Changeset 252974 in webkit

Timestamp:

Dec 1, 2019 6:54:11 PM (4 years ago)

Author:

Caio Lima

Message:

Implement GetByVal inline caching for 32-bit JITs
​https://bugs.webkit.org/show_bug.cgi?id=204082

Reviewed by Saam Barati.

We are adding 32-bit support for GetByVal cases added on r252684.
This requires changes on some of the IC code generated to properly
support JSVALUE32_64. The major difference from JSVALUE64 is the
usage of tagGPR to inspect value types and store results.

• bytecode/AccessCase.cpp:

(JSC::AccessCase::generateWithGuard):
(JSC::AccessCase::generateImpl):

• bytecode/GetterSetterAccessCase.cpp:

(JSC::GetterSetterAccessCase::emitDOMJITGetter):

• bytecode/PolymorphicAccess.cpp:

(JSC::PolymorphicAccess::regenerate):

• bytecode/StructureStubInfo.h:

Since a generator can't have thisGPR and propertyGPR at se same time,
we created a new union to share thisTagGPR and propertyTagGPR,
matching the approach we have for JITInlineCacheGenerator::patch.u.

(JSC::StructureStubInfo::propertyRegs const):
(JSC::StructureStubInfo::baseRegs const):

To simplify scratch register allocation, we added baseRegs() and
propertyRegs() to StructureStubInfo, so we can easily retrive
payload and tag GPRs for those operands, keeping them locked.

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• jit/JITInlineCacheGenerator.cpp:

(JSC::JITByIdGenerator::JITByIdGenerator):
(JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
(JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
(JSC::JITGetByValGenerator::JITGetByValGenerator):

• jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emitSlow_op_get_by_val):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/AccessCase.cpp (modified) (10 diffs)
• bytecode/GetterSetterAccessCase.cpp (modified) (1 diff)
• bytecode/PolymorphicAccess.cpp (modified) (4 diffs)
• bytecode/StructureStubInfo.h (modified) (2 diffs)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• jit/JITInlineCacheGenerator.cpp (modified) (4 diffs)
• jit/JITPropertyAccess32_64.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-12-01  Caio Lima  <ticaiolima@gmail.com>
+
+        Implement GetByVal inline caching for 32-bit JITs
+        https://bugs.webkit.org/show_bug.cgi?id=204082
+
+        Reviewed by Saam Barati.
+
+        We are adding 32-bit support for GetByVal cases added on r252684.
+        This requires changes on some of the IC code generated to properly
+        support JSVALUE32_64. The major difference from JSVALUE64 is the
+        usage of tagGPR to inspect value types and store results.
+
+        * bytecode/AccessCase.cpp:
+        (JSC::AccessCase::generateWithGuard):
+        (JSC::AccessCase::generateImpl):
+        * bytecode/GetterSetterAccessCase.cpp:
+        (JSC::GetterSetterAccessCase::emitDOMJITGetter):
+        * bytecode/PolymorphicAccess.cpp:
+        (JSC::PolymorphicAccess::regenerate):
+        * bytecode/StructureStubInfo.h:
+
+        Since a generator can't have `thisGPR` and `propertyGPR` at se same time,
+        we created a new `union` to share `thisTagGPR` and `propertyTagGPR`,
+        matching the approach we have for `JITInlineCacheGenerator::patch.u`.
+
+        (JSC::StructureStubInfo::propertyRegs const):
+        (JSC::StructureStubInfo::baseRegs const):
+
+        To simplify scratch register allocation, we added `baseRegs()` and
+        `propertyRegs()` to `StructureStubInfo`, so we can easily retrive
+        payload and tag GPRs for those operands, keeping them locked.
+
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * jit/JITInlineCacheGenerator.cpp:
+        (JSC::JITByIdGenerator::JITByIdGenerator):
+        (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
+        (JSC::JITInstanceOfGenerator::JITInstanceOfGenerator):
+        (JSC::JITGetByValGenerator::JITGetByValGenerator):
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::emit_op_get_by_val):
+        (JSC::JIT::emitSlow_op_get_by_val):
+
 2019-11-29  Eike Rathke  <erack@redhat.com>
 

trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp

@@ -872 +872 @@
 
         ScratchRegisterAllocator allocator(stubInfo.patch.usedRegisters);
-        allocator.lock(baseGPR);
-        allocator.lock(valueRegs.payloadGPR());
-        allocator.lock(propertyGPR);
+        allocator.lock(stubInfo.baseRegs());
+        allocator.lock(valueRegs);
+        allocator.lock(stubInfo.propertyRegs());
         allocator.lock(scratchGPR);
         
