45;
function bar() {

... use WIDTH ...

}
...

}

Even if foo() is called many times and WIDTH is assigned to multiple times, that
doesn't change the fact that it's a constant. The goal of closure variable constant
inference is to catch any case where a closure variable has been assigned at least once
and its value has never changed. This patch doesn't implement that, but it does change
global variable constant inference to have most of the powers needed to do that. Note
that most likely we will use this functionality only to implement constant inference
for one-shot closures, but the resulting machinery is still simpler than what we had
before.

This involves three changes:

• The watchpoint object now contains the inferred value. This involves creating a new kind of watchpoint set, the VariableWatchpointSet. We will reuse this object for closure variables.

• Writing to a variable that is watchpointed still involves these three states that we proceed through monotonically (Uninitialized->Initialized->Invalidated) but now, the Initialized->Invalidated state transition only happens if we change the variable's value, rather than store to the variable. Repeatedly storing the same value won't change the variable's state.

• On 64-bit systems (the only systems on which we do concurrent JIT), you no longer need fancy fencing to get a consistent view of the watchpoint in the JIT. The state of the VariableWatchpointSet for the purposes of constant folding is entirely encapsulated in the VariableWatchpointSet::m_inferredValue. If that is JSValue() then you cannot fold (either because the set is uninitialized or because it's invalidated - doesn't matter which); on the other hand if the value is anything other than JSValue() then you can fold, and that's the value you fold to. Simple!

This also changes the way that DFG IR deals with variable watchpoints. It's now
oblivious to global variables. You install a watchpoint using VariableWatchpoint and
you notify write using NotifyWrite. Easy!

Note that this will requires some more tweaks because of the fact that op_enter will
store Undefined into every captured variable. Hence it won't even work for one-shot
closures. One-shot closures are easily fixed by introducing another state (so we'll
have Uninitialized->Undefined->Initialized->Invalidated). Multi-shot closures will
require static analysis. One-shot closures are clearly a higher priority.

• GNUmakefile.list.am:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/Instruction.h:
• bytecode/VariableWatchpointSet.h: Added.

(JSC::VariableWatchpointSet::VariableWatchpointSet):
(JSC::VariableWatchpointSet::~VariableWatchpointSet):
(JSC::VariableWatchpointSet::inferredValue):
(JSC::VariableWatchpointSet::notifyWrite):
(JSC::VariableWatchpointSet::invalidate):
(JSC::VariableWatchpointSet::finalizeUnconditionally):
(JSC::VariableWatchpointSet::addressOfInferredValue):

• bytecode/Watchpoint.h:
• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::::executeEffects):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGCSEPhase.cpp:

(JSC::DFG::CSEPhase::performNodeCSE):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGNode.h:

(JSC::DFG::Node::hasRegisterPointer):
(JSC::DFG::Node::hasVariableWatchpointSet):
(JSC::DFG::Node::variableWatchpointSet):

• dfg/DFGNodeType.h:
• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileArithMod):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callOperation):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGWatchpointCollectionPhase.cpp:

(JSC::DFG::WatchpointCollectionPhase::handle):

• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):

• jit/JIT.h:
• jit/JITOperations.h:
• jit/JITPropertyAccess.cpp:

(JSC::JIT::emitNotifyWrite):
(JSC::JIT::emitPutGlobalVar):

• jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::emitNotifyWrite):
(JSC::JIT::emitPutGlobalVar):

• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::addGlobalVar):
(JSC::JSGlobalObject::addFunction):

• runtime/JSGlobalObject.h:
• runtime/JSScope.h:

(JSC::ResolveOp::ResolveOp):

• runtime/JSSymbolTableObject.h:

(JSC::symbolTablePut):
(JSC::symbolTablePutWithAttributes):

• runtime/SymbolTable.cpp:

(JSC::SymbolTableEntry::inferredValue):
(JSC::SymbolTableEntry::prepareToWatch):
(JSC::SymbolTableEntry::addWatchpoint):
(JSC::SymbolTableEntry::notifyWriteSlow):
(JSC::SymbolTable::visitChildren):
(JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup):
(JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup):
(JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally):

• runtime/SymbolTable.h:

