Changeset 192814 in webkit

Timestamp:

Nov 30, 2015 12:36:54 PM (8 years ago)

Author:

sbarati@apple.com

Message:

implement op_get_rest_length so that we can allocate the rest array with the right size from the start
​https://bugs.webkit.org/show_bug.cgi?id=151467

Reviewed by Geoffrey Garen and Mark Lam.

This patch implements op_get_rest_length which returns the length
that the rest parameter array will be. We're implementing this because
it might be a constant value in the presence of inlining in the DFG.
We will take advantage of this optimization opportunity in a future patch:
​https://bugs.webkit.org/show_bug.cgi?id=151454
to emit better code for op_copy_rest.

op_get_rest_length has two operands:
1) a destination
2) A constant indicating the number of parameters to skip when copying the rest array.

op_get_rest_length lowers to a JSConstant node when we're inlined
and not a varargs call (in this case, we statically know the arguments
length). When that condition isn't met, we lower op_get_rest_length to
GetRestArray. GetRestArray produces its result as an int32.

• bytecode/BytecodeList.json:
• bytecode/BytecodeUseDef.h:

(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dumpBytecode):

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitNewArray):
(JSC::BytecodeGenerator::emitNewArrayWithSize):
(JSC::BytecodeGenerator::emitNewFunction):
(JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
(JSC::BytecodeGenerator::emitRestParameter):

• bytecompiler/BytecodeGenerator.h:
• bytecompiler/NodesCodegen.cpp:

(JSC::RestParameterNode::emit):

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGCapabilities.cpp:

(JSC::DFG::capabilityLevel):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGMayExit.cpp:

(JSC::DFG::mayExit):

• dfg/DFGNode.h:

(JSC::DFG::Node::numberOfArgumentsToSkip):

• dfg/DFGNodeType.h:
• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileCopyRest):
(JSC::DFG::SpeculativeJIT::compileGetRestLength):
(JSC::DFG::SpeculativeJIT::compileNotifyWrite):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callOperation):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
(JSC::FTL::DFG::LowerDFGToLLVM::compileCopyRest):
(JSC::FTL::DFG::LowerDFGToLLVM::compileGetRestLength):
(JSC::FTL::DFG::LowerDFGToLLVM::compileNewObject):

• jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):

• jit/JIT.h:
• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_copy_rest):
(JSC::JIT::emit_op_get_rest_length):

• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/BytecodeList.json (modified) (1 diff)
• bytecode/BytecodeUseDef.h (modified) (4 diffs)
• bytecode/CodeBlock.cpp (modified) (1 diff)
• bytecompiler/BytecodeGenerator.cpp (modified) (3 diffs)
• bytecompiler/BytecodeGenerator.h (modified) (1 diff)
• bytecompiler/NodesCodegen.cpp (modified) (1 diff)
• dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
• dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• dfg/DFGCapabilities.cpp (modified) (1 diff)
• dfg/DFGClobberize.h (modified) (1 diff)
• dfg/DFGDoesGC.cpp (modified) (1 diff)
• dfg/DFGFixupPhase.cpp (modified) (2 diffs)
• dfg/DFGMayExit.cpp (modified) (1 diff)
• dfg/DFGNode.h (modified) (1 diff)
• dfg/DFGNodeType.h (modified) (1 diff)
• dfg/DFGOperations.cpp (modified) (1 diff)
• dfg/DFGOperations.h (modified) (1 diff)
• dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• dfg/DFGSafeToExecute.h (modified) (1 diff)
• dfg/DFGSpeculativeJIT.cpp (modified) (2 diffs)
• dfg/DFGSpeculativeJIT.h (modified) (2 diffs)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• ftl/FTLCapabilities.cpp (modified) (1 diff)
• ftl/FTLLowerDFGToLLVM.cpp (modified) (2 diffs)
• jit/JIT.cpp (modified) (1 diff)
• jit/JIT.h (modified) (1 diff)
• jit/JITOpcodes.cpp (modified) (1 diff)
• llint/LowLevelInterpreter.asm (modified) (1 diff)
• llint/LowLevelInterpreter32_64.asm (modified) (1 diff)
• llint/LowLevelInterpreter64.asm (modified) (1 diff)
• runtime/CommonSlowPaths.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-11-30  Saam barati  <sbarati@apple.com>
+
+        implement op_get_rest_length so that we can allocate the rest array with the right size from the start
+        https://bugs.webkit.org/show_bug.cgi?id=151467
+
+        Reviewed by Geoffrey Garen and Mark Lam.
+
+        This patch implements op_get_rest_length which returns the length
+        that the rest parameter array will be. We're implementing this because
+        it might be a constant value in the presence of inlining in the DFG.
+        We will take advantage of this optimization opportunity in a future patch:
+        https://bugs.webkit.org/show_bug.cgi?id=151454
+        to emit better code for op_copy_rest.
+
+        op_get_rest_length has two operands: 
+        1) a destination
+        2) A constant indicating the number of parameters to skip when copying the rest array.
+
+        op_get_rest_length lowers to a JSConstant node when we're inlined
+        and not a varargs call (in this case, we statically know the arguments
+        length). When that condition isn't met, we lower op_get_rest_length to 
+        GetRestArray. GetRestArray produces its result as an int32.
+
+        * bytecode/BytecodeList.json:
+        * bytecode/BytecodeUseDef.h:
+        (JSC::computeUsesForBytecodeOffset):
+        (JSC::computeDefsForBytecodeOffset):
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::dumpBytecode):
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitNewArray):
+        (JSC::BytecodeGenerator::emitNewArrayWithSize):
+        (JSC::BytecodeGenerator::emitNewFunction):
+        (JSC::BytecodeGenerator::emitExpectedFunctionSnippet):
+        (JSC::BytecodeGenerator::emitRestParameter):
+        * bytecompiler/BytecodeGenerator.h:
+        * bytecompiler/NodesCodegen.cpp:
+        (JSC::RestParameterNode::emit):
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGCapabilities.cpp:
+        (JSC::DFG::capabilityLevel):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGMayExit.cpp:
+        (JSC::DFG::mayExit):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::numberOfArgumentsToSkip):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileCopyRest):
+        (JSC::DFG::SpeculativeJIT::compileGetRestLength):
+        (JSC::DFG::SpeculativeJIT::compileNotifyWrite):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callOperation):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileCopyRest):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileGetRestLength):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileNewObject):
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileMainPass):
+        * jit/JIT.h:
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_copy_rest):
+        (JSC::JIT::emit_op_get_rest_length):
+        * llint/LowLevelInterpreter.asm:
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+
 2015-11-30  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/BytecodeList.json

@@ -130 +130 @@
             { "name" : "op_load_arrowfunction_this", "length" : 2 },
             { "name" : "op_assert", "length" : 3 },
-            { "name" : "op_copy_rest", "length": 3 }
+            { "name" : "op_copy_rest", "length": 4 },
+            { "name" : "op_get_rest_length", "length": 3 }
         ]
     },

trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h

@@ -54 +54 @@
     case op_create_direct_arguments:
     case op_create_out_of_band_arguments:
+    case op_get_rest_length:
         return;
     case op_assert:
@@ -71 +72 @@
     case op_jneq_null:
     case op_dec:
-    case op_inc: 
-    case op_copy_rest: {
+    case op_inc: {
         functor(codeBlock, instruction, opcodeID, instruction[1].u.operand);
         return;
@@ -83 +83 @@
     case op_jngreater:
     case op_jngreatereq:
-    case op_jless: {
+    case op_jless:
+    case op_copy_rest: {
         functor(codeBlock, instruction, opcodeID, instruction[1].u.operand);
         functor(codeBlock, instruction, opcodeID, instruction[2].u.operand);
@@ -378 +379 @@
     case op_del_by_val:
     case op_unsigned:
-    case op_get_from_arguments: {
+    case op_get_from_arguments: 
+    case op_get_rest_length: {
         functor(codeBlock, instruction, opcodeID, instruction[1].u.operand);
         return;