@@ -903 +903 @@
         jit.neg32(scratch2GPR);
         jit.loadPtr(CCallHelpers::Address(baseGPR, ScopedArguments::offsetOfStorage()), scratch3GPR);
-        jit.loadValue(CCallHelpers::BaseIndex(scratch3GPR, scratch2GPR, CCallHelpers::TimesEight), JSValueRegs::payloadOnly(scratchGPR));
+#if USE(JSVALUE64)
+        jit.loadValue(CCallHelpers::BaseIndex(scratch3GPR, scratch2GPR, CCallHelpers::TimesEight), JSValueRegs(scratchGPR));
         failAndIgnore.append(jit.branchIfEmpty(scratchGPR));
         jit.move(scratchGPR, valueRegs.payloadGPR());
+#else
+        jit.loadValue(CCallHelpers::BaseIndex(scratch3GPR, scratch2GPR, CCallHelpers::TimesEight), JSValueRegs(scratch2GPR, scratchGPR));
+        failAndIgnore.append(jit.branchIfEmpty(scratch2GPR));
+        jit.move(scratchGPR, valueRegs.payloadGPR());
+        jit.move(scratch2GPR, valueRegs.tagGPR());
+#endif
 
         done.link(&jit);
@@ -960 +967 @@
 
         ScratchRegisterAllocator allocator(stubInfo.patch.usedRegisters);
-        allocator.lock(baseGPR);
-        allocator.lock(valueRegs.payloadGPR());
-        allocator.lock(propertyGPR);
+        allocator.lock(stubInfo.baseRegs());
+        allocator.lock(valueRegs);
+        allocator.lock(stubInfo.propertyRegs());
         allocator.lock(scratchGPR);
         GPRReg scratch2GPR = allocator.allocateScratchGPR();
@@ -1042 +1049 @@
 
         ScratchRegisterAllocator allocator(stubInfo.patch.usedRegisters);
-        allocator.lock(baseGPR);
-        allocator.lock(valueRegs.payloadGPR());
-        allocator.lock(propertyGPR);
+        allocator.lock(stubInfo.baseRegs());
+        allocator.lock(valueRegs);
+        allocator.lock(stubInfo.propertyRegs());
         allocator.lock(scratchGPR);
         GPRReg scratch2GPR = allocator.allocateScratchGPR();
@@ -1073 +1080 @@
         jit.move(CCallHelpers::TrustedImmPtr(vm.smallStrings.singleCharacterStrings()), scratchGPR);
         jit.loadPtr(CCallHelpers::BaseIndex(scratchGPR, scratch2GPR, CCallHelpers::ScalePtr, 0), valueRegs.payloadGPR());
+        jit.boxCell(valueRegs.payloadGPR(), valueRegs);
         allocator.restoreReusedRegistersByPopping(jit, preservedState);
         state.succeed();
@@ -1101 +1109 @@
 
         ScratchRegisterAllocator allocator(stubInfo.patch.usedRegisters);
-        allocator.lock(baseGPR);
-        allocator.lock(valueRegs.payloadGPR());
-        allocator.lock(propertyGPR);
+        allocator.lock(stubInfo.baseRegs());
+        allocator.lock(valueRegs);
+        allocator.lock(stubInfo.propertyRegs());
         allocator.lock(scratchGPR);
         GPRReg scratch2GPR = allocator.allocateScratchGPR();
+#if USE(JSVALUE32_64)
+        GPRReg scratch3GPR = allocator.allocateScratchGPR();
+#endif
         ScratchRegisterAllocator::PreservedState preservedState;
 