(JSC::SymbolTableEntry::watchpointSet):
(JSC::SymbolTableEntry::notifyWrite):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• GNUmakefile.list.am (modified) (1 diff)
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj (modified) (1 diff)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• bytecode/Instruction.h (modified) (2 diffs)
• bytecode/VariableWatchpointSet.h (added)
• bytecode/Watchpoint.h (modified) (1 diff)
• dfg/DFGAbstractInterpreterInlines.h (modified) (2 diffs)
• dfg/DFGByteCodeParser.cpp (modified) (3 diffs)
• dfg/DFGCSEPhase.cpp (modified) (2 diffs)
• dfg/DFGClobberize.h (modified) (2 diffs)
• dfg/DFGFixupPhase.cpp (modified) (1 diff)
• dfg/DFGNode.h (modified) (2 diffs)
• dfg/DFGNodeType.h (modified) (1 diff)
• dfg/DFGOperations.cpp (modified) (1 diff)
• dfg/DFGOperations.h (modified) (1 diff)
• dfg/DFGPredictionPropagationPhase.cpp (modified) (2 diffs)
• dfg/DFGSafeToExecute.h (modified) (2 diffs)
• dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT.h (modified) (2 diffs)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• dfg/DFGWatchpointCollectionPhase.cpp (modified) (1 diff)
• ftl/FTLCapabilities.cpp (modified) (3 diffs)
• ftl/FTLIntrinsicRepository.h (modified) (1 diff)
• ftl/FTLLowerDFGToLLVM.cpp (modified) (4 diffs)
• jit/JIT.h (modified) (1 diff)
• jit/JITOperations.h (modified) (3 diffs)
• jit/JITPropertyAccess.cpp (modified) (1 diff)
• jit/JITPropertyAccess32_64.cpp (modified) (1 diff)
• llint/LowLevelInterpreter32_64.asm (modified) (1 diff)
• llint/LowLevelInterpreter64.asm (modified) (1 diff)
• runtime/JSGlobalObject.cpp (modified) (2 diffs)
• runtime/JSGlobalObject.h (modified) (1 diff)
• runtime/JSScope.h (modified) (3 diffs)
• runtime/JSSymbolTableObject.h (modified) (5 diffs)
• runtime/SymbolTable.cpp (modified) (2 diffs)
• runtime/SymbolTable.h (modified) (8 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2013-11-26  Filip Pizlo  <fpizlo@apple.com>
+
+        Restructure global variable constant inference so that it could work for any kind of symbol table variable
+        https://bugs.webkit.org/show_bug.cgi?id=124760
+
+        Reviewed by Oliver Hunt.
+        
+        This changes the way global variable constant inference works so that it can be reused
+        for closure variable constant inference. Some of the premises that originally motivated
+        this patch are somewhat wrong, but it led to some simplifications anyway and I suspect
+        that we'll be able to fix those premises in the future. The main point of this patch is
+        to make it easy to reuse global variable constant inference for closure variable
+        constant inference, and this will be possible provided we can also either (a) infer
+        one-shot closures (easy) or (b) infer closure variables that are always assigned prior
+        to first use.
+        
+        One of the things that this patch is meant to enable is constant inference for closure
+        variables that may be part of a multi-shot closure. Closure variables may be
+        instantiated multiple times, like:
+        
+            function foo() {
+                var WIDTH = 45;
+                function bar() {
+                    ... use WIDTH ...
+                }
+                ...
+            }
+        
+        Even if foo() is called many times and WIDTH is assigned to multiple times, that
+        doesn't change the fact that it's a constant. The goal of closure variable constant
+        inference is to catch any case where a closure variable has been assigned at least once
+        and its value has never changed. This patch doesn't implement that, but it does change
+        global variable constant inference to have most of the powers needed to do that. Note
+        that most likely we will use this functionality only to implement constant inference
+        for one-shot closures, but the resulting machinery is still simpler than what we had
+        before.
+        
+        This involves three changes:
+        
+            - The watchpoint object now contains the inferred value. This involves creating a
+              new kind of watchpoint set, the VariableWatchpointSet. We will reuse this object
+              for closure variables.
+        
+            - Writing to a variable that is watchpointed still involves these three states that
+              we proceed through monotonically (Uninitialized->Initialized->Invalidated) but
+              now, the Initialized->Invalidated state transition only happens if we change the
+              variable's value, rather than store to the variable. Repeatedly storing the same
+              value won't change the variable's state.
+        
+            - On 64-bit systems (the only systems on which we do concurrent JIT), you no longer
+              need fancy fencing to get a consistent view of the watchpoint in the JIT. The
+              state of the VariableWatchpointSet for the purposes of constant folding is
+              entirely encapsulated in the VariableWatchpointSet::m_inferredValue. If that is
+              JSValue() then you cannot fold (either because the set is uninitialized or
+              because it's invalidated - doesn't matter which); on the other hand if the value
+              is anything other than JSValue() then you can fold, and that's the value you fold
+              to. Simple!
+        
+        This also changes the way that DFG IR deals with variable watchpoints. It's now
+        oblivious to global variables. You install a watchpoint using VariableWatchpoint and
+        you notify write using NotifyWrite. Easy!
+        
+        Note that this will requires some more tweaks because of the fact that op_enter will
+        store Undefined into every captured variable. Hence it won't even work for one-shot
+        closures. One-shot closures are easily fixed by introducing another state (so we'll
+        have Uninitialized->Undefined->Initialized->Invalidated). Multi-shot closures will
+        require static analysis. One-shot closures are clearly a higher priority.
+
+        * GNUmakefile.list.am:
+        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * bytecode/Instruction.h:
+        * bytecode/VariableWatchpointSet.h: Added.
+        (JSC::VariableWatchpointSet::VariableWatchpointSet):
+        (JSC::VariableWatchpointSet::~VariableWatchpointSet):
+        (JSC::VariableWatchpointSet::inferredValue):
+        (JSC::VariableWatchpointSet::notifyWrite):
+        (JSC::VariableWatchpointSet::invalidate):
+        (JSC::VariableWatchpointSet::finalizeUnconditionally):
+        (JSC::VariableWatchpointSet::addressOfInferredValue):
+        * bytecode/Watchpoint.h:
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::::executeEffects):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGCSEPhase.cpp:
+        (JSC::DFG::CSEPhase::performNodeCSE):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::hasRegisterPointer):
+        (JSC::DFG::Node::hasVariableWatchpointSet):
+        (JSC::DFG::Node::variableWatchpointSet):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileArithMod):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callOperation):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGWatchpointCollectionPhase.cpp:
+        (JSC::DFG::WatchpointCollectionPhase::handle):
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::LowerDFGToLLVM::compileNode):
+        (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
+        * jit/JIT.h:
+        * jit/JITOperations.h:
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emitNotifyWrite):
+        (JSC::JIT::emitPutGlobalVar):
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::emitNotifyWrite):
+        (JSC::JIT::emitPutGlobalVar):
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::addGlobalVar):
+        (JSC::JSGlobalObject::addFunction):
+        * runtime/JSGlobalObject.h:
+        * runtime/JSScope.h:
+        (JSC::ResolveOp::ResolveOp):
+        * runtime/JSSymbolTableObject.h:
+        (JSC::symbolTablePut):
+        (JSC::symbolTablePutWithAttributes):
+        * runtime/SymbolTable.cpp:
+        (JSC::SymbolTableEntry::inferredValue):
+        (JSC::SymbolTableEntry::prepareToWatch):
+        (JSC::SymbolTableEntry::addWatchpoint):
+        (JSC::SymbolTableEntry::notifyWriteSlow):
+        (JSC::SymbolTable::visitChildren):
+        (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup):
+        (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup):
+        (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally):
+        * runtime/SymbolTable.h:
+        (JSC::SymbolTableEntry::watchpointSet):
+        (JSC::SymbolTableEntry::notifyWrite):
+
 2013-11-24  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/GNUmakefile.list.am

@@ -182 +182 @@
         Source/JavaScriptCore/bytecode/ValueRecovery.cpp \
         Source/JavaScriptCore/bytecode/ValueRecovery.h \
+        Source/JavaScriptCore/bytecode/VariableWatchpointSet.h \
         Source/JavaScriptCore/bytecode/VirtualRegister.h \
         Source/JavaScriptCore/bytecode/Watchpoint.cpp \

trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj

@@ -796 +796 @@
     <ClInclude Include="..\bytecode\ValueProfile.h" />
     <ClInclude Include="..\bytecode\ValueRecovery.h" />
+    <ClInclude Include="..\bytecode\VariableWatchpointSet.h" />
     <ClInclude Include="..\bytecode\VirtualRegister.h" />
     <ClInclude Include="..\bytecode\Watchpoint.h" />

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -301 +301 @@
                 0F8F94441667635400D61971 /* JITCode.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F8F94431667635200D61971 /* JITCode.cpp */; };
                 0F8F9446166764F100D61971 /* CodeOrigin.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F8F9445166764EE00D61971 /* CodeOrigin.cpp */; };
+                0F9181C718415CA50057B669 /* VariableWatchpointSet.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F9181C618415CA50057B669 /* VariableWatchpointSet.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0F919D0C157EE09F004A4E7D /* JSSymbolTableObject.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F919D09157EE09D004A4E7D /* JSSymbolTableObject.cpp */; };
                 0F919D0D157EE0A2004A4E7D /* JSSymbolTableObject.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F919D0A157EE09D004A4E7D /* JSSymbolTableObject.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -1594 +1595 @@
                 0F8F94431667635200D61971 /* JITCode.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JITCode.cpp; sourceTree = "<group>"; };
                 0F8F9445166764EE00D61971 /* CodeOrigin.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CodeOrigin.cpp; sourceTree = "<group>"; };
+                0F9181C618415CA50057B669 /* VariableWatchpointSet.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VariableWatchpointSet.h; sourceTree = "<group>"; };
                 0F919D09157EE09D004A4E7D /* JSSymbolTableObject.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSSymbolTableObject.cpp; sourceTree = "<group>"; };
                 0F919D0A157EE09D004A4E7D /* JSSymbolTableObject.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSSymbolTableObject.h; sourceTree = "<group>"; };
@@ -4133 +4135 @@
                                 0F24E55717F74EDB00ABB217 /* ValueRecovery.cpp */,
                                 0F426A451460CBAB00131F8F /* ValueRecovery.h */,
+                                0F9181C618415CA50057B669 /* VariableWatchpointSet.h */,
                                 0F426A461460CBAB00131F8F /* VirtualRegister.h */,
                                 0F919D2215853CDE004A4E7D /* Watchpoint.cpp */,
@@ -4376 +4379 @@
                                 0FD8A32817D51F5700CA2C40 /* DFGTierUpCheckInjectionPhase.h in Headers */,
                                 0FD8A32A17D51F5700CA2C40 /* DFGToFTLDeferredCompilationCallback.h in Headers */,
+                                0F9181C718415CA50057B669 /* VariableWatchpointSet.h in Headers */,
                                 0FD8A32C17D51F5700CA2C40 /* DFGToFTLForOSREntryDeferredCompilationCallback.h in Headers */,
                                 0F63943F15C75F19006A597C /* DFGTypeCheckHoistingPhase.h in Headers */,