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -784 +784 @@
         case op_copy_rest: {
             int r0 = (++it)->u.operand;
+            int r1 = (++it)->u.operand;
+            unsigned argumentOffset = (++it)->u.unsignedValue;
             printLocationAndOp(out, exec, location, it, "copy_rest");
+            out.printf("%s, %s, ", registerName(r0).data(), registerName(r1).data());
+            out.printf("ArgumentsOffset: %u", argumentOffset);
+            break;
+        }
+        case op_get_rest_length: {
+            int r0 = (++it)->u.operand;
+            printLocationAndOp(out, exec, location, it, "get_rest_length");
             out.printf("%s, ", registerName(r0).data());
             unsigned argumentOffset = (++it)->u.unsignedValue;

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -2472 +2472 @@
 }
 
+RegisterID* BytecodeGenerator::emitNewArrayWithSize(RegisterID* dst, RegisterID* length)
+{
+    emitOpcode(op_new_array_with_size);
+    instructions().append(dst->index());
+    instructions().append(length->index());
+    instructions().append(newArrayAllocationProfile());
+
+    return dst;
+}
+
 RegisterID* BytecodeGenerator::emitNewFunction(RegisterID* dst, FunctionMetadataNode* function)
 {
@@ -2601 +2611 @@
         
         if (dst != ignoredResult()) {
-            if (callArguments.argumentCountIncludingThis() == 2) {
-                emitOpcode(op_new_array_with_size);
-                instructions().append(dst->index());
-                instructions().append(callArguments.argumentRegister(0)->index());
-                instructions().append(newArrayAllocationProfile());
-            } else {
+            if (callArguments.argumentCountIncludingThis() == 2)
+                emitNewArrayWithSize(dst, callArguments.argumentRegister(0));
+            else {
                 ASSERT(callArguments.argumentCountIncludingThis() == 1);
                 emitOpcode(op_new_array);
@@ -3834 +3841 @@
 RegisterID* BytecodeGenerator::emitRestParameter(RegisterID* result, unsigned numParametersToSkip)
 {
-    emitNewArray(result, nullptr, 0);
+    RefPtr<RegisterID> restArrayLength = newTemporary();
+    emitOpcode(op_get_rest_length);
+    instructions().append(restArrayLength->index());
+    instructions().append(numParametersToSkip);
+
+    emitNewArrayWithSize(result, restArrayLength.get());
 
     emitOpcode(op_copy_rest);
     instructions().append(result->index());
+    instructions().append(restArrayLength->index());
     instructions().append(numParametersToSkip);
 

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -498 +498 @@
         RegisterID* emitNewObject(RegisterID* dst);
         RegisterID* emitNewArray(RegisterID* dst, ElementNode*, unsigned length); // stops at first elision
+        RegisterID* emitNewArrayWithSize(RegisterID* dst, RegisterID* length);
 
         RegisterID* emitNewFunction(RegisterID* dst, FunctionMetadataNode*);

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -3484 +3484 @@
     }
 
-    RefPtr<RegisterID> restParameterArray = generator.emitRestParameter(generator.newTemporary(), m_numParametersToSkip);
+    RefPtr<RegisterID> restParameterArray = generator.newTemporary();
+    generator.emitRestParameter(restParameterArray.get(), m_numParametersToSkip);
     generator.emitProfileType(restParameterArray.get(), var, m_divotStart, m_divotEnd);
     RefPtr<RegisterID> scope = generator.emitResolveScope(nullptr, var);

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -1761 +1761 @@
         
     case GetArgumentCount:
+        forNode(node).setType(SpecInt32);
+        break;
+        
+    case GetRestLength:
         forNode(node).setType(SpecInt32);
         break;