@@ -1123 +1134 @@
 
             jit.zeroExtend32ToPtr(propertyGPR, scratch2GPR);
-            jit.loadValue(CCallHelpers::BaseIndex(scratchGPR, scratch2GPR, CCallHelpers::TimesEight, ArrayStorage::vectorOffset()), JSValueRegs::payloadOnly(scratchGPR));
+#if USE(JSVALUE64)
+            jit.loadValue(CCallHelpers::BaseIndex(scratchGPR, scratch2GPR, CCallHelpers::TimesEight, ArrayStorage::vectorOffset()), JSValueRegs(scratchGPR));
             isEmpty = jit.branchIfEmpty(scratchGPR);
             jit.move(scratchGPR, valueRegs.payloadGPR());
+#else
+            jit.loadValue(CCallHelpers::BaseIndex(scratchGPR, scratch2GPR, CCallHelpers::TimesEight, ArrayStorage::vectorOffset()), JSValueRegs(scratch3GPR, scratchGPR));
+            isEmpty = jit.branchIfEmpty(scratch3GPR);
+            jit.move(scratchGPR, valueRegs.payloadGPR());
+            jit.move(scratch3GPR, valueRegs.tagGPR());
+#endif
         } else {
             IndexingType expectedShape;
@@ -1156 +1174 @@
                 jit.boxDouble(state.scratchFPR, valueRegs);
             } else {
-                jit.loadValue(CCallHelpers::BaseIndex(scratchGPR, scratch2GPR, CCallHelpers::TimesEight), JSValueRegs::payloadOnly(scratchGPR));
+#if USE(JSVALUE64)
+                jit.loadValue(CCallHelpers::BaseIndex(scratchGPR, scratch2GPR, CCallHelpers::TimesEight), JSValueRegs(scratchGPR));
                 isEmpty = jit.branchIfEmpty(scratchGPR);
                 jit.move(scratchGPR, valueRegs.payloadGPR());
+#else
+                jit.loadValue(CCallHelpers::BaseIndex(scratchGPR, scratch2GPR, CCallHelpers::TimesEight), JSValueRegs(scratch3GPR, scratchGPR));
+                isEmpty = jit.branchIfEmpty(scratch3GPR);
+                jit.move(scratchGPR, valueRegs.payloadGPR());
+                jit.move(scratch3GPR, valueRegs.tagGPR());
+#endif
             }
         }
@@ -1195 +1220 @@
         
         ScratchRegisterAllocator allocator(stubInfo.patch.usedRegisters);
-        allocator.lock(baseGPR);
-        allocator.lock(valueGPR);
-        allocator.lock(prototypeGPR);
+        allocator.lock(stubInfo.baseRegs());
+        allocator.lock(valueRegs);
+        allocator.lock(stubInfo.propertyRegs());
         allocator.lock(scratchGPR);
         
@@ -1708 +1733 @@
 
         ScratchRegisterAllocator allocator(stubInfo.patch.usedRegisters);
-        allocator.lock(baseGPR);
-#if USE(JSVALUE32_64)
-        allocator.lock(stubInfo.patch.baseTagGPR);
-#endif
+        allocator.lock(stubInfo.baseRegs());
         allocator.lock(valueRegs);
         allocator.lock(scratchGPR);

trunk/Source/JavaScriptCore/bytecode/GetterSetterAccessCase.cpp

@@ -140 +140 @@
 
     ScratchRegisterAllocator allocator(stubInfo.patch.usedRegisters);
-    allocator.lock(baseGPR);
-#if USE(JSVALUE32_64)
-    allocator.lock(stubInfo.patch.baseTagGPR);
-#endif
+    allocator.lock(stubInfo.baseRegs());
     allocator.lock(valueRegs);
     allocator.lock(scratchGPR);

trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp

@@ -453 +453 @@
 #if USE(JSVALUE32_64)
     allocator.lock(stubInfo.patch.baseTagGPR);
+    if (stubInfo.patch.v.thisTagGPR != InvalidGPRReg)
+        allocator.lock(stubInfo.patch.v.thisTagGPR);
 #endif
 
@@ -522 +524 @@
                 CCallHelpers::Jump notInt32;
 
-                if (!stubInfo.propertyIsInt32)
+                if (!stubInfo.propertyIsInt32) {
+#if USE(JSVALUE64) 
                     notInt32 = jit.branchIfNotInt32(state.u.propertyGPR);
+#else
+                    notInt32 = jit.branchIfNotInt32(state.stubInfo->patch.v.propertyTagGPR);
+#endif
+                }
                 for (unsigned i = cases.size(); i--;) {
                     fallThrough.link(&jit);
@@ -543 +550 @@
 
             if (needsStringPropertyCheck) {
+                CCallHelpers::JumpList notString;
                 GPRReg propertyGPR = state.u.propertyGPR;
-                CCallHelpers::JumpList notString;
                 if (!stubInfo.propertyIsString) {
+#if USE(JSVALUE32_64)
+                    GPRReg propertyTagGPR = state.stubInfo->patch.v.propertyTagGPR;
+                    notString.append(jit.branchIfNotCell(propertyTagGPR));
+#else
                     notString.append(jit.branchIfNotCell(propertyGPR));
+#endif
                     notString.append(jit.branchIfNotString(propertyGPR));
                 }
+
                 jit.loadPtr(MacroAssembler::Address(propertyGPR, JSString::offsetOfValue()), state.scratchGPR);
 