trunk/Source/JavaScriptCore/bytecode/Instruction.h

@@ -44 +44 @@
 class ArrayProfile;
 class ObjectAllocationProfile;
+class VariableWatchpointSet;
 struct LLIntCallLinkInfo;
 struct ValueProfile;
@@ -116 +117 @@
         ArrayAllocationProfile* arrayAllocationProfile;
         ObjectAllocationProfile* objectAllocationProfile;
-        WatchpointSet* watchpointSet;
+        VariableWatchpointSet* watchpointSet;
         void* pointer;
         bool* predicatePointer;

trunk/Source/JavaScriptCore/bytecode/Watchpoint.h

@@ -109 +109 @@
     }
     
-    void notifyWrite()
-    {
-        if (state() == ClearWatchpoint)
-            startWatching();
-        else
-            fireAll();
-    }
-    
     int8_t* addressOfState() { return &m_state; }
     int8_t* addressOfSetIsNotEmpty() { return &m_setIsNotEmpty; }

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -1506 +1506 @@
         break;
         
-    case GlobalVarWatchpoint:
+    case VariableWatchpoint:
     case VarInjectionWatchpoint:
         node->setCanExit(true);
@@ -1512 +1512 @@
             
     case PutGlobalVar:
-    case NotifyPutGlobalVar:
+    case NotifyWrite:
         break;
             

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -3095 +3095 @@
                 addToGraph(Phantom, get(VirtualRegister(scope)));
                 SymbolTableEntry entry = globalObject->symbolTable()->get(uid);
-                if (!entry.couldBeWatched() || !m_graph.watchpoints().isStillValid(entry.watchpointSet())) {
+                VariableWatchpointSet* watchpointSet = entry.watchpointSet();
+                JSValue specificValue =
+                    watchpointSet ? watchpointSet->inferredValue() : JSValue();
+                if (!specificValue) {
                     set(VirtualRegister(dst), addToGraph(GetGlobalVar, OpInfo(operand), OpInfo(prediction)));
                     break;
                 }
 
-                addToGraph(GlobalVarWatchpoint, OpInfo(operand), OpInfo(identifierNumber));
-                JSValue specificValue = globalObject->registerAt(entry.getIndex()).get();
+                addToGraph(VariableWatchpoint, OpInfo(watchpointSet));
                 if (specificValue.isCell())
                     set(VirtualRegister(dst), cellConstant(specificValue.asCell()));
@@ -3129 +3131 @@
 
             Structure* structure = 0;
-            WatchpointSet* watchpoints = 0;
+            VariableWatchpointSet* watchpoints = 0;
             uintptr_t operand;
             {
@@ -3161 +3163 @@
                 SymbolTableEntry entry = globalObject->symbolTable()->get(uid);
                 ASSERT(watchpoints == entry.watchpointSet());
-                addToGraph(PutGlobalVar, OpInfo(operand), get(VirtualRegister(value)));
+                Node* valueNode = get(VirtualRegister(value));
+                addToGraph(PutGlobalVar, OpInfo(operand), valueNode);
                 if (watchpoints->state() != IsInvalidated)
-                    addToGraph(NotifyPutGlobalVar, OpInfo(operand), OpInfo(identifierNumber));
+                    addToGraph(NotifyWrite, OpInfo(watchpoints), valueNode);
                 // Keep scope alive until after put.
                 addToGraph(Phantom, get(VirtualRegister(scope)));

trunk/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp

@@ -261 +261 @@
     }
     
-    bool globalVarWatchpointElimination(WriteBarrier<Unknown>* registerPointer)
-    {
-        for (unsigned i = m_indexInBlock; i--;) {
-            Node* node = m_currentBlock->at(i);
-            switch (node->op()) {
-            case GlobalVarWatchpoint:
-                if (node->registerPointer() == registerPointer)
-                    return true;
-                break;
-            case PutGlobalVar:
-                if (node->registerPointer() == registerPointer)
-                    return false;
-                break;
-            default:
-                break;
-            }
-            if (m_graph.clobbersWorld(node))
-                break;
-        }
-        return false;
-    }
-
     bool varInjectionWatchpointElimination()
     {
@@ -1230 +1208 @@
         }
 
-        case GlobalVarWatchpoint:
-            if (cseMode == StoreElimination)
-                break;
-            if (globalVarWatchpointElimination(node->registerPointer()))
-                eliminate();
-            break;
-            
         case VarInjectionWatchpoint:
             if (cseMode == StoreElimination)

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -144 +144 @@
         return;
         
-    case NotifyPutGlobalVar:
+    case VariableWatchpoint:
+        read(Watchpoint_fire);
+        return;
+        
+    case NotifyWrite:
         write(Watchpoint_fire);
+        write(SideState);
         return;
 
@@ -521 +526 @@
         
     case GetGlobalVar:
-    case GlobalVarWatchpoint:
         read(AbstractHeap(Absolute, node->registerPointer()));
         return;

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -919 +919 @@
         case GetGlobalVar:
         case PutGlobalVar:
-        case NotifyPutGlobalVar:
-        case GlobalVarWatchpoint:
+        case NotifyWrite:
+        case VariableWatchpoint:
         case VarInjectionWatchpoint:
         case AllocationProfileWatchpoint:

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -749 +749 @@
     }
     
-    bool hasIdentifierNumberForCheck()
-    {
-        return op() == GlobalVarWatchpoint || op() == NotifyPutGlobalVar;
-    }
-    
-    unsigned identifierNumberForCheck()
-    {
-        ASSERT(hasIdentifierNumberForCheck());
-        return m_opInfo2;
-    }
-    
     bool hasRegisterPointer()
     {
-        return op() == GetGlobalVar || op() == PutGlobalVar || op() == GlobalVarWatchpoint || op() == NotifyPutGlobalVar;
+        return op() == GetGlobalVar || op() == PutGlobalVar;
     }
     
@@ -974 +963 @@
         return jsCast<ExecutableBase*>(reinterpret_cast<JSCell*>(m_opInfo));
     }
+    
+    bool hasVariableWatchpointSet()
+    {
+        return op() == NotifyWrite || op() == VariableWatchpoint;
+    }
+    
+    VariableWatchpointSet* variableWatchpointSet()
+    {
+        return reinterpret_cast<VariableWatchpointSet*>(m_opInfo);
+    }
 
     bool hasStructureTransitionData()

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -185 +185 @@
     macro(GetGlobalVar, NodeResultJS) \
     macro(PutGlobalVar, NodeMustGenerate) \
-    macro(NotifyPutGlobalVar, NodeMustGenerate) \
-    macro(GlobalVarWatchpoint, NodeMustGenerate) \
+    macro(NotifyWrite, NodeMustGenerate) \
+    macro(VariableWatchpoint, NodeMustGenerate) \
     macro(VarInjectionWatchpoint, NodeMustGenerate) \
     macro(CheckFunction, NodeMustGenerate) \