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -3332 +3332 @@
         }
 
+        case op_get_rest_length: {
+            InlineCallFrame* inlineCallFrame = this->inlineCallFrame();
+            Node* length;
+            if (inlineCallFrame && !inlineCallFrame->isVarargs()) {
+                unsigned argumentsLength = inlineCallFrame->arguments.size() - 1;
+                unsigned numParamsToSkip = currentInstruction[2].u.unsignedValue;
+                JSValue restLength;
+                if (argumentsLength <= numParamsToSkip)
+                    restLength = jsNumber(0);
+                else
+                    restLength = jsNumber(argumentsLength - numParamsToSkip);
+
+                length = jsConstant(restLength);
+            } else
+                length = addToGraph(GetRestLength, OpInfo(currentInstruction[2].u.unsignedValue));
+            set(VirtualRegister(currentInstruction[1].u.operand), length);
+            NEXT_OPCODE(op_get_rest_length);
+        }
+
         case op_copy_rest: {
             noticeArgumentsUse();
-            addToGraph(CopyRest,
-                OpInfo(currentInstruction[2].u.unsignedValue), get(VirtualRegister(currentInstruction[1].u.operand)));
+            Node* array = get(VirtualRegister(currentInstruction[1].u.operand));
+            Node* arrayLength = get(VirtualRegister(currentInstruction[2].u.operand));
+            addToGraph(CopyRest, OpInfo(currentInstruction[3].u.unsignedValue),
+                array, arrayLength);
             NEXT_OPCODE(op_copy_rest);
         }

trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp

@@ -221 +221 @@
     case op_catch:
     case op_copy_rest:
+    case op_get_rest_length:
         return CanCompileAndInline;
 

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -429 +429 @@
         def(HeapLocation(StackPayloadLoc, AbstractHeap(Stack, JSStack::ArgumentCount)), LazyNode(node));
         return;
+
+    case GetRestLength:
+        read(Stack);
+        return;
         
     case GetLocal:

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -51 +51 @@
     case GetCallee:
     case GetArgumentCount:
+    case GetRestLength:
     case GetLocal:
     case SetLocal:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -1371 +1371 @@
         case CopyRest: {
             fixEdge<KnownCellUse>(node->child1());
+            fixEdge<KnownInt32Use>(node->child2());
             break;
         }
@@ -1382 +1383 @@
         case GetCallee:
         case GetArgumentCount:
+        case GetRestLength:
         case Flush:
         case PhantomLocal:

trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp

@@ -114 +114 @@
     case GetCallee:
     case GetArgumentCount:
+    case GetRestLength:
     case GetScope:
     case PhantomLocal:

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -2162 +2162 @@
     unsigned numberOfArgumentsToSkip()
     {
-        ASSERT(op() == CopyRest);
+        ASSERT(op() == CopyRest || op() == GetRestLength);
         return static_cast<unsigned>(m_opInfo);
     }

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -263 +263 @@
     macro(NewTypedArray, NodeResultJS | NodeMustGenerate) \
     macro(NewRegexp, NodeResultJS) \
+    /* Rest Parameter */\
+    macro(GetRestLength, NodeResultInt32) \
     macro(CopyRest, NodeMustGenerate) \
     \

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -819 +819 @@
 }
 
-void JIT_OPERATION operationCopyRest(ExecState* exec, JSCell* arrayAsCell, Register* argumentStart, unsigned numberOfParamsToSkip, unsigned numberOfArguments)
-{
-    RELEASE_ASSERT(numberOfArguments > numberOfParamsToSkip); // We should only call this from JIT code when this condition is true.
+void JIT_OPERATION operationCopyRest(ExecState* exec, JSCell* arrayAsCell, Register* argumentStart, unsigned numberOfParamsToSkip, unsigned arraySize)
+{
+    ASSERT(arraySize);
     JSArray* array = jsCast<JSArray*>(arrayAsCell);
-    unsigned arraySize = numberOfArguments - numberOfParamsToSkip;
+    ASSERT(arraySize == array->length());
     array->setLength(exec, arraySize);
     for (unsigned i = 0; i < arraySize; i++)