@@ -572 +585 @@
                 if (!stubInfo.propertyIsSymbol) {
                     GPRReg propertyGPR = state.u.propertyGPR;
+#if USE(JSVALUE32_64)
+                    GPRReg propertyTagGPR = state.stubInfo->patch.v.propertyTagGPR;
+                    notSymbol.append(jit.branchIfNotCell(propertyTagGPR));
+#else
                     notSymbol.append(jit.branchIfNotCell(propertyGPR));
+#endif
                     notSymbol.append(jit.branchIfNotSymbol(propertyGPR));
                 }

trunk/Source/JavaScriptCore/bytecode/StructureStubInfo.h

@@ -221 +221 @@
 #if USE(JSVALUE32_64)
         GPRReg valueTagGPR;
+        // FIXME: [32-bits] Check if StructureStubInfo::patch.baseTagGPR is used somewhere.
+        // https://bugs.webkit.org/show_bug.cgi?id=204726
         GPRReg baseTagGPR;
-        GPRReg thisTagGPR;
+        union {
+            GPRReg thisTagGPR;
+            GPRReg propertyTagGPR;
+        } v;
 #endif
     } patch;
@@ -248 +253 @@
 #endif
             patch.valueGPR);
+    }
+
+    JSValueRegs propertyRegs() const
+    {
+        return JSValueRegs(
+#if USE(JSVALUE32_64)
+            patch.v.propertyTagGPR,
+#endif
+            patch.u.propertyGPR);
+    }
+
+    JSValueRegs baseRegs() const
+    {
+        return JSValueRegs(
+#if USE(JSVALUE32_64)
+            patch.baseTagGPR,
+#endif
+            patch.baseGPR);
     }
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -2260 +2260 @@
         }
         case Array::Generic: {
-            // FIXME: Implement IC here:
-            // https://bugs.webkit.org/show_bug.cgi?id=204082
-            if (m_graph.varArgChild(node, 0).useKind() == ObjectUse) {
-                if (m_graph.varArgChild(node, 1).useKind() == StringUse) {
-                    compileGetByValForObjectWithString(node);
-                    break;
+            if (m_graph.m_slowGetByVal.contains(node)) {
+                if (m_graph.varArgChild(node, 0).useKind() == ObjectUse) {
+                    if (m_graph.varArgChild(node, 1).useKind() == StringUse) {
+                        compileGetByValForObjectWithString(node);
+                        break;
+                    }
+
+                    if (m_graph.varArgChild(node, 1).useKind() == SymbolUse) {
+                        compileGetByValForObjectWithSymbol(node);
+                        break;
+                    }
                 }
 
-                if (m_graph.varArgChild(node, 1).useKind() == SymbolUse) {
-                    compileGetByValForObjectWithSymbol(node);
-                    break;
-                }
+                SpeculateCellOperand base(this, m_graph.varArgChild(node, 0)); // Save a register, speculate cell. We'll probably be right.
+                JSValueOperand property(this, m_graph.varArgChild(node, 1));
+                GPRReg baseGPR = base.gpr();
+                JSValueRegs propertyRegs = property.jsValueRegs();
+                
+                flushRegisters();
+                JSValueRegsFlushedCallResult result(this);
+                JSValueRegs resultRegs = result.regs();
+                callOperation(operationGetByValCell, resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseGPR, propertyRegs);
+                m_jit.exceptionCheck();
+                
+                jsValueResult(resultRegs, node);
+                break;
             }
 