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -999 +999 @@
 }
 
-void JIT_OPERATION operationNotifyWrite(ExecState* exec, WatchpointSet* set)
-{
-    VM& vm = exec->vm();
-    NativeCallFrameTracer tracer(&vm, exec);
-
-    set->notifyWrite();
+void JIT_OPERATION operationInvalidate(ExecState* exec, VariableWatchpointSet* set)
+{
+    VM& vm = exec->vm();
+    NativeCallFrameTracer tracer(&vm, exec);
+
+    set->invalidate();
 }
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -126 +126 @@
 char* JIT_OPERATION operationFindSwitchImmTargetForDouble(ExecState*, EncodedJSValue, size_t tableIndex);
 char* JIT_OPERATION operationSwitchString(ExecState*, size_t tableIndex, JSString*);
-void JIT_OPERATION operationNotifyWrite(ExecState*, WatchpointSet*);
+void JIT_OPERATION operationInvalidate(ExecState*, VariableWatchpointSet*);
 
 #if ENABLE(FTL_JIT)

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -575 +575 @@
         case TearOffArguments:
         case CheckArgumentsNotCreated:
-        case GlobalVarWatchpoint:
+        case VariableWatchpoint:
         case VarInjectionWatchpoint:
         case AllocationProfileWatchpoint:
@@ -583 +583 @@
         case Unreachable:
         case LoopHint:
-        case NotifyPutGlobalVar:
+        case NotifyWrite:
             break;
             

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -173 +173 @@
     case GetGlobalVar:
     case PutGlobalVar:
-    case GlobalVarWatchpoint:
+    case VariableWatchpoint:
     case VarInjectionWatchpoint:
     case CheckFunction:
@@ -243 +243 @@
     case Int52ToValue:
     case InvalidationPoint:
-    case NotifyPutGlobalVar:
+    case NotifyWrite:
         return true;
         

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -5601 +5601 @@
 }
 
-void SpeculativeJIT::compileNotifyPutGlobalVar(Node* node)
-{
-    WatchpointSet* set = m_jit.globalObjectFor(node->codeOrigin)->symbolTable()->get(
-        m_jit.graph().identifiers()[node->identifierNumberForCheck()]).watchpointSet();
-    
-    GPRTemporary temp(this);
-    GPRReg tempGPR = temp.gpr();
-    
-    m_jit.load8(set->addressOfState(), tempGPR);
-    
-    JITCompiler::JumpList ready;
-    
-    ready.append(m_jit.branch32(JITCompiler::Equal, tempGPR, TrustedImm32(IsInvalidated)));
-    
-    m_jit.memoryFence();
-
-    if (set->state() == ClearWatchpoint) {
-        JITCompiler::Jump isWatched =
-            m_jit.branch32(JITCompiler::NotEqual, tempGPR, TrustedImm32(ClearWatchpoint));
-        
-        m_jit.store8(TrustedImm32(IsWatched), set->addressOfState());
-        ready.append(m_jit.jump());
-        
-        isWatched.link(&m_jit);
-    }
-    
-    JITCompiler::Jump slowCase = m_jit.branchTest8(
-        JITCompiler::NonZero, JITCompiler::AbsoluteAddress(set->addressOfSetIsNotEmpty()));
-    m_jit.store8(TrustedImm32(IsInvalidated), set->addressOfState());
-
-    ready.link(&m_jit);
-    
-    addSlowPathGenerator(
-        slowPathCall(slowCase, this, operationNotifyWrite, NoResult, set));
-    
-    noResult(node);
-}
-
 void SpeculativeJIT::addBranch(const MacroAssembler::JumpList& jump, BasicBlock* destination)
 {

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1085 +1085 @@
     }
 
-    JITCompiler::Call callOperation(V_JITOperation_EW operation, WatchpointSet* watchpointSet)
+    JITCompiler::Call callOperation(V_JITOperation_EVws operation, VariableWatchpointSet* watchpointSet)
     {
         m_jit.setupArgumentsWithExecState(TrustedImmPtr(watchpointSet));
@@ -2045 +2045 @@
     void compileNewFunctionExpression(Node*);
     bool compileRegExpExec(Node*);
-    
-    void compileNotifyPutGlobalVar(Node*);
     
     // size can be an immediate or a register, and must be in bytes. If size is a register,

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -4072 +4072 @@
     }
 
-    case GlobalVarWatchpoint: {
-#if DFG_ENABLE(JIT_ASSERT)
-        GPRTemporary scratch(this);
-        GPRReg scratchGPR = scratch.gpr();
-        m_jit.load32(node->registerPointer()->tagPointer(), scratchGPR);
-        JITCompiler::Jump notOK = m_jit.branch32(
-            JITCompiler::NotEqual, scratchGPR,
-            TrustedImm32(node->registerPointer()->get().tag()));
-        m_jit.load32(node->registerPointer()->payloadPointer(), scratchGPR);
-        JITCompiler::Jump ok = m_jit.branch32(
-            JITCompiler::Equal, scratchGPR,
-            TrustedImm32(node->registerPointer()->get().payload()));
-        notOK.link(&m_jit);
-        m_jit.breakpoint();
-        ok.link(&m_jit);
-#endif
-        
+    case NotifyWrite: {
+        VariableWatchpointSet* set = node->variableWatchpointSet();
+    
+        JSValueOperand value(this, node->child1());
+        GPRReg valueTagGPR = value.tagGPR();
+        GPRReg valuePayloadGPR = value.payloadGPR();
+    
+        GPRTemporary temp(this);
+        GPRReg tempGPR = temp.gpr();
+    
+        m_jit.load8(set->addressOfState(), tempGPR);
+    
+        JITCompiler::JumpList ready;
+    
+        ready.append(m_jit.branch32(JITCompiler::Equal, tempGPR, TrustedImm32(IsInvalidated)));
+    
+        if (set->state() == ClearWatchpoint) {
+            JITCompiler::Jump isWatched =
+                m_jit.branch32(JITCompiler::NotEqual, tempGPR, TrustedImm32(ClearWatchpoint));
+        
+            m_jit.store32(valueTagGPR, &set->addressOfInferredValue()->u.asBits.tag);
+            m_jit.store32(valuePayloadGPR, &set->addressOfInferredValue()->u.asBits.payload);
+            m_jit.store8(TrustedImm32(IsWatched), set->addressOfState());
+            ready.append(m_jit.jump());
+        
+            isWatched.link(&m_jit);
+        }
+
+        JITCompiler::Jump definitelyNotEqual = m_jit.branch32(
+            JITCompiler::NotEqual,
+            JITCompiler::AbsoluteAddress(&set->addressOfInferredValue()->u.asBits.payload),
+            valuePayloadGPR);
+        ready.append(m_jit.branch32(
+            JITCompiler::Equal, 
+            JITCompiler::AbsoluteAddress(&set->addressOfInferredValue()->u.asBits.tag),
+            valueTagGPR));
+        definitelyNotEqual.link(&m_jit);
+    
+        JITCompiler::Jump slowCase = m_jit.branchTest8(
+            JITCompiler::NonZero, JITCompiler::AbsoluteAddress(set->addressOfSetIsNotEmpty()));
+        m_jit.store8(TrustedImm32(IsInvalidated), set->addressOfState());
+        m_jit.store32(
+            TrustedImm32(JSValue::EmptyValueTag),
+            &set->addressOfInferredValue()->u.asBits.tag);
+        m_jit.store32(
+            TrustedImm32(0), &set->addressOfInferredValue()->u.asBits.payload);
+
+        ready.link(&m_jit);
+    
+        addSlowPathGenerator(
+            slowPathCall(slowCase, this, operationInvalidate, NoResult, set));
+    
         noResult(node);
         break;
     }
 
