Changeset 176479 in webkit

Timestamp:

Nov 21, 2014 3:41:26 PM (9 years ago)

Author:

msaboff@apple.com

Message:

Allocate local ScopeChain register
​https://bugs.webkit.org/show_bug.cgi?id=138793

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Now we allocate the scope register as a local. The allocated register is stored in the
CodeBlock for use by other components. Update the DFG to work with a local scope register.
Changed usage of JSStack::ScopeChain access to the CallFrame header to use the allocated
local register.

• bytecode/BytecodeUseDef.h:

(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
Updated to properly represent the operand inputs and bytecode result.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::CodeBlock):

• bytecode/CodeBlock.h:

(JSC::CodeBlock::setScopeRegister):
(JSC::CodeBlock::scopeRegister):

• bytecode/UnlinkedCodeBlock.h:

(JSC::UnlinkedCodeBlock::setScopeRegister):
(JSC::UnlinkedCodeBlock::scopeRegister):
Added scope register member and accessors.

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::allocateAndEmitScope):

• bytecompiler/BytecodeGenerator.h:

(JSC::BytecodeGenerator::scopeRegister):
Change m_scopeRegister to an allocated register. Added allocateAndEmitScope helper to
allocate the scope register, set the CodeBlock with its value and emit op_get_scope.

• debugger/DebuggerCallFrame.cpp:

(JSC::DebuggerCallFrame::scope): Changed to access the scope using the new convention.

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::get):
(JSC::DFG::ByteCodeParser::flush):
(JSC::DFG::ByteCodeParser::inlineCall):
(JSC::DFG::ByteCodeParser::parseBlock):
Changed op_create_lexical_environment to set the scope VirtualRegister operand.
Filled out op_get_scope processing to emit a GetScope node putting the result in
the scope VirtualRegister result operand.
Added Phantoms where appropriate to keep the Scope register alive in places where
it use is optimized away, but where the baseline JIT would need to use its value.
Eliminated uses of JSStack::ScopeChain.

• dfg/DFGStackLayoutPhase.cpp:

(JSC::DFG::StackLayoutPhase::run):
Make sure that the scope register stack location is allocated using the same place
that the codeBlock expects.

• dfg/DFGStrengthReductionPhase.cpp:

(JSC::DFG::StrengthReductionPhase::handleNode):
Allow strength reduction of Flush to skip of GetScope nodes looking for a prior
corresponding SetLocal.

• interpreter/CallFrame.h:

(JSC::ExecState::scope):
(JSC::ExecState::setScope):
Added new scope() and setScope() helpers that take a VirtualRegister offset.

• interpreter/Interpreter.cpp:

(JSC::eval):
Changed eval() to get the scope from the caller's scope register instead of from the
temporary frame created for eval.

• interpreter/Interpreter.cpp:

(JSC::Interpreter::unwind):
Changed unwind() to manipulate the scope n the allocated register instead of from the
call frame slot.

• interpreter/StackVisitor.cpp:

(JSC::StackVisitor::readNonInlinedFrame):
(JSC::StackVisitor::readInlinedFrame):

• interpreter/StackVisitor.h:

(JSC::StackVisitor::Frame::callee):
(JSC::StackVisitor::Frame::scope): Deleted.
Eliminated the scope member as it needed to change and no StackVisitor users use it.

• jit/JITOperations.cpp:

(JSC::operationPushNameScope):
(JSC::operationPushWithScope):

• runtime/JSNameScope.h:

(JSC::JSNameScope::create):

• runtime/JSWithScope.h:

(JSC::JSWithScope::create): Deleted.

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):
Deleted JSNameScope::create() and JSWithScope::create() flavors tht used the ScopeChain slot
in the CallFrame header. Changed the only user of these function, op_push_name_scope and
op_push_with_scope helpers, to use the remaining create variants that require explicit scope.
Those operations get the scope from the register pointed to by their scope operands.

• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:

Changed resolveScope to use the allocated register.

LayoutTests:

New test that sets a breakpoint in a callee of a DFG caller. While stopped in the
breakpoint, it modifies a global via the scope chain of the DFG caller as well as
a local of the DFG caller.