-            SpeculateCellOperand base(this, m_graph.varArgChild(node, 0)); // Save a register, speculate cell. We'll probably be right.
-            JSValueOperand property(this, m_graph.varArgChild(node, 1));
-            GPRReg baseGPR = base.gpr();
+            speculate(node, m_graph.varArgChild(node, 0));
+            speculate(node, m_graph.varArgChild(node, 1));
+
+            JSValueOperand base(this, m_graph.varArgChild(node, 0), ManualOperandSpeculation);
+            JSValueOperand property(this, m_graph.varArgChild(node, 1), ManualOperandSpeculation);
+            GPRTemporary resultTag(this, Reuse, property, TagWord);
+            GPRTemporary resultPayload(this, Reuse, property, PayloadWord);
+
+            JSValueRegs baseRegs = base.jsValueRegs();
             JSValueRegs propertyRegs = property.jsValueRegs();
-            
-            flushRegisters();
-            JSValueRegsFlushedCallResult result(this);
-            JSValueRegs resultRegs = result.regs();
-            callOperation(operationGetByValCell, resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseGPR, propertyRegs);
-            m_jit.exceptionCheck();
-            
+            JSValueRegs resultRegs(resultTag.gpr(), resultPayload.gpr());
+
+            CodeOrigin codeOrigin = node->origin.semantic;
+            CallSiteIndex callSite = m_jit.recordCallSiteAndGenerateExceptionHandlingOSRExitIfNeeded(codeOrigin, m_stream->size());
+            RegisterSet usedRegisters = this->usedRegisters();
+
+            JITCompiler::JumpList slowCases;
+            if (!m_state.forNode(m_graph.varArgChild(node, 0)).isType(SpecCell))
+                slowCases.append(m_jit.branchIfNotCell(baseRegs.tagGPR()));
+
+            JITGetByValGenerator gen(
+                m_jit.codeBlock(), codeOrigin, callSite, usedRegisters,
+                baseRegs, propertyRegs, resultRegs);
+
+            if (m_state.forNode(m_graph.varArgChild(node, 1)).isType(SpecString))
+                gen.stubInfo()->propertyIsString = true;
+            else if (m_state.forNode(m_graph.varArgChild(node, 1)).isType(SpecInt32Only))
+                gen.stubInfo()->propertyIsInt32 = true;
+            else if (m_state.forNode(m_graph.varArgChild(node, 1)).isType(SpecSymbol))
+                gen.stubInfo()->propertyIsSymbol = true;
+
+            gen.generateFastPath(m_jit);
+            
+            slowCases.append(gen.slowPathJump());
+
+            std::unique_ptr<SlowPathGenerator> slowPath = slowPathCall(
+                slowCases, this, operationGetByValOptimize,
+                resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(codeOrigin)), gen.stubInfo(), nullptr, baseRegs, propertyRegs);
+            
+            m_jit.addGetByVal(gen, slowPath.get());
+            addSlowPathGenerator(WTFMove(slowPath));
+
             jsValueResult(resultRegs, node);
             break;

trunk/Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp

@@ -79 +79 @@
     m_stubInfo->patch.baseTagGPR = base.tagGPR();
     m_stubInfo->patch.valueTagGPR = value.tagGPR();
-    m_stubInfo->patch.thisTagGPR = InvalidGPRReg;
+    m_stubInfo->patch.v.thisTagGPR = InvalidGPRReg;
 #endif
 }
@@ -125 +125 @@
     m_stubInfo->patch.u.thisGPR = thisRegs.payloadGPR();
 #if USE(JSVALUE32_64)
-    m_stubInfo->patch.thisTagGPR = thisRegs.tagGPR();
+    m_stubInfo->patch.v.thisTagGPR = thisRegs.tagGPR();
 #endif
 }
@@ -191 +191 @@
     m_stubInfo->patch.baseTagGPR = InvalidGPRReg;
     m_stubInfo->patch.valueTagGPR = InvalidGPRReg;
-    m_stubInfo->patch.thisTagGPR = InvalidGPRReg;
+    m_stubInfo->patch.v.thisTagGPR = InvalidGPRReg;
 #endif
 
@@ -230 +230 @@
     m_stubInfo->patch.u.propertyGPR = property.payloadGPR();
     m_stubInfo->patch.valueGPR = result.payloadGPR();
+#if USE(JSVALUE32_64)
+    m_stubInfo->patch.baseTagGPR = base.tagGPR();
+    m_stubInfo->patch.valueTagGPR = result.tagGPR();
+    m_stubInfo->patch.v.propertyTagGPR = property.tagGPR();
+#endif
 }
 

trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp

@@ -139 +139 @@
 void JIT::emit_op_get_by_val(const Instruction* currentInstruction)
 {
-    // FIXME: Implement IC here:
-    // https://bugs.webkit.org/show_bug.cgi?id=204082
     auto bytecode = currentInstruction->as<OpGetByVal>();
     auto& metadata = bytecode.metadata(m_codeBlock);
@@ -150 +148 @@
     emitLoad2(base, regT1, regT0, property, regT3, regT2);
 
-    emitJumpSlowCaseIfNotJSCell(base, regT1);
-    emitArrayProfilingSiteWithCell(regT0, regT4, profile);
-
-    JITGetByValGenerator gen(
-        m_codeBlock, CodeOrigin(m_bytecodeIndex), CallSiteIndex(m_bytecodeIndex), RegisterSet::stubUnavailableRegisters(),
-        JSValueRegs::payloadOnly(regT0), JSValueRegs(regT3, regT2), JSValueRegs(regT1, regT0));
-    gen.generateFastPath(*this);
-    addSlowCase(gen.slowPathJump());
-    m_getByVals.append(gen);
-
-    emitValueProfilingSite(bytecode.metadata(m_codeBlock));
-    emitStore(dst, regT1, regT0);
+    if (metadata.m_seenIdentifiers.count() > Options::getByValICMaxNumberOfIdentifiers()) {
+        auto notCell = branchIfNotCell(regT1);
+        emitArrayProfilingSiteWithCell(regT0, regT4, profile);
+        notCell.link(this);
+        callOperationWithProfile(bytecode.metadata(m_codeBlock), operationGetByVal, dst, TrustedImmPtr(m_codeBlock->globalObject()), JSValueRegs(regT1, regT0), JSValueRegs(regT3, regT2));
+    } else {
+        emitJumpSlowCaseIfNotJSCell(base, regT1);
+        emitArrayProfilingSiteWithCell(regT0, regT4, profile);
+
+        JITGetByValGenerator gen(
+            m_codeBlock, CodeOrigin(m_bytecodeIndex), CallSiteIndex(BytecodeIndex(bitwise_cast<uint32_t>(currentInstruction))), RegisterSet::stubUnavailableRegisters(),
+            JSValueRegs::payloadOnly(regT0), JSValueRegs(regT3, regT2), JSValueRegs(regT1, regT0));
+        if (isOperandConstantInt(property))
+            gen.stubInfo()->propertyIsInt32 = true;
+        gen.generateFastPath(*this);
+        addSlowCase(gen.slowPathJump());
+        m_getByVals.append(gen);
+
+        emitValueProfilingSite(bytecode.metadata(m_codeBlock));
+        emitStore(dst, regT1, regT0);
+    }
 }
 
 void JIT::emitSlow_op_get_by_val(const Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
 {
-    auto bytecode = currentInstruction->as<OpGetByVal>();
-    int dst = bytecode.m_dst.offset();
-    auto& metadata = bytecode.metadata(m_codeBlock);
-    ArrayProfile* profile = &metadata.m_arrayProfile;
-
-    JITGetByValGenerator& gen = m_getByVals[m_getByValIndex];
-    ++m_getByValIndex;
-
-    linkAllSlowCases(iter);
-
-    Label coldPathBegin = label();
-    Call call = callOperationWithProfile(bytecode.metadata(m_codeBlock), operationGetByValGeneric, dst, TrustedImmPtr(m_codeBlock->globalObject()), gen.stubInfo(), profile, JSValueRegs(regT1, regT0), JSValueRegs(regT3, regT2));
-    gen.reportSlowPathCall(coldPathBegin, call);
+    if (hasAnySlowCases(iter)) {
+        auto bytecode = currentInstruction->as<OpGetByVal>();
+        int dst = bytecode.m_dst.offset();
+        auto& metadata = bytecode.metadata(m_codeBlock);
+        ArrayProfile* profile = &metadata.m_arrayProfile;
+
+        JITGetByValGenerator& gen = m_getByVals[m_getByValIndex];
+        ++m_getByValIndex;
+
+        linkAllSlowCases(iter);
+
+        Label coldPathBegin = label();
+        Call call = callOperationWithProfile(bytecode.metadata(m_codeBlock), operationGetByValOptimize, dst, TrustedImmPtr(m_codeBlock->globalObject()), gen.stubInfo(), profile, JSValueRegs(regT1, regT0), JSValueRegs(regT3, regT2));
+        gen.reportSlowPathCall(coldPathBegin, call);
+    }
 }