-    case NotifyPutGlobalVar: {
-        compileNotifyPutGlobalVar(node);
-        break;
-    }
-
-    case VarInjectionWatchpoint: {
+    case VarInjectionWatchpoint:
+    case VariableWatchpoint: {
         noResult(node);
         break;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -4354 +4354 @@
     }
 
-    case GlobalVarWatchpoint: {
-#if DFG_ENABLE(JIT_ASSERT)
-        GPRTemporary scratch(this);
-        GPRReg scratchGPR = scratch.gpr();
-        m_jit.load64(node->registerPointer(), scratchGPR);
-        JITCompiler::Jump ok = m_jit.branch64(
-            JITCompiler::Equal, scratchGPR,
-            TrustedImm64(JSValue::encode(node->registerPointer()->get())));
-        m_jit.breakpoint();
-        ok.link(&m_jit);
-#endif
-        
+    case NotifyWrite: {
+        VariableWatchpointSet* set = node->variableWatchpointSet();
+    
+        JSValueOperand value(this, node->child1());
+        GPRReg valueGPR = value.gpr();
+    
+        GPRTemporary temp(this);
+        GPRReg tempGPR = temp.gpr();
+    
+        m_jit.load8(set->addressOfState(), tempGPR);
+    
+        JITCompiler::JumpList ready;
+    
+        ready.append(m_jit.branch32(JITCompiler::Equal, tempGPR, TrustedImm32(IsInvalidated)));
+    
+        if (set->state() == ClearWatchpoint) {
+            JITCompiler::Jump isWatched =
+                m_jit.branch32(JITCompiler::NotEqual, tempGPR, TrustedImm32(ClearWatchpoint));
+        
+            m_jit.store64(valueGPR, set->addressOfInferredValue());
+            m_jit.store8(TrustedImm32(IsWatched), set->addressOfState());
+            ready.append(m_jit.jump());
+        
+            isWatched.link(&m_jit);
+        }
+    
+        ready.append(m_jit.branch64(
+            JITCompiler::Equal, 
+            JITCompiler::AbsoluteAddress(set->addressOfInferredValue()), valueGPR));
+    
+        JITCompiler::Jump slowCase = m_jit.branchTest8(
+            JITCompiler::NonZero, JITCompiler::AbsoluteAddress(set->addressOfSetIsNotEmpty()));
+        m_jit.store8(TrustedImm32(IsInvalidated), set->addressOfState());
+        m_jit.move(TrustedImm64(JSValue::encode(JSValue())), tempGPR);
+        m_jit.store64(tempGPR, set->addressOfInferredValue());
+
+        ready.link(&m_jit);
+    
+        addSlowPathGenerator(
+            slowPathCall(slowCase, this, operationInvalidate, NoResult, set));
+    
         noResult(node);
         break;
     }
-        
-    case NotifyPutGlobalVar: {
-        compileNotifyPutGlobalVar(node);
-        break;
-    }
-
-    case VarInjectionWatchpoint: {
+
+    case VarInjectionWatchpoint:
+    case VariableWatchpoint: {
         noResult(node);
         break;

trunk/Source/JavaScriptCore/dfg/DFGWatchpointCollectionPhase.cpp

@@ -119 +119 @@
             break;
             
-        case GlobalVarWatchpoint:
-            addLazily(
-                globalObject()->symbolTable()->get(
-                    m_graph.identifiers()[m_node->identifierNumberForCheck()]).watchpointSet());
+        case VariableWatchpoint:
+            addLazily(m_node->variableWatchpointSet());
             break;
             

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -70 +70 @@
     case GetGlobalVar:
     case PutGlobalVar:
-    case NotifyPutGlobalVar:
     case ValueAdd:
     case ArithAdd:
@@ -93 +92 @@
     case Call:
     case Construct:
-    case GlobalVarWatchpoint:
     case GetMyScope:
     case SkipScope:
@@ -105 +103 @@
     case StringCharCodeAt:
     case AllocatePropertyStorage:
+    case VariableWatchpoint:
+    case NotifyWrite:
         // These are OK.
         break;

trunk/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h

@@ -66 +66 @@
     macro(V_JITOperation_EOZD, functionType(voidType, intPtr, intPtr, int32, doubleType)) \
     macro(V_JITOperation_EOZJ, functionType(voidType, intPtr, intPtr, int32, int64)) \
-    macro(V_JITOperation_EW, functionType(voidType, intPtr, intPtr)) \
+    macro(V_JITOperation_EVws, functionType(voidType, intPtr, intPtr)) \
     macro(Z_JITOperation_D, functionType(int32, doubleType))
 

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp

@@ -395 +395 @@
             compilePutGlobalVar();
             break;
-        case NotifyPutGlobalVar:
-            compileNotifyPutGlobalVar();
-            break;
-        case GlobalVarWatchpoint:
-            compileGlobalVarWatchpoint();
+        case NotifyWrite:
+            compileNotifyWrite();
+            break;
+        case VariableWatchpoint:
             break;
         case GetMyScope:
@@ -2118 +2117 @@
     }
     
-    void compileNotifyPutGlobalVar()
-    {
-        WatchpointSet* set = m_graph.globalObjectFor(m_node->codeOrigin)->symbolTable()->get(
-            m_graph.identifiers()[m_node->identifierNumberForCheck()]).watchpointSet();
-        
-        LBasicBlock isNotInvalidated = FTL_NEW_BLOCK(m_out, ("NotifyPutGlobalVar not invalidated case"));
-        LBasicBlock isClear = FTL_NEW_BLOCK(m_out, ("NotifyPutGlobalVar clear case"));
-        LBasicBlock isWatched = FTL_NEW_BLOCK(m_out, ("NotifyPutGlobalVar watched case"));
-        LBasicBlock isWatchedFast = FTL_NEW_BLOCK(m_out, ("NotifyPutGlobalVar watched fast case"));
-        LBasicBlock isWatchedSlow = FTL_NEW_BLOCK(m_out, ("NotifyPutGlobalVar watched slow case"));
-        LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("NotifyPutGlobalVar continuation"));
+    void compileNotifyWrite()
+    {
+        VariableWatchpointSet* set = m_node->variableWatchpointSet();
+        
+        LValue value = lowJSValue(m_node->child1());
+        
+        LBasicBlock isNotInvalidated = FTL_NEW_BLOCK(m_out, ("NotifyWrite not invalidated case"));
+        LBasicBlock isClear = FTL_NEW_BLOCK(m_out, ("NotifyWrite clear case"));
+        LBasicBlock isWatched = FTL_NEW_BLOCK(m_out, ("NotifyWrite watched case"));
+        LBasicBlock invalidate = FTL_NEW_BLOCK(m_out, ("NotifyWrite invalidate case"));
+        LBasicBlock invalidateFast = FTL_NEW_BLOCK(m_out, ("NotifyWrite invalidate fast case"));
+        LBasicBlock invalidateSlow = FTL_NEW_BLOCK(m_out, ("NotifyWrite invalidate slow case"));
+        LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("NotifyWrite continuation"));
         
         LValue state = m_out.load8(m_out.absolute(set->addressOfState()));
@@ -2138 +2139 @@
         LBasicBlock lastNext = m_out.appendTo(isNotInvalidated, isClear);
 
-        m_out.fenceAcqRel();
-        
         LValue isClearValue;
         if (set->state() == ClearWatchpoint)
@@ -2149 +2148 @@
         m_out.appendTo(isClear, isWatched);
         