• inspector-protocol/debugger/resources/breakpoint.js:

(notInlineable3):
(dfgWithoutInline3):

• inspector-protocol/debugger/setBreakpoint-dfg-callee-and-examine-dfg-local-expected.txt: Added.
• inspector-protocol/debugger/setBreakpoint-dfg-callee-and-examine-dfg-local.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/inspector-protocol/debugger/resources/breakpoint.js (modified) (1 diff)
• LayoutTests/inspector-protocol/debugger/setBreakpoint-dfg-callee-and-examine-dfg-local-expected.txt (added)
• LayoutTests/inspector-protocol/debugger/setBreakpoint-dfg-callee-and-examine-dfg-local.html (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/BytecodeUseDef.h (modified) (8 diffs)
• Source/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (2 diffs)
• Source/JavaScriptCore/bytecode/CodeBlock.h (modified) (3 diffs)
• Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h (modified) (3 diffs)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (7 diffs)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (modified) (3 diffs)
• Source/JavaScriptCore/debugger/DebuggerCallFrame.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (5 diffs)
• Source/JavaScriptCore/dfg/DFGStackLayoutPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/interpreter/CallFrame.h (modified) (2 diffs)
• Source/JavaScriptCore/interpreter/Interpreter.cpp (modified) (3 diffs)
• Source/JavaScriptCore/interpreter/StackVisitor.cpp (modified) (2 diffs)
• Source/JavaScriptCore/interpreter/StackVisitor.h (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITOperations.cpp (modified) (2 diffs)
• Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (modified) (3 diffs)
• Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSNameScope.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSWithScope.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2014-11-21  Michael Saboff  <msaboff@apple.com>
+
+        Allocate local ScopeChain register
+        https://bugs.webkit.org/show_bug.cgi?id=138793
+
+        Reviewed by Geoffrey Garen.
+
+        New test that sets a breakpoint in a callee of a DFG caller.  While stopped in the
+        breakpoint, it modifies a global via the scope chain of the DFG caller as well as
+        a local of the DFG caller.
+
+        * inspector-protocol/debugger/resources/breakpoint.js:
+        (notInlineable3):
+        (dfgWithoutInline3):
+        * inspector-protocol/debugger/setBreakpoint-dfg-callee-and-examine-dfg-local-expected.txt: Added.
+        * inspector-protocol/debugger/setBreakpoint-dfg-callee-and-examine-dfg-local.html: Added.
+
 2014-11-21  Glenn Adams  <glenn@skynav.com> and Myles C. Maxfield  <mmaxfield@apple.com>
 

trunk/LayoutTests/inspector-protocol/debugger/resources/breakpoint.js

@@ -92 +92 @@
 }
 
+function notInlineable3(x)
+{
+    var func = new Function("return x + 100;");
+    if (x == 1999)
+        breakpointBasic();
+    return x + 3;
+}
+
+var globalVal3 = 0;
+
+function dfgWithoutInline3()
+{
+    globalVal3 = 0;
+    var i;
+    var result = 0;
+    var localVal3 = 0;
+    for (i = 0; i < 2000; i++)
+        result += notInlineable3(i);
+    if (globalVal3)
+        result = globalVal3 + localVal3;
+    log("result: " + result);
+}