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -104 +104 @@
 JSCell* JIT_OPERATION operationCreateClonedArgumentsDuringExit(ExecState*, InlineCallFrame*, JSFunction*, int32_t argumentCount);
 JSCell* JIT_OPERATION operationCreateClonedArguments(ExecState*, Structure*, Register* argumentStart, int32_t length, JSFunction* callee);
-void JIT_OPERATION operationCopyRest(ExecState*, JSCell*, Register* argumentStart, unsigned numberOfParamsToSkip, unsigned argumentsCount);
+void JIT_OPERATION operationCopyRest(ExecState*, JSCell*, Register* argumentStart, unsigned numberOfParamsToSkip, unsigned arraySize);
 double JIT_OPERATION operationFModOnInts(int32_t, int32_t) WTF_INTERNAL;
 size_t JIT_OPERATION operationObjectIsObject(ExecState*, JSGlobalObject*, JSCell*) WTF_INTERNAL;

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -216 +216 @@
             
         case GetArgumentCount: {
+            changed |= setPrediction(SpecInt32);
+            break;
+        }
+
+        case GetRestLength: {
             changed |= setPrediction(SpecInt32);
             break;

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -141 +141 @@
     case GetCallee:
     case GetArgumentCount:
+    case GetRestLength:
     case GetLocal:
     case SetLocal:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -5353 +5353 @@
 
     SpeculateCellOperand array(this, node->child1());
+    GPRTemporary argumentsStart(this);
+    SpeculateStrictInt32Operand arrayLength(this, node->child2());
+
     GPRReg arrayGPR = array.gpr();
-
-    GPRTemporary argumentsLength(this);
-    GPRReg argumentsLengthGPR = argumentsLength.gpr();
-
-    GPRTemporary argumentsStart(this);
     GPRReg argumentsStartGPR = argumentsStart.gpr();
-
-    emitGetLength(node->origin.semantic, argumentsLengthGPR);
-    CCallHelpers::Jump done = m_jit.branch32(MacroAssembler::LessThanOrEqual, argumentsLengthGPR, TrustedImm32(node->numberOfArgumentsToSkip()));
+    GPRReg arrayLengthGPR = arrayLength.gpr();
+
+    CCallHelpers::Jump done = m_jit.branch32(MacroAssembler::Equal, arrayLengthGPR, TrustedImm32(0));
 
     emitGetArgumentStart(node->origin.semantic, argumentsStartGPR);
-    silentSpillAllRegisters(argumentsLengthGPR, argumentsStartGPR);
-    // Arguments: 0:exec, 1:JSCell* array, 2:arguments start, 3:number of arguments to skip, 4:number of arguments
-    callOperation(operationCopyRest, arrayGPR, argumentsStartGPR, TrustedImm32(node->numberOfArgumentsToSkip()), argumentsLengthGPR);
-    silentFillAllRegisters(argumentsLengthGPR);
+    silentSpillAllRegisters(argumentsStartGPR);
+    // Arguments: 0:exec, 1:JSCell* array, 2:arguments start, 3:number of arguments to skip, 4:array length
+    callOperation(operationCopyRest, arrayGPR, argumentsStartGPR, Imm32(node->numberOfArgumentsToSkip()), arrayLengthGPR);
+    silentFillAllRegisters(argumentsStartGPR);
     m_jit.exceptionCheck();
 
@@ -5374 +5372 @@
 
     noResult(node);
+}
+
+void SpeculativeJIT::compileGetRestLength(Node* node)
+{
+    ASSERT(node->op() == GetRestLength);
+
+    GPRTemporary result(this);
+    GPRReg resultGPR = result.gpr();
+
+    emitGetLength(node->origin.semantic, resultGPR);
+    CCallHelpers::Jump hasNonZeroLength = m_jit.branch32(MacroAssembler::Above, resultGPR, Imm32(node->numberOfArgumentsToSkip()));
+    m_jit.move(TrustedImm32(0), resultGPR);
+    CCallHelpers::Jump done = m_jit.jump();
+    hasNonZeroLength.link(&m_jit);
+    if (node->numberOfArgumentsToSkip())
+        m_jit.sub32(TrustedImm32(node->numberOfArgumentsToSkip()), resultGPR);
+    done.link(&m_jit);
+    int32Result(resultGPR, node);
 }
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1222 +1222 @@
     }
 
-    JITCompiler::Call callOperation(V_JITOperation_ECRUiUi operation, GPRReg arg1, GPRReg arg2, TrustedImm32 arg3, GPRReg arg4)
-    {
-        m_jit.setupArgumentsWithExecState(arg1, arg2, arg3, arg4);
+    JITCompiler::Call callOperation(V_JITOperation_ECRUiUi operation, GPRReg arg1, GPRReg arg2, Imm32 arg3, GPRReg arg4)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, arg2, arg3.asTrustedImm32(), arg4);
         return appendCall(operation);
     }
@@ -2246 +2246 @@
     void compileCreateClonedArguments(Node*);
     void compileCopyRest(Node*);
+    void compileGetRestLength(Node*);
     void compileNotifyWrite(Node*);
     bool compileRegExpExec(Node*);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -4444 +4444 @@
     }
 
+    case GetRestLength: {
+        compileGetRestLength(node);
+        break;
+    }
+
     case NewFunction:
     case NewArrowFunction:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -3828 +3828 @@
         break;
     }
+
+    case GetRestLength: {
+        compileGetRestLength(node);
+        break;
+    }
         
     case GetScope:

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -212 +212 @@
     case PutSetterByVal:
     case CopyRest:
+    case GetRestLength:
         // These are OK.
         break;

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp

@@ -970 +970 @@
         case CopyRest:
             compileCopyRest();
+            break;
+        case GetRestLength:
+            compileGetRestLength();
             break;
 
@@ -3646 +3649 @@
         LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("FillRestParameter continuation"));
 
+        LValue arrayLength = lowInt32(m_node->child2());
+
+        m_out.branch(
+            m_out.equal(arrayLength, m_out.constInt32(0)),
+            unsure(continuation), unsure(doCopyRest));
+            
+        LBasicBlock lastNext = m_out.appendTo(doCopyRest, continuation);
+        // Arguments: 0:exec, 1:JSCell* array, 2:arguments start, 3:number of arguments to skip, 4:array length
         LValue numberOfArgumentsToSkip = m_out.constInt32(m_node->numberOfArgumentsToSkip());
-        LValue numberOfArguments = getArgumentsLength().value;
-
-        m_out.branch(
-            m_out.above(numberOfArguments, numberOfArgumentsToSkip),
-            unsure(doCopyRest), unsure(continuation));
-            
-        LBasicBlock lastNext = m_out.appendTo(doCopyRest, continuation);
-        // Arguments: 0:exec, 1:JSCell* array, 2:arguments start, 3:number of arguments to skip, 4:number of arguments
         vmCall(
             m_out.voidType,m_out.operation(operationCopyRest), m_callFrame, lowCell(m_node->child1()),
-            getArgumentsStart(), numberOfArgumentsToSkip, numberOfArguments);
+            getArgumentsStart(), numberOfArgumentsToSkip, arrayLength);
         m_out.jump(continuation);
 
         m_out.appendTo(continuation, lastNext);
+    }
+
+    void compileGetRestLength()
+    {
+        LBasicBlock nonZeroLength = FTL_NEW_BLOCK(m_out, ("GetRestLength non zero"));
+        LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("GetRestLength continuation"));
+        
+        ValueFromBlock zeroLengthResult = m_out.anchor(m_out.constInt32(0));
+
+        LValue numberOfArgumentsToSkip = m_out.constInt32(m_node->numberOfArgumentsToSkip());
+        LValue argumentsLength = getArgumentsLength().value;
+        m_out.branch(m_out.above(argumentsLength, numberOfArgumentsToSkip),
+            unsure(nonZeroLength), unsure(continuation));
+        
+        LBasicBlock lastNext = m_out.appendTo(nonZeroLength, continuation);
+        ValueFromBlock nonZeroLengthResult = m_out.anchor(m_out.sub(argumentsLength, numberOfArgumentsToSkip));
+        m_out.jump(continuation);
+        
+        m_out.appendTo(continuation, lastNext);
+        setInt32(m_out.phi(m_out.int32, zeroLengthResult, nonZeroLengthResult));
     }
     

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -213 +213 @@
         DEFINE_OP(op_create_out_of_band_arguments)
         DEFINE_OP(op_copy_rest)
+        DEFINE_OP(op_get_rest_length)
         DEFINE_OP(op_check_tdz)
         DEFINE_OP(op_assert)

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -492 +492 @@
         void emit_op_create_out_of_band_arguments(Instruction*);
         void emit_op_copy_rest(Instruction*);
+        void emit_op_get_rest_length(Instruction*);
         void emit_op_check_tdz(Instruction*);
         void emit_op_assert(Instruction*);

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -1406 +1406 @@
 }
 
+void JIT::emit_op_get_rest_length(Instruction* currentInstruction)
+{
+    int dst = currentInstruction[1].u.operand;
+    unsigned numParamsToSkip = currentInstruction[2].u.unsignedValue;
+    load32(payloadFor(JSStack::ArgumentCount), regT0);
+    sub32(TrustedImm32(1), regT0);
+    Jump zeroLength = branch32(LessThanOrEqual, regT0, Imm32(numParamsToSkip));
+    sub32(Imm32(numParamsToSkip), regT0);
+#if USE(JSVALUE64)
+    boxInt32(regT0, JSValueRegs(regT0));
+#endif
+    Jump done = jump();
+
+    zeroLength.link(this);
+#if USE(JSVALUE64)
+    move(TrustedImm64(JSValue::encode(jsNumber(0))), regT0);
+#else
+    move(TrustedImm32(0), regT0);
+#endif
+
+    done.link(this);
+#if USE(JSVALUE64)
+    emitPutVirtualRegister(dst, regT0);
+#else
+    move(TrustedImm32(JSValue::Int32Tag), regT1);
+    emitPutVirtualRegister(dst, JSValueRegs(regT1, regT0));
+#endif
+}
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

@@ -1679 +1679 @@
     traceExecution()
     callSlowPath(_slow_path_copy_rest)
-    dispatch(3)
+    dispatch(4)
 
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -2431 +2431 @@
     storei t0, PayloadOffset[cfr, t1, 8]
     dispatch(2)
+
+
+_llint_op_get_rest_length:
+    traceExecution()
+    loadi PayloadOffset + ArgumentCount[cfr], t0
+    subi 1, t0
+    loadisFromInstruction(2, t1)
+    bilteq t0, t1, .storeZero
+    subi t1, t0
+    jmp .finish
+.storeZero:
+    move 0, t0
+.finish:
+    loadisFromInstruction(1, t1)
+    storei t0, PayloadOffset[cfr, t1, 8]
+    storei Int32Tag, TagOffset[cfr, t1, 8]
+    dispatch(3)

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -2299 +2299 @@
     storeq t0, [cfr, t1, 8]
     dispatch(2)
+
+
+_llint_op_get_rest_length:
+    traceExecution()
+    loadi PayloadOffset + ArgumentCount[cfr], t0
+    subi 1, t0
+    loadisFromInstruction(2, t1)
+    bilteq t0, t1, .storeZero
+    subi t1, t0
+    jmp .boxUp
+.storeZero:
+    move 0, t0
+.boxUp:
+    orq tagTypeNumber, t0
+    loadisFromInstruction(1, t1)
+    storeq t0, [cfr, t1, 8]
+    dispatch(3)

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -705 +705 @@
 {
     BEGIN();
-    unsigned numParamsToSkip = pc[2].u.unsignedValue;
-    unsigned numArgumentsToFunction = exec->argumentCount();
-    if (numArgumentsToFunction <= numParamsToSkip)
+    unsigned arraySize = OP_C(2).jsValue().asUInt32();
+    if (!arraySize) {
+        ASSERT(!jsCast<JSArray*>(OP(1).jsValue())->length());
         END();
-
+    }
     JSArray* array = jsCast<JSArray*>(OP(1).jsValue());
-    unsigned arraySize = numArgumentsToFunction - numParamsToSkip;
-    array->setLength(exec, arraySize);
+    ASSERT(arraySize == array->length());
+    unsigned numParamsToSkip = pc[3].u.unsignedValue;
     for (unsigned i = 0; i < arraySize; i++)
         array->putDirectIndex(exec, i, exec->uncheckedArgument(i + numParamsToSkip));