+        m_out.store64(value, m_out.absolute(set->addressOfInferredValue()));
         m_out.store8(m_out.constInt8(IsWatched), m_out.absolute(set->addressOfState()));
         m_out.jump(continuation);
         
-        m_out.appendTo(isWatched, isWatchedFast);
+        m_out.appendTo(isWatched, invalidate);
+        
+        m_out.branch(
+            m_out.equal(value, m_out.load64(m_out.absolute(set->addressOfInferredValue()))),
+            continuation, invalidate);
+        
+        m_out.appendTo(invalidate, invalidateFast);
         
         m_out.branch(
             m_out.notZero8(m_out.load8(m_out.absolute(set->addressOfSetIsNotEmpty()))),
-            isWatchedSlow, isWatchedFast);
-        
-        m_out.appendTo(isWatchedFast, isWatchedSlow);
-        
+            invalidateSlow, invalidateFast);
+        
+        m_out.appendTo(invalidateFast, invalidateSlow);
+        
+        m_out.store64(
+            m_out.constInt64(JSValue::encode(JSValue())),
+            m_out.absolute(set->addressOfInferredValue()));
         m_out.store8(m_out.constInt8(IsInvalidated), m_out.absolute(set->addressOfState()));
         m_out.jump(continuation);
         
-        m_out.appendTo(isWatchedSlow, continuation);
-        
-        vmCall(m_out.operation(operationNotifyWrite), m_callFrame, m_out.constIntPtr(set));
+        m_out.appendTo(invalidateSlow, continuation);
+        
+        vmCall(m_out.operation(operationInvalidate), m_callFrame, m_out.constIntPtr(set));
         m_out.jump(continuation);
         
         m_out.appendTo(continuation, lastNext);
-    }
-    
-    void compileGlobalVarWatchpoint()
-    {
-        // FIXME: In debug mode we could emit some assertion code here.
-        // https://bugs.webkit.org/show_bug.cgi?id=123471
     }
     

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -619 +619 @@
         void emitGetClosureVar(int scope, uintptr_t operand);
         void emitPutGlobalProperty(uintptr_t* operandSlot, int value);
-        void emitPutGlobalVar(uintptr_t operand, int value, WatchpointSet*);
+#if USE(JSVALUE64)
+        void emitNotifyWrite(RegisterID value, RegisterID scratch, VariableWatchpointSet*);
+#else
+        void emitNotifyWrite(RegisterID tag, RegisterID payload, RegisterID scratch, VariableWatchpointSet*);
+#endif
+        void emitPutGlobalVar(uintptr_t operand, int value, VariableWatchpointSet*);
         void emitPutClosureVar(int scope, uintptr_t operand, int value);
 

trunk/Source/JavaScriptCore/jit/JITOperations.h

@@ -36 +36 @@
 #include "PutKind.h"
 #include "StructureStubInfo.h"
-#include "Watchpoint.h"
+#include "VariableWatchpointSet.h"
 
 namespace JSC {
@@ -77 +77 @@
     V: void
     Vm: VM*
-    W: WatchpointSet*
+    Vws: VariableWatchpointSet*
     Z: int32_t
 */
@@ -155 +155 @@
 typedef void JIT_OPERATION (*V_JITOperation_EPZJ)(ExecState*, void*, int32_t, EncodedJSValue);
 typedef void JIT_OPERATION (*V_JITOperation_ESsiJJI)(ExecState*, StructureStubInfo*, EncodedJSValue, EncodedJSValue, StringImpl*);
-typedef void JIT_OPERATION (*V_JITOperation_EW)(ExecState*, WatchpointSet*);
+typedef void JIT_OPERATION (*V_JITOperation_EVws)(ExecState*, VariableWatchpointSet*);
 typedef void JIT_OPERATION (*V_JITOperation_EZ)(ExecState*, int32_t);
 typedef void JIT_OPERATION (*V_JITOperation_EVm)(ExecState*, VM*);

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -772 +772 @@
 }
 
-void JIT::emitPutGlobalVar(uintptr_t operand, int value, WatchpointSet* set)
-{
-    if (set && set->state() != IsInvalidated) {
-        load8(set->addressOfState(), regT1);
+void JIT::emitNotifyWrite(RegisterID value, RegisterID scratch, VariableWatchpointSet* set)
+{
+    if (!set || set->state() == IsInvalidated)
+        return;
+    
+    load8(set->addressOfState(), scratch);
+    
+    JumpList ready;
+    
+    ready.append(branch32(Equal, scratch, TrustedImm32(IsInvalidated)));
+    
+    if (set->state() == ClearWatchpoint) {
+        Jump isWatched = branch32(NotEqual, scratch, TrustedImm32(ClearWatchpoint));
         
-        JumpList ready;
+        store64(value, set->addressOfInferredValue());
+        store8(TrustedImm32(IsWatched), set->addressOfState());
+        ready.append(jump());
         
-        ready.append(branch32(Equal, regT1, TrustedImm32(IsInvalidated)));
-        
-        if (set->state() == ClearWatchpoint) {
-            Jump isWatched = branch32(NotEqual, regT1, TrustedImm32(ClearWatchpoint));
-            
-            move(TrustedImm32(IsWatched), regT1);
-            ready.append(jump());
-            
-            isWatched.link(this);
-        }
-        
-        addSlowCase(branchTest8(NonZero, AbsoluteAddress(set->addressOfSetIsNotEmpty())));
-        move(TrustedImm32(IsInvalidated), regT1);
-        ready.link(this);
-    }
-    
+        isWatched.link(this);
+    }
+    
+    ready.append(branch64(Equal, AbsoluteAddress(set->addressOfInferredValue()), value));
+    addSlowCase(branchTest8(NonZero, AbsoluteAddress(set->addressOfSetIsNotEmpty())));
+    store8(TrustedImm32(IsInvalidated), set->addressOfState());
+    move(TrustedImm64(JSValue::encode(JSValue())), scratch);
+    store64(scratch, set->addressOfInferredValue());
+    
+    ready.link(this);
+}
+
+void JIT::emitPutGlobalVar(uintptr_t operand, int value, VariableWatchpointSet* set)
+{
     emitGetVirtualRegister(value, regT0);
+    emitNotifyWrite(regT0, regT1, set);
     storePtr(regT0, reinterpret_cast<void*>(operand));
-    
-    if (set && set->state() != IsInvalidated) {
-        memoryFence();
-        store8(regT1, set->addressOfState());
-    }
 }
 

trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp

@@ -808 +808 @@
 }
 
-void JIT::emitPutGlobalVar(uintptr_t operand, int value, WatchpointSet* set)
-{
-    if (set && set->state() != IsInvalidated) {
-        load8(set->addressOfState(), regT2);
+void JIT::emitNotifyWrite(RegisterID tag, RegisterID payload, RegisterID scratch, VariableWatchpointSet* set)
+{
+    if (!set || set->state() == IsInvalidated)
+        return;
+    
+    load8(set->addressOfState(), scratch);
+    
+    JumpList ready;
+    
+    ready.append(branch32(Equal, scratch, TrustedImm32(IsInvalidated)));
+    
+    if (set->state() == ClearWatchpoint) {
+        Jump isWatched = branch32(NotEqual, scratch, TrustedImm32(ClearWatchpoint));
         
-        JumpList ready;
+        store32(tag, &set->addressOfInferredValue()->u.asBits.tag);
+        store32(payload, &set->addressOfInferredValue()->u.asBits.payload);
+        store8(TrustedImm32(IsWatched), set->addressOfState());
+        ready.append(jump());
         