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2014-11-21  Michael Saboff  <msaboff@apple.com>
+
+        Allocate local ScopeChain register
+        https://bugs.webkit.org/show_bug.cgi?id=138793
+
+        Reviewed by Geoffrey Garen.
+
+        Now we allocate the scope register as a local.  The allocated register is stored in the 
+        CodeBlock for use by other components.  Update the DFG to work with a local scope register.
+        Changed usage of JSStack::ScopeChain access to the CallFrame header to use the allocated
+        local register.
+
+        * bytecode/BytecodeUseDef.h:
+        (JSC::computeUsesForBytecodeOffset):
+        (JSC::computeDefsForBytecodeOffset):
+        Updated to properly represent the operand inputs and bytecode result.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::CodeBlock):
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::setScopeRegister):
+        (JSC::CodeBlock::scopeRegister):
+        * bytecode/UnlinkedCodeBlock.h:
+        (JSC::UnlinkedCodeBlock::setScopeRegister):
+        (JSC::UnlinkedCodeBlock::scopeRegister):
+        Added scope register member and accessors.
+
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::BytecodeGenerator):
+        (JSC::BytecodeGenerator::allocateAndEmitScope):
+        * bytecompiler/BytecodeGenerator.h:
+        (JSC::BytecodeGenerator::scopeRegister):
+        Change m_scopeRegister to an allocated register.  Added allocateAndEmitScope helper to
+        allocate the scope register, set the CodeBlock with its value and emit op_get_scope.
+
+        * debugger/DebuggerCallFrame.cpp:
+        (JSC::DebuggerCallFrame::scope): Changed to access the scope using the new convention.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::get):
+        (JSC::DFG::ByteCodeParser::flush):
+        (JSC::DFG::ByteCodeParser::inlineCall):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        Changed op_create_lexical_environment to set the scope VirtualRegister operand.
+        Filled out op_get_scope processing to emit a GetScope node putting the result in
+        the scope VirtualRegister result operand.
+        Added Phantoms where appropriate to keep the Scope register alive in places where
+        it use is optimized away, but where the baseline JIT would need to use its value.
+        Eliminated uses of JSStack::ScopeChain.
+
+        * dfg/DFGStackLayoutPhase.cpp:
+        (JSC::DFG::StackLayoutPhase::run):
+        Make sure that the scope register stack location is allocated using the same place
+        that the codeBlock expects. 
+
+        * dfg/DFGStrengthReductionPhase.cpp:
+        (JSC::DFG::StrengthReductionPhase::handleNode):
+        Allow strength reduction of Flush to skip of GetScope nodes looking for a prior
+        corresponding SetLocal.
+
+        * interpreter/CallFrame.h:
+        (JSC::ExecState::scope):
+        (JSC::ExecState::setScope):
+        Added new scope() and setScope() helpers that take a VirtualRegister offset.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::eval):
+        Changed eval() to get the scope from the caller's scope register instead of from the
+        temporary frame created for eval.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::unwind):
+        Changed unwind() to manipulate the scope n the allocated register instead of from the
+        call frame slot.
+
+        * interpreter/StackVisitor.cpp:
+        (JSC::StackVisitor::readNonInlinedFrame):
+        (JSC::StackVisitor::readInlinedFrame):
+        * interpreter/StackVisitor.h:
+        (JSC::StackVisitor::Frame::callee):
+        (JSC::StackVisitor::Frame::scope): Deleted.
+        Eliminated the scope member as it needed to change and no StackVisitor users use it.
+
+        * jit/JITOperations.cpp:
+        (JSC::operationPushNameScope):
+        (JSC::operationPushWithScope):
+        * runtime/JSNameScope.h:
+        (JSC::JSNameScope::create):
+        * runtime/JSWithScope.h:
+        (JSC::JSWithScope::create): Deleted.
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        Deleted JSNameScope::create() and JSWithScope::create() flavors tht used the ScopeChain slot
+        in the CallFrame header.  Changed the only user of these function, op_push_name_scope and
+        op_push_with_scope helpers, to use the remaining create variants that require explicit scope.  
+        Those operations get the scope from the register pointed to by their scope operands.
+
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        Changed resolveScope to use the allocated register.
+
 2014-11-21  Csaba Osztrogonác  <ossy@webkit.org>
 

trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h

@@ -45 +45 @@
     case op_throw_static_error:
     case op_debug:
-    case op_resolve_scope:
-    case op_pop_scope:
     case op_jneq_ptr:
-    case op_new_func_exp:
     case op_loop_hint:
     case op_jmp:
@@ -58 +55 @@
     case op_touch_entry:
         return;
-    case op_new_func:
-    case op_create_lexical_environment: 
+    case op_create_lexical_environment:
     case op_get_scope:
     case op_create_arguments:
     case op_to_this:
+    case op_pop_scope:
     case op_profile_will_call:
     case op_profile_did_call:
     case op_profile_type:
     case op_throw:
-    case op_push_with_scope:
     case op_end:
     case op_ret:
@@ -79 +75 @@
         return;
     }
+    case op_new_func:
     case op_ret_object_or_this:
     case op_jlesseq:
@@ -118 +115 @@
     }
     case op_get_enumerable_length:
+    case op_new_func_exp:
     case op_to_index_string:
     case op_init_global_const_nop:
     case op_init_global_const:
     case op_push_name_scope:
+    case op_push_with_scope:
+    case op_resolve_scope:
     case op_get_from_scope:
     case op_to_primitive:
@@ -245 +245 @@
     case op_init_global_const:
     case op_init_global_const_nop:
-    case op_push_name_scope:
-    case op_push_with_scope:
     case op_put_to_scope:
-    case op_pop_scope:
     case op_end:
     case op_profile_will_call:
@@ -302 +299 @@
     case op_get_structure_property_enumerator:
     case op_next_enumerator_pname:
+    case op_pop_scope:
+    case op_push_name_scope:
+    case op_push_with_scope:
     case op_resolve_scope:
     case op_strcat:
@@ -366 +366 @@
     case op_get_callee:
     case op_init_lazy_reg:
-    case op_create_lexical_environment:
     case op_get_scope:
     case op_create_arguments:
@@ -375 +374 @@
         return;
     }
+    case op_create_lexical_environment: {
+        functor(codeBlock, instruction, opcodeID, instruction[1].u.operand);
+        functor(codeBlock, instruction, opcodeID, instruction[2].u.operand);
+        return;
+    }
     case op_enter: {
         for (unsigned i = codeBlock->m_numVars; i--;)

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -1631 +1631 @@
     , m_instructions(other.m_instructions)
     , m_thisRegister(other.m_thisRegister)
+    , m_scopeRegister(other.m_scopeRegister)
     , m_argumentsRegister(other.m_argumentsRegister)
     , m_lexicalEnvironmentRegister(other.m_lexicalEnvironmentRegister)
@@ -1690 +1691 @@
     , m_vm(unlinkedCodeBlock->vm())
     , m_thisRegister(unlinkedCodeBlock->thisRegister())
+    , m_scopeRegister(unlinkedCodeBlock->scopeRegister())
     , m_argumentsRegister(unlinkedCodeBlock->argumentsRegister())
     , m_lexicalEnvironmentRegister(unlinkedCodeBlock->activationRegister())

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -324 +324 @@
     bool usesEval() const { return m_unlinkedCode->usesEval(); }
 
+    void setScopeRegister(VirtualRegister scopeRegister)
+    {
+        m_scopeRegister = scopeRegister;
+    }
+
+    VirtualRegister scopeRegister() const
+    {
+        ASSERT(m_scopeRegister.isValid());
+        return m_scopeRegister;
+    }
+
     void setArgumentsRegister(VirtualRegister argumentsRegister)
     {
@@ -341 +352 @@
         return argumentsRegister();
     }
+
     void setActivationRegister(VirtualRegister activationRegister)
     {
@@ -1033 +1045 @@
     WriteBarrier<SymbolTable> m_symbolTable;
     VirtualRegister m_thisRegister;
+    VirtualRegister m_scopeRegister;
     VirtualRegister m_argumentsRegister;
     VirtualRegister m_lexicalEnvironmentRegister;

trunk/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h

@@ -283 +283 @@
     // Special registers
     void setThisRegister(VirtualRegister thisRegister) { m_thisRegister = thisRegister; }
+    void setScopeRegister(VirtualRegister scopeRegister) { m_scopeRegister = scopeRegister; }
     void setActivationRegister(VirtualRegister activationRegister) { m_lexicalEnvironmentRegister = activationRegister; }
 
@@ -430 +431 @@
 
     VirtualRegister thisRegister() const { return m_thisRegister; }
+    VirtualRegister scopeRegister() const { return m_scopeRegister; }
     VirtualRegister activationRegister() const { return m_lexicalEnvironmentRegister; }
     bool hasActivationRegister() const { return m_lexicalEnvironmentRegister.isValid(); }
@@ -521 +523 @@
     VirtualRegister m_thisRegister;
     VirtualRegister m_argumentsRegister;
+    VirtualRegister m_scopeRegister;
     VirtualRegister m_lexicalEnvironmentRegister;
     VirtualRegister m_globalObjectRegister;

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -165 +165 @@
     , m_codeBlock(vm, codeBlock)
     , m_thisRegister(CallFrame::thisArgumentOffset())
-    , m_scopeRegister(JSStack::ScopeChain)
+    , m_scopeRegister(0)
     , m_lexicalEnvironmentRegister(0)
     , m_emptyValueRegister(0)
@@ -191 +191 @@
     emitOpcode(op_enter);
 
-    emitGetScope();
+    allocateAndEmitScope();
 
     const VarStack& varStack = programNode->varStack();
@@ -213 +213 @@
     , m_scopeNode(functionBody)
     , m_codeBlock(vm, codeBlock)
-    , m_scopeRegister(JSStack::ScopeChain)
+    , m_scopeRegister(0)
     , m_lexicalEnvironmentRegister(0)
     , m_emptyValueRegister(0)
@@ -252 +252 @@
     emitOpcode(op_enter);
 
-    emitGetScope();
+    allocateAndEmitScope();
 
     if (m_codeBlock->needsFullScopeChain() || m_shouldEmitDebugHooks) {
@@ -453 +453 @@
     , m_codeBlock(vm, codeBlock)
     , m_thisRegister(CallFrame::thisArgumentOffset())
-    , m_scopeRegister(JSStack::ScopeChain)
+    , m_scopeRegister(0)
     , m_lexicalEnvironmentRegister(0)
     , m_emptyValueRegister(0)
@@ -480 +480 @@
     emitOpcode(op_enter);
 
-    emitGetScope();
+    allocateAndEmitScope();
 
     const DeclarationStacks::FunctionStack& functionStack = evalNode->functionStack();
@@ -2217 +2217 @@
     }
     return LabelScopePtr::null();
+}
+
+void BytecodeGenerator::allocateAndEmitScope()
+{
+    m_scopeRegister = addVar();
+    m_scopeRegister->ref();
+    m_codeBlock->setScopeRegister(scopeRegister()->virtualRegister());
+    emitGetScope();
 }
 

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -291 +291 @@
         RegisterID* thisRegister() { return &m_thisRegister; }
         
-        RegisterID* scopeRegister() { return &m_scopeRegister; }
+        RegisterID* scopeRegister() { return m_scopeRegister; }
 
         // Returns the next available temporary register. Registers returned by
@@ -595 +595 @@
         ALWAYS_INLINE void rewindUnaryOp();
 
+        void allocateAndEmitScope();
         void emitComplexPopScopes(RegisterID*, ControlFlowContext* topScope, ControlFlowContext* bottomScope);
 
@@ -755 +756 @@
         RegisterID m_thisRegister;
         RegisterID m_calleeRegister;
-        RegisterID m_scopeRegister;
+        RegisterID* m_scopeRegister;
         RegisterID* m_lexicalEnvironmentRegister;
         RegisterID* m_emptyValueRegister;

trunk/Source/JavaScriptCore/debugger/DebuggerCallFrame.cpp

@@ -144 +144 @@
     if (!m_scope) {
         VM& vm = m_callFrame->vm();
+        JSScope* scope;
         CodeBlock* codeBlock = m_callFrame->codeBlock();
-        if (codeBlock && codeBlock->needsActivation() && !m_callFrame->hasActivation()) {
-            ASSERT(!m_callFrame->scope()->isWithScope());
-            JSLexicalEnvironment* lexicalEnvironment = JSLexicalEnvironment::create(vm, m_callFrame, codeBlock);
-            m_callFrame->setActivation(lexicalEnvironment);
-            m_callFrame->setScope(lexicalEnvironment);
-        }
-
-        m_scope.set(vm, DebuggerScope::create(vm, m_callFrame->scope()));
+        if (codeBlock && codeBlock->scopeRegister().isValid())
+            scope = m_callFrame->scope(codeBlock->scopeRegister().offset());
+        else
+            scope = jsCast<JSCallee*>(m_callFrame->callee())->scope();
+
+        m_scope.set(vm, DebuggerScope::create(vm, scope));
     }
     return m_scope.get();

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -263 +263 @@
                 if (operand.offset() == JSStack::Callee)
                     return weakJSConstant(callee);
-                if (operand.offset() == JSStack::ScopeChain)
+                if (operand == m_inlineStackTop->m_codeBlock->scopeRegister())
                     return weakJSConstant(callee->scope());
             }
         } else if (operand.offset() == JSStack::Callee)
             return addToGraph(GetCallee);
-        else if (operand.offset() == JSStack::ScopeChain)
-            return addToGraph(GetMyScope);
         
         return getDirect(m_inlineStackTop->remapOperand(operand));
@@ -527 +525 @@
         if (InlineCallFrame* inlineCallFrame = inlineStackEntry->m_inlineCallFrame) {
             numArguments = inlineCallFrame->arguments.size();
-            if (inlineCallFrame->isClosureCall) {
+            if (inlineCallFrame->isClosureCall)
                 flushDirect(inlineStackEntry->remapOperand(VirtualRegister(JSStack::Callee)));
-                flushDirect(inlineStackEntry->remapOperand(VirtualRegister(JSStack::ScopeChain)));
-            }
         } else
             numArguments = inlineStackEntry->m_codeBlock->numParameters();
@@ -1263 +1259 @@
         VariableAccessData* calleeVariable =
             set(VirtualRegister(JSStack::Callee), callTargetNode, ImmediateNakedSet)->variableAccessData();
-        VariableAccessData* scopeVariable =
-            set(VirtualRegister(JSStack::ScopeChain), addToGraph(GetScope, callTargetNode), ImmediateNakedSet)->variableAccessData();
         
         calleeVariable->mergeShouldNeverUnbox(true);
-        scopeVariable->mergeShouldNeverUnbox(true);
         
         inlineVariableData.calleeVariable = calleeVariable;
@@ -3196 +3189 @@
                     && lexicalEnvironment->symbolTable()->m_functionEnteredOnce.isStillValid()) {
                     addToGraph(FunctionReentryWatchpoint, OpInfo(lexicalEnvironment->symbolTable()));
+                    addToGraph(Phantom, getDirect(m_inlineStackTop->remapOperand(VirtualRegister(currentInstruction[2].u.operand))));
                     set(VirtualRegister(dst), weakJSConstant(lexicalEnvironment));
                     break;
                 }
                 set(VirtualRegister(dst), getScope(VirtualRegister(currentInstruction[2].u.operand), depth));
+                if (inlineCallFrame())
+                    addToGraph(Phantom, getDirect(m_inlineStackTop->remapOperand(VirtualRegister(currentInstruction[2].u.operand))));
                 break;
             }
@@ -3396 +3392 @@
             
         case op_create_lexical_environment: {
-            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(CreateActivation, get(VirtualRegister(currentInstruction[1].u.operand))));
+            Node* lexicalEnvironment = addToGraph(CreateActivation, get(VirtualRegister(currentInstruction[1].u.operand)));
+            set(VirtualRegister(currentInstruction[1].u.operand), lexicalEnvironment);
+            set(VirtualRegister(currentInstruction[2].u.operand), lexicalEnvironment);
             NEXT_OPCODE(op_create_lexical_environment);
         }
             
         case op_get_scope: {
+            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(GetScope, get(VirtualRegister(JSStack::Callee))));
             NEXT_OPCODE(op_get_scope);
         }

trunk/Source/JavaScriptCore/dfg/DFGStackLayoutPhase.cpp

@@ -169 +169 @@
         }
         
+        if (codeBlock()->scopeRegister().isValid()) {
+            codeBlock()->setScopeRegister(
+                virtualRegisterForLocal(allocation[codeBlock()->scopeRegister().toLocal()]));
+        }
+
         for (unsigned i = m_graph.m_inlineVariableData.size(); i--;) {
             InlineVariableData data = m_graph.m_inlineVariableData[i];

trunk/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp

@@ -256 +256 @@
                     case DoubleConstant:
                     case Int52Constant:
+                    case GetScope:
                         break;
                 

trunk/Source/JavaScriptCore/interpreter/CallFrame.h

@@ -52 +52 @@
         }
 
+        JSScope* scope(int scopeRegisterOffset) const
+        {
+            ASSERT(this[scopeRegisterOffset].Register::scope());
+            return this[scopeRegisterOffset].Register::scope();
+        }
+
         bool hasActivation() const;
         JSLexicalEnvironment* lexicalEnvironment() const;
@@ -187 +193 @@
         void setCallerFrame(CallFrame* frame) { callerFrameAndPC().callerFrame = frame; }
         void setScope(JSScope* scope) { static_cast<Register*>(this)[JSStack::ScopeChain] = scope; }
+        void setScope(int scopeRegisterOffset, JSScope* scope) { static_cast<Register*>(this)[scopeRegisterOffset] = scope; }
         void setActivation(JSLexicalEnvironment*);
 

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -106 +106 @@
     CallFrame* callerFrame = callFrame->callerFrame();
     CodeBlock* callerCodeBlock = callerFrame->codeBlock();
-    JSScope* callerScopeChain = callerFrame->scope();
+    JSScope* callerScopeChain = callerFrame->uncheckedR(callerCodeBlock->scopeRegister().offset()).Register::scope();
     EvalExecutable* eval = callerCodeBlock->evalCodeCache().tryGet(callerCodeBlock->isStrictMode(), programSource, callerScopeChain);
 
@@ -727 +727 @@
         ++targetScopeDepth;
 
-    JSScope* scope = callFrame->scope();
+    int scopeRegisterOffset = codeBlock->scopeRegister().offset();
+    JSScope* scope = callFrame->scope(scopeRegisterOffset);
     int scopeDelta = scope->depth() - targetScopeDepth;
     RELEASE_ASSERT(scopeDelta >= 0);
@@ -733 +734 @@
     while (scopeDelta--)
         scope = scope->next();
-    callFrame->setScope(scope);
+
+    callFrame->setScope(scopeRegisterOffset, scope);
 
     return handler;

trunk/Source/JavaScriptCore/interpreter/StackVisitor.cpp

@@ -122 +122 @@
     m_frame.m_callerIsVMEntryFrame = m_frame.m_CallerVMEntryFrame != m_frame.m_VMEntryFrame;
     m_frame.m_callee = callFrame->callee();
-    m_frame.m_scope = callFrame->scope();
     m_frame.m_codeBlock = callFrame->codeBlock();
     m_frame.m_bytecodeOffset = !m_frame.codeBlock() ? 0
@@ -156 +155 @@
 
         JSFunction* callee = inlineCallFrame->calleeForCallFrame(callFrame);
-        m_frame.m_scope = callee->scope();
         m_frame.m_callee = callee;
-        ASSERT(m_frame.scope());
         ASSERT(m_frame.callee());
 

trunk/Source/JavaScriptCore/interpreter/StackVisitor.h

@@ -61 +61 @@
         CallFrame* callerFrame() const { return m_callerFrame; }
         JSObject* callee() const { return m_callee; }
-        JSScope* scope() const { return m_scope; }
         CodeBlock* codeBlock() const { return m_codeBlock; }
         unsigned bytecodeOffset() const { return m_bytecodeOffset; }
@@ -102 +101 @@
         CallFrame* m_callerFrame;
         JSObject* m_callee;
-        JSScope* m_scope;
         CodeBlock* m_codeBlock;
         unsigned m_bytecodeOffset;

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -1314 +1314 @@
     NativeCallFrameTracer tracer(&vm, exec);
 
+    // FIXME: This won't work if this operation is called from the DFG or FTL.
+    // This should be changed to pass in the new scope.
+    JSScope* currentScope = exec->uncheckedR(dst).Register::scope();
     JSNameScope::Type scopeType = static_cast<JSNameScope::Type>(type);
-    JSNameScope* scope = JSNameScope::create(exec, *identifier, JSValue::decode(encodedValue), attibutes, scopeType);
-
+    JSNameScope* scope = JSNameScope::create(exec, currentScope, *identifier, JSValue::decode(encodedValue), attibutes, scopeType);
+
+    // FIXME: This won't work if this operation is called from the DFG or FTL.
+    // This should be changed to return the new scope.
     exec->uncheckedR(dst) = scope;
 }
@@ -1341 +1346 @@
         return;
 
-    exec->uncheckedR(dst) = JSWithScope::create(exec, o);
+    // FIXME: This won't work if this operation is called from the DFG or FTL.
+    // This should be changed to pass in the old scope and return the new scope.
+    JSScope* currentScope = exec->uncheckedR(dst).Register::scope();
+    exec->uncheckedR(dst) = JSWithScope::create(exec, o, currentScope);
 }
 

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -1236 +1236 @@
     execCallee->setCallerFrame(exec);
     execCallee->uncheckedR(JSStack::Callee) = calleeAsValue;
-    execCallee->setScope(exec->scope());
+    JSScope* callerScope = exec->uncheckedR(exec->codeBlock()->scopeRegister().offset()).Register::scope();
+    execCallee->setScope(callerScope);
     execCallee->setReturnPC(LLInt::getCodePtr(llint_generic_return_point));
     execCallee->setCodeBlock(0);
@@ -1276 +1277 @@
     LLINT_CHECK_EXCEPTION();
 
-    exec->uncheckedR(pc[1].u.operand) = JSWithScope::create(exec, o);
+    int scopeReg = pc[1].u.operand;
+    JSScope* currentScope = exec->uncheckedR(scopeReg).Register::scope();
+    exec->uncheckedR(scopeReg) = JSWithScope::create(exec, o, currentScope);
     
     LLINT_END();
@@ -1294 +1297 @@
     LLINT_BEGIN();
     CodeBlock* codeBlock = exec->codeBlock();
+    int scopeReg = pc[1].u.operand;
+    JSScope* currentScope = exec->uncheckedR(scopeReg).Register::scope();
     JSNameScope::Type type = static_cast<JSNameScope::Type>(pc[5].u.operand);
-    JSNameScope* scope = JSNameScope::create(exec, codeBlock->identifier(pc[2].u.operand), LLINT_OP(3).jsValue(), pc[4].u.operand, type);
-    exec->uncheckedR(pc[1].u.operand) = scope;
+    JSNameScope* scope = JSNameScope::create(exec, currentScope, codeBlock->identifier(pc[2].u.operand), LLINT_OP(3).jsValue(), pc[4].u.operand, type);
+    exec->uncheckedR(scopeReg) = scope;
     LLINT_END();
 }

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -2172 +2172 @@
     loadisFromInstruction(5, t2)
 
-    loadp ScopeChain + PayloadOffset[cfr], t0
+    loadisFromInstruction(2, t0)
+    loadp PayloadOffset[cfr, t0, 8], t0
     btiz t2, .resolveScopeLoopEnd
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -2001 +2001 @@
 
 macro resolveScope()
-    loadp CodeBlock[cfr], t0
     loadisFromInstruction(5, t2)
-    loadp ScopeChain[cfr], t0
+    loadisFromInstruction(2, t0)
+    loadp [cfr, t0, 8], t0
     btiz t2, .resolveScopeLoopEnd
 

trunk/Source/JavaScriptCore/runtime/JSNameScope.h

@@ -42 +42 @@
     };
 
-    static JSNameScope* create(ExecState* exec, const Identifier& identifier, JSValue value, unsigned attributes, Type type)
+    static JSNameScope* create(ExecState* exec, JSScope* currentScope, const Identifier& identifier, JSValue value, unsigned attributes, Type type)
     {
         VM& vm = exec->vm();
-        JSNameScope* scopeObject = new (NotNull, allocateCell<JSNameScope>(vm.heap)) JSNameScope(vm, exec->lexicalGlobalObject(), exec->scope(), type);
+        JSNameScope* scopeObject = new (NotNull, allocateCell<JSNameScope>(vm.heap)) JSNameScope(vm, exec->lexicalGlobalObject(), currentScope, type);
         scopeObject->finishCreation(vm, identifier, value, attributes);
         return scopeObject;

trunk/Source/JavaScriptCore/runtime/JSWithScope.h

@@ -34 +34 @@
 public:
     typedef JSScope Base;
-
-    static JSWithScope* create(ExecState* exec, JSObject* object)
-    {
-        JSWithScope* withScope = new (NotNull, allocateCell<JSWithScope>(*exec->heap())) JSWithScope(exec, object);
-        withScope->finishCreation(exec->vm());
-        return withScope;
-    }
 
     static JSWithScope* create(ExecState* exec, JSObject* object, JSScope* next)