-        ready.append(branch32(Equal, regT2, TrustedImm32(IsInvalidated)));
-        
-        if (set->state() == ClearWatchpoint) {
-            Jump isWatched = branch32(NotEqual, regT2, TrustedImm32(ClearWatchpoint));
-            
-            move(TrustedImm32(IsWatched), regT2);
-            ready.append(jump());
-            
-            isWatched.link(this);
-        }
-        
-        addSlowCase(branchTest8(NonZero, AbsoluteAddress(set->addressOfSetIsNotEmpty())));
-        move(TrustedImm32(IsInvalidated), regT2);
-        ready.link(this);
-    }
-    
+        isWatched.link(this);
+    }
+
+    Jump definitelyNotEqual = branch32(
+        NotEqual, AbsoluteAddress(&set->addressOfInferredValue()->u.asBits.payload), payload);
+    ready.append(branch32(
+        Equal, AbsoluteAddress(&set->addressOfInferredValue()->u.asBits.tag), tag));
+    definitelyNotEqual.link(this);
+    addSlowCase(branchTest8(NonZero, AbsoluteAddress(set->addressOfSetIsNotEmpty())));
+    store8(TrustedImm32(IsInvalidated), set->addressOfState());
+    store32(
+        TrustedImm32(JSValue::EmptyValueTag), &set->addressOfInferredValue()->u.asBits.tag);
+    store32(TrustedImm32(0), &set->addressOfInferredValue()->u.asBits.payload);
+    
+    ready.link(this);
+}
+
+void JIT::emitPutGlobalVar(uintptr_t operand, int value, VariableWatchpointSet* set)
+{
     emitLoad(value, regT1, regT0);
+    emitNotifyWrite(regT1, regT0, regT2, set);
     store32(regT1, reinterpret_cast<char*>(operand) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag));
     store32(regT0, reinterpret_cast<char*>(operand) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload));
-    
-    if (set && set->state() != IsInvalidated) {
-        memoryFence();
-        store8(regT1, set->addressOfState());
-    }
 }
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -2133 +2133 @@
 end
 
+macro notifyWrite(set, valueTag, valuePayload, scratch, slow)
+    loadb VariableWatchpointSet::m_state[set], scratch
+    bieq scratch, IsInvalidated, .done
+    bineq scratch, ClearWatchpoint, .overwrite
+    storei valueTag, VariableWatchpointSet::m_inferredValue + TagOffset[set]
+    storei valuePayload, VariableWatchpointSet::m_inferredValue + PayloadOffset[set]
+    storeb IsWatched, VariableWatchpointSet::m_state[set]
+    jmp .done
+
+.overwrite:
+    bineq valuePayload, VariableWatchpointSet::m_inferredValue + PayloadOffset[set], .definitelyDifferent
+    bieq valueTag, VariableWatchpointSet::m_inferredValue + TagOffset[set], .done
+.definitelyDifferent:
+    btbnz VariableWatchpointSet::m_setIsNotEmpty[set], slow
+    storei EmptyValueTag, VariableWatchpointSet::m_inferredValue + TagOffset[set]
+    storei 0, VariableWatchpointSet::m_inferredValue + PayloadOffset[set]
+    storeb IsInvalidated, VariableWatchpointSet::m_state[set]
+
+.done:
+end
+
 macro putGlobalVar()
-    loadpFromInstruction(5, t2)
-    loadb WatchpointSet::m_state[t2], t3
-    bieq t3, IsInvalidated, .ready
-    bineq t3, ClearWatchpoint, .needToInvalidate
-    move IsWatched, t3
-    jmp .ready
-.needToInvalidate:
-    btbnz WatchpointSet::m_setIsNotEmpty[t2], .pDynamic
-    move IsInvalidated, t3
-.ready:
     loadisFromInstruction(3, t0)
     loadConstantOrVariable(t0, t1, t2)
+    loadpFromInstruction(5, t3)
+    notifyWrite(t3, t1, t2, t0, .pDynamic)
     loadpFromInstruction(6, t0)
     storei t1, TagOffset[t0]
     storei t2, PayloadOffset[t0]
-    memfence
-    loadpFromInstruction(5, t2)
-    storeb t3, WatchpointSet::m_state[t2]
 end
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -1953 +1953 @@
 end
 
+macro notifyWrite(set, value, scratch, slow)
+    loadb VariableWatchpointSet::m_state[set], scratch
+    bieq scratch, IsInvalidated, .done
+    bineq scratch, ClearWatchpoint, .overwrite
+    storeq value, VariableWatchpointSet::m_inferredValue[set]
+    storeb IsWatched, VariableWatchpointSet::m_state[set]
+    jmp .done
+
+.overwrite:
+    bqeq value, VariableWatchpointSet::m_inferredValue[set], .done
+    btbnz VariableWatchpointSet::m_setIsNotEmpty[set], slow
+    storeq 0, VariableWatchpointSet::m_inferredValue[set]
+    storeb IsInvalidated, VariableWatchpointSet::m_state[set]
+
+.done:    
+end
+
 macro putGlobalVar()
-    loadpFromInstruction(5, t2)
-    loadb WatchpointSet::m_state[t2], t3
-    bieq t3, IsInvalidated, .ready
-    bineq t3, ClearWatchpoint, .needToInvalidate
-    move IsWatched, t3
-    jmp .ready
-.needToInvalidate:
-    btbnz WatchpointSet::m_setIsNotEmpty[t2], .pDynamic
-    move IsInvalidated, t3
-.ready:
     loadisFromInstruction(3, t0)
     loadConstantOrVariable(t0, t1)
+    loadpFromInstruction(5, t2)
+    notifyWrite(t2, t1, t0, .pDynamic)
     loadpFromInstruction(6, t0)
     storeq t1, [t0]
-    memfence
-    storeb t3, WatchpointSet::m_state[t2]
 end
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -217 +217 @@
     SymbolTableEntry newEntry(index, (constantMode == IsConstant) ? ReadOnly : 0);
     if (constantMode == IsVariable)
-        newEntry.prepareToWatch(SymbolTableEntry::NotInitialized);
+        newEntry.prepareToWatch();
     SymbolTable::Map::AddResult result = symbolTable()->add(locker, ident.impl(), newEntry);
     if (result.isNewEntry)
@@ -235 +235 @@
     registerAt(var.registerNumber).set(exec->vm(), this, value);
     if (var.set)
-        var.set->notifyWrite();
+        var.set->notifyWrite(value);
 }
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -292 +292 @@
     struct NewGlobalVar {
         int registerNumber;
-        WatchpointSet* set;
+        VariableWatchpointSet* set;
     };
     NewGlobalVar addGlobalVar(const Identifier&, ConstantMode);

trunk/Source/JavaScriptCore/runtime/JSScope.h

@@ -32 +32 @@
 
 class ScopeChainIterator;
-class WatchpointSet;
+class VariableWatchpointSet;
 
 enum ResolveMode {
@@ -97 +97 @@
 
 struct ResolveOp {
-    ResolveOp(ResolveType type, size_t depth, Structure* structure, WatchpointSet* watchpointSet, uintptr_t operand)
+    ResolveOp(ResolveType type, size_t depth, Structure* structure, VariableWatchpointSet* watchpointSet, uintptr_t operand)
         : type(type)
         , depth(depth)
@@ -109 +109 @@
     size_t depth;
     Structure* structure;
-    WatchpointSet* watchpointSet;
+    VariableWatchpointSet* watchpointSet;
     uintptr_t operand;
 };

trunk/Source/JavaScriptCore/runtime/JSSymbolTableObject.h

@@ -124 +124 @@
     
     WriteBarrierBase<Unknown>* reg;
-    WatchpointSet* set = 0;
     {
         SymbolTable& symbolTable = *object->symbolTable();
@@ -139 +138 @@
             return true;
         }
-        set = iter->value.watchpointSet();
+        if (VariableWatchpointSet* set = iter->value.watchpointSet())
+            set->notifyWrite(value);
         reg = &object->registerAt(fastEntry.getIndex());
     }
@@ -146 +146 @@
     // locks while GC'ing.
     reg->set(vm, object, value);
-    if (set)
-        set->notifyWrite();
     return true;
 }
@@ -159 +157 @@
 
     WriteBarrierBase<Unknown>* reg;
-    WatchpointSet* set = 0;
     {
         SymbolTable& symbolTable = *object->symbolTable();
@@ -168 +165 @@
         SymbolTableEntry& entry = iter->value;
         ASSERT(!entry.isNull());
-        set = entry.watchpointSet();
+        if (VariableWatchpointSet* set = entry.watchpointSet())
+            set->notifyWrite(value);
         entry.setAttributes(attributes);
         reg = &object->registerAt(entry.getIndex());
     }
     reg->set(vm, object, value);
-    if (set)
-        set->notifyWrite();
     return true;
 }

trunk/Source/JavaScriptCore/runtime/SymbolTable.cpp

@@ -59 +59 @@
 }
 
-bool SymbolTableEntry::couldBeWatched()
+JSValue SymbolTableEntry::inferredValue()
 {
     if (!isFat())
-        return false;
-    WatchpointSet* watchpoints = fatEntry()->m_watchpoints.get();
-    if (!watchpoints)
-        return false;
-    return watchpoints->state() == IsWatched;
+        return JSValue();
+    return fatEntry()->m_watchpoints->inferredValue();
 }
 
-void SymbolTableEntry::prepareToWatch(WatchState state)
+void SymbolTableEntry::prepareToWatch()
 {
     FatEntry* entry = inflate();
     ASSERT(!entry->m_watchpoints);
-    entry->m_watchpoints = adoptRef(
-        new WatchpointSet(state == AlreadyInitialized ? IsWatched : ClearWatchpoint));
+    entry->m_watchpoints = adoptRef(new VariableWatchpointSet());
 }
 
 void SymbolTableEntry::addWatchpoint(Watchpoint* watchpoint)
 {
-    ASSERT(couldBeWatched());
     fatEntry()->m_watchpoints->add(watchpoint);
 }
 
-void SymbolTableEntry::notifyWriteSlow()
+void SymbolTableEntry::notifyWriteSlow(JSValue value)
 {
-    WatchpointSet* watchpoints = fatEntry()->m_watchpoints.get();
+    VariableWatchpointSet* watchpoints = fatEntry()->m_watchpoints.get();
     if (!watchpoints)
         return;
     
-    watchpoints->notifyWrite();
+    watchpoints->notifyWrite(value);
 }
 
@@ -109 +104 @@
 
 SymbolTable::~SymbolTable() { }
+
+void SymbolTable::visitChildren(JSCell* thisCell, SlotVisitor& visitor)
+{
+    SymbolTable* thisSymbolTable = jsCast<SymbolTable*>(thisCell);
+    if (!thisSymbolTable->m_watchpointCleanup) {
+        thisSymbolTable->m_watchpointCleanup =
+            std::make_unique<WatchpointCleanup>(thisSymbolTable);
+    }
+    
+    visitor.addUnconditionalFinalizer(thisSymbolTable->m_watchpointCleanup.get());
+}
+
+SymbolTable::WatchpointCleanup::WatchpointCleanup(SymbolTable* symbolTable)
+    : m_symbolTable(symbolTable)
+{
+}
+
+SymbolTable::WatchpointCleanup::~WatchpointCleanup() { }
+
+void SymbolTable::WatchpointCleanup::finalizeUnconditionally()
+{
+    Map::iterator iter = m_symbolTable->m_map.begin();
+    Map::iterator end = m_symbolTable->m_map.end();
+    for (; iter != end; ++iter) {
+        if (VariableWatchpointSet* set = iter->value.watchpointSet())
+            set->finalizeUnconditionally();
+    }
+}
 
 SymbolTable* SymbolTable::clone(VM& vm)

trunk/Source/JavaScriptCore/runtime/SymbolTable.h

@@ -32 +32 @@
 #include "ConcurrentJITLock.h"
 #include "JSObject.h"
-#include "Watchpoint.h"
+#include "VariableWatchpointSet.h"
 #include <memory>
 #include <wtf/HashTraits.h>
@@ -38 +38 @@
 
 namespace JSC {
-
-class Watchpoint;
-class WatchpointSet;
 
 struct SlowArgument {
@@ -80 +77 @@
 // WatchpointSet will manifest in all copies. Here's a picture:
 //
-// SymbolTableEntry --> FatEntry --> WatchpointSet
+// SymbolTableEntry --> FatEntry --> VariableWatchpointSet
 //
 // If you make a copy of a SymbolTableEntry, you will have:
 //
-// original: SymbolTableEntry --> FatEntry --> WatchpointSet
+// original: SymbolTableEntry --> FatEntry --> VariableWatchpointSet
 // copy:     SymbolTableEntry --> FatEntry -----^
 
@@ -219 +216 @@
     }
     
-    bool couldBeWatched();
-    
-    enum WatchState { NotInitialized, AlreadyInitialized };
-    void prepareToWatch(WatchState);
+    JSValue inferredValue();
+    
+    void prepareToWatch();
     
     void addWatchpoint(Watchpoint*);
     
-    WatchpointSet* watchpointSet()
+    VariableWatchpointSet* watchpointSet()
     {
         if (!isFat())
@@ -233 +229 @@
     }
     
-    ALWAYS_INLINE void notifyWrite()
+    ALWAYS_INLINE void notifyWrite(JSValue value)
     {
         if (LIKELY(!isFat()))
             return;
-        notifyWriteSlow();
+        notifyWriteSlow(value);
     }
     
@@ -257 +253 @@
         intptr_t m_bits; // always has FatFlag set and exactly matches what the bits would have been if this wasn't fat.
         
-        RefPtr<WatchpointSet> m_watchpoints;
+        RefPtr<VariableWatchpointSet> m_watchpoints;
     };
     
     SymbolTableEntry& copySlow(const SymbolTableEntry&);
-    JS_EXPORT_PRIVATE void notifyWriteSlow();
+    JS_EXPORT_PRIVATE void notifyWriteSlow(JSValue);
     
     bool isFat() const
@@ -469 +465 @@
     SymbolTable* clone(VM&);
 
+    static void visitChildren(JSCell*, SlotVisitor&);
+
     DECLARE_EXPORT_INFO;
 
 private:
+    class WatchpointCleanup : public UnconditionalFinalizer {
+    public:
+        WatchpointCleanup(SymbolTable*);
+        virtual ~WatchpointCleanup();
+        
+    protected:
+        virtual void finalizeUnconditionally() OVERRIDE;
+
+    private:
+        SymbolTable* m_symbolTable;
+    };
+    
     JS_EXPORT_PRIVATE SymbolTable(VM&);
     ~SymbolTable();
@@ -484 +494 @@
 
     std::unique_ptr<SlowArgument[]> m_slowArguments;
+    
+    std::unique_ptr<WatchpointCleanup> m_watchpointCleanup;
 
 public: