Changeset 84860 in webkit

Timestamp:

Apr 25, 2011 6:40:25 PM (13 years ago)

Author:

barraclough@apple.com

Message:

​https://bugs.webkit.org/show_bug.cgi?id=59405
DFG JIT - add type speculation for integer & array types, for vars & args.

Reviewed by Geoff Garen.

If a var or argument is used as the base for a GetByVal or PutByVal access
we are speculating that it is of type Array (we only generate code on the
speculative path to perform array accesses). By typing the var or args slot
as Array, and checking on entry to the function (in the case of args), and
each time the local is written to, we can avoid a type check at each point
the array is accessed. This will typically hoist type checks out of loops.

Similarly, any local that is incremented or decremented, or is the input or
output or a bitwise operator, is likely to be an integer. By typing the
local as int32 we can avoid speculation checks on access, and tagging when
writing to the slot. All accesses can become 32bit instead of 64.

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::set):
(JSC::DFG::ByteCodeParser::predictArray):
(JSC::DFG::ByteCodeParser::predictInt32):
(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGGraph.h:

(JSC::DFG::PredictionSlot::PredictionSlot):
(JSC::DFG::Graph::Graph):
(JSC::DFG::Graph::predict):
(JSC::DFG::Graph::getPrediction):

• dfg/DFGJITCompiler.cpp:

(JSC::DFG::JITCompiler::compileFunction):

• dfg/DFGJITCompiler.h:

(JSC::DFG::JITCompiler::tagFor):
(JSC::DFG::JITCompiler::payloadFor):

• dfg/DFGNode.h:
• dfg/DFGNonSpeculativeJIT.cpp:

(JSC::DFG::NonSpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::checkArgumentTypes):
(JSC::DFG::SpeculativeJIT::initializeVariableTypes):

• dfg/DFGSpeculativeJIT.h:
• runtime/Executable.cpp:

(JSC::tryDFGCompile):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGByteCodeParser.cpp (modified) (18 diffs)
• dfg/DFGGraph.cpp (modified) (1 diff)
• dfg/DFGGraph.h (modified) (5 diffs)
• dfg/DFGJITCompiler.cpp (modified) (1 diff)
• dfg/DFGJITCompiler.h (modified) (2 diffs)
• dfg/DFGNode.h (modified) (1 diff)
• dfg/DFGNonSpeculativeJIT.cpp (modified) (3 diffs)
• dfg/DFGSpeculativeJIT.cpp (modified) (4 diffs)
• dfg/DFGSpeculativeJIT.h (modified) (1 diff)
• runtime/Executable.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-04-25  Gavin Barraclough  <barraclough@apple.com>
+
+        Reviewed by Geoff Garen.
+
+        https://bugs.webkit.org/show_bug.cgi?id=59405
+        DFG JIT - add type speculation for integer & array types, for vars & args.
+
+        If a var or argument is used as the base for a GetByVal or PutByVal access
+        we are speculating that it is of type Array (we only generate code on the
+        speculative path to perform array accesses). By typing the var or args slot
+        as Array, and checking on entry to the function (in the case of args), and
+        each time the local is written to, we can avoid a type check at each point
+        the array is accessed. This will typically hoist type checks out of loops.
+
+        Similarly, any local that is incremented or decremented, or is the input or
+        output or a bitwise operator, is likely to be an integer. By typing the
+        local as int32 we can avoid speculation checks on access, and tagging when
+        writing to the slot. All accesses can become 32bit instead of 64.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::set):
+        (JSC::DFG::ByteCodeParser::predictArray):
+        (JSC::DFG::ByteCodeParser::predictInt32):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGGraph.h:
+        (JSC::DFG::PredictionSlot::PredictionSlot):
+        (JSC::DFG::Graph::Graph):
+        (JSC::DFG::Graph::predict):
+        (JSC::DFG::Graph::getPrediction):
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::compileFunction):
+        * dfg/DFGJITCompiler.h:
+        (JSC::DFG::JITCompiler::tagFor):
+        (JSC::DFG::JITCompiler::payloadFor):
+        * dfg/DFGNode.h:
+        * dfg/DFGNonSpeculativeJIT.cpp:
+        (JSC::DFG::NonSpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
+        (JSC::DFG::SpeculativeJIT::initializeVariableTypes):
+        * dfg/DFGSpeculativeJIT.h:
+        * runtime/Executable.cpp:
+        (JSC::tryDFGCompile):
+
 2011-04-25  David Levin  <levin@chromium.org>
 

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -92 +92 @@
 
         // Is this an argument?
-        if (operand < 0)
+        if (operandIsArgument(operand))
             return getArgument(operand);
 
@@ -98 +98 @@
         return getLocal((unsigned)operand);
     }
-    void set(int operand, NodeIndex value)
-    {
+    void set(int operand, NodeIndex value, PredictedType prediction = PredictNone)
+    {
+        m_graph.predict(operand, prediction);
+
         // Is this an argument?
-        if (operand < 0) {
+        if (operandIsArgument(operand)) {
             setArgument(operand, value);
             return;
@@ -441 +443 @@
     }
 
+    void predictArray(NodeIndex nodeIndex)
+    {
+        Node* nodePtr = &m_graph[nodeIndex];
+
+        if (nodePtr->op == GetLocal)
+            m_graph.predict(nodePtr->local(), PredictArray);
+    }
+
+    void predictInt32(NodeIndex nodeIndex)
+    {
+        Node* nodePtr = &m_graph[nodeIndex];
+
+        if (nodePtr->op == ValueToNumber)
+            nodePtr = &m_graph[nodePtr->child1];
+
+        if (nodePtr->op == ValueToInt32)
+            nodePtr = &m_graph[nodePtr->child1];
+
+        if (nodePtr->op == NumberToInt32)
+            nodePtr = &m_graph[nodePtr->child1];
+
+        if (nodePtr->op == GetLocal)
+            m_graph.predict(nodePtr->local(), PredictInt32);
+    }
+
     JSGlobalData* m_globalData;
     CodeBlock* m_codeBlock;
@@ -561 +588 @@
             NodeIndex op1 = getToInt32(currentInstruction[2].u.operand);
             NodeIndex op2 = getToInt32(currentInstruction[3].u.operand);
-            set(currentInstruction[1].u.operand, addToGraph(BitAnd, op1, op2));
+            predictInt32(op1);
+            predictInt32(op2);
+            set(currentInstruction[1].u.operand, addToGraph(BitAnd, op1, op2), PredictInt32);
             NEXT_OPCODE(op_bitand);
         }
@@ -568 +597 @@
             NodeIndex op1 = getToInt32(currentInstruction[2].u.operand);
             NodeIndex op2 = getToInt32(currentInstruction[3].u.operand);
-            set(currentInstruction[1].u.operand, addToGraph(BitOr, op1, op2));
+            predictInt32(op1);
+            predictInt32(op2);
+            set(currentInstruction[1].u.operand, addToGraph(BitOr, op1, op2), PredictInt32);
             NEXT_OPCODE(op_bitor);
         }
@@ -575 +606 @@
             NodeIndex op1 = getToInt32(currentInstruction[2].u.operand);
             NodeIndex op2 = getToInt32(currentInstruction[3].u.operand);
-            set(currentInstruction[1].u.operand, addToGraph(BitXor, op1, op2));
+            predictInt32(op1);
+            predictInt32(op2);
+            set(currentInstruction[1].u.operand, addToGraph(BitXor, op1, op2), PredictInt32);
             NEXT_OPCODE(op_bitxor);
         }
@@ -582 +615 @@
             NodeIndex op1 = getToInt32(currentInstruction[2].u.operand);
             NodeIndex op2 = getToInt32(currentInstruction[3].u.operand);
+            predictInt32(op1);
+            predictInt32(op2);
             NodeIndex result;
             // Optimize out shifts by zero.
@@ -588 +623 @@
             else
                 result = addToGraph(BitRShift, op1, op2);
-            set(currentInstruction[1].u.operand, result);
+            set(currentInstruction[1].u.operand, result, PredictInt32);
             NEXT_OPCODE(op_rshift);
         }
@@ -595 +630 @@
             NodeIndex op1 = getToInt32(currentInstruction[2].u.operand);
             NodeIndex op2 = getToInt32(currentInstruction[3].u.operand);
+            predictInt32(op1);
+            predictInt32(op2);
             NodeIndex result;
             // Optimize out shifts by zero.
@@ -601 +638 @@
             else
                 result = addToGraph(BitLShift, op1, op2);
-            set(currentInstruction[1].u.operand, result);
+            set(currentInstruction[1].u.operand, result, PredictInt32);
             NEXT_OPCODE(op_lshift);
         }
@@ -608 +645 @@
             NodeIndex op1 = getToInt32(currentInstruction[2].u.operand);
             NodeIndex op2 = getToInt32(currentInstruction[3].u.operand);
+            predictInt32(op1);
+            predictInt32(op2);
             NodeIndex result;
             // The result of a zero-extending right shift is treated as an unsigned value.
@@ -628 +667 @@
                 result = addToGraph(UInt32ToNumber, result);
             }
-            set(currentInstruction[1].u.operand, result);
+            set(currentInstruction[1].u.operand, result, PredictInt32);
             NEXT_OPCODE(op_urshift);
         }
@@ -637 +676 @@
             unsigned srcDst = currentInstruction[1].u.operand;
             NodeIndex op = getToNumber(srcDst);
+            predictInt32(op);
             set(srcDst, addToGraph(ArithAdd, op, one()));
             NEXT_OPCODE(op_pre_inc);
@@ -645 +685 @@
             unsigned srcDst = currentInstruction[2].u.operand;
             NodeIndex op = getToNumber(srcDst);
+            predictInt32(op);
             set(result, op);
             set(srcDst, addToGraph(ArithAdd, op, one()));
@@ -653 +694 @@
             unsigned srcDst = currentInstruction[1].u.operand;
             NodeIndex op = getToNumber(srcDst);
+            predictInt32(op);
             set(srcDst, addToGraph(ArithSub, op, one()));
             NEXT_OPCODE(op_pre_dec);
@@ -661 +703 @@
             unsigned srcDst = currentInstruction[2].u.operand;
             NodeIndex op = getToNumber(srcDst);
+            predictInt32(op);
             set(result, op);
             set(srcDst, addToGraph(ArithSub, op, one()));
@@ -795 +838 @@
             NodeIndex base = get(currentInstruction[2].u.operand);
             NodeIndex property = get(currentInstruction[3].u.operand);
+            predictArray(base);
+            predictInt32(property);
 
             NodeIndex getByVal = addToGraph(GetByVal, base, property, aliases.lookupGetByVal(base, property));
@@ -807 +852 @@
             NodeIndex property = get(currentInstruction[2].u.operand);
             NodeIndex value = get(currentInstruction[3].u.operand);
+            predictArray(base);
+            predictInt32(property);
 
             NodeIndex aliasedGet = aliases.lookupGetByVal(base, property);

trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp

@@ -98 +98 @@
     if (node.hasLocal()) {
         int local = node.local();
-        if (local < 0)
+        if (operandIsArgument(local))
             printf("%sarg%u", hasPrinted ? ", " : "", local - codeBlock->thisRegister());
         else

trunk/Source/JavaScriptCore/dfg/DFGGraph.h

@@ -29 +29 @@
 #if ENABLE(DFG_JIT)
 
+#include <RegisterFile.h>
 #include <dfg/DFGNode.h>
 #include <wtf/Vector.h>
@@ -38 +39 @@
 
 namespace DFG {
+
+// helper function to distinguish vars & temporaries from arguments.
+inline bool operandIsArgument(int operand) { return operand < 0; }
+
+typedef uint8_t PredictedType;
+static const PredictedType PredictNone  = 0;
+static const PredictedType PredictCell  = 0x01;
+static const PredictedType PredictArray = 0x03;
+static const PredictedType PredictInt32 = 0x04;
+
+struct PredictionSlot {
+public:
+    PredictionSlot()
+        : m_value(PredictNone)
+    {
+    }
+    PredictedType m_value;
+};
 
 typedef uint32_t BlockIndex;
@@ -87 +106 @@
 class Graph : public Vector<Node, 64> {
 public:
+    Graph(unsigned numArguments, unsigned numVariables)
+        : m_argumentPredictions(numArguments)
+        , m_variablePredictions(numVariables)
+    {
+    }
+
     // Mark a node as being referenced.
     void ref(NodeIndex nodeIndex)
@@ -102 +127 @@
 #endif
 
-    Vector< OwnPtr<BasicBlock> , 8> m_blocks;
-
     BlockIndex blockIndexForBytecodeOffset(unsigned bytecodeBegin)
     {
@@ -117 +140 @@
     }
 
+    void predict(int operand, PredictedType prediction)
+    {
+        if (operandIsArgument(operand)) {
+            unsigned argument = operand + m_argumentPredictions.size() + RegisterFile::CallFrameHeaderSize;
+            m_argumentPredictions[argument].m_value |= prediction;
+        } else if ((unsigned)operand < m_variablePredictions.size())
+            m_variablePredictions[operand].m_value |= prediction;
+            
+    }
+
+    PredictedType getPrediction(int operand)
+    {
+        if (operandIsArgument(operand)) {
+            unsigned argument = operand + m_argumentPredictions.size() + RegisterFile::CallFrameHeaderSize;
+            return m_argumentPredictions[argument].m_value;
+        }
+        if ((unsigned)operand < m_variablePredictions.size())
+            return m_variablePredictions[operand].m_value;
+        return PredictNone;
+    }
+
+    Vector< OwnPtr<BasicBlock> , 8> m_blocks;
 private:
+
     // When a node's refCount goes from 0 to 1, it must (logically) recursively ref all of its children, and vice versa.
     void refChildren(NodeIndex);
+
+    Vector<PredictionSlot, 16> m_argumentPredictions;
+    Vector<PredictionSlot, 16> m_variablePredictions;
 };
 

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp

@@ -265 +265 @@
     Label speculativePathBegin = label();
     SpeculativeJIT speculative(*this);
+#if !DFG_DEBUG_LOCAL_DISBALE_SPECULATIVE
     bool compiledSpeculative = speculative.compile();
+#else
+    bool compiledSpeculative = false;
+#endif
 
     // Next, generate the non-speculative path. We pass this a SpeculationCheckIndexIterator

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h

@@ -206 +206 @@
 #endif
 
-    Address addressForArgument(int32_t argument)
-    {
-        return Address(callFrameRegister, (argument - (m_codeBlock->m_numParameters + RegisterFile::CallFrameHeaderSize)) * sizeof(Register));
-    }
-
     static Address addressForGlobalVar(RegisterID global, int32_t varNumber)
     {
@@ -219 +214 @@
     {
         return Address(callFrameRegister, virtualRegister * sizeof(Register));
+    }
+
+    static Address tagFor(VirtualRegister virtualRegister)
+    {
+        return Address(callFrameRegister, virtualRegister * sizeof(Register) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag));
+    }
+
+    static Address payloadFor(VirtualRegister virtualRegister)
+    {
+        return Address(callFrameRegister, virtualRegister * sizeof(Register) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload));
     }
 

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -41 +41 @@
 // Disable the DFG JIT without having to touch Platform.h!
 #define DFG_DEBUG_LOCAL_DISBALE 0
+// Disable the SpeculativeJIT without having to touch Platform.h!
+#define DFG_DEBUG_LOCAL_DISBALE_SPECULATIVE 0
 // Generate stats on how successful we were in making use of the DFG jit, and remaining on the hot path.
 #define DFG_SUCCESS_STATS 0

trunk/Source/JavaScriptCore/dfg/DFGNonSpeculativeJIT.cpp

@@ -174 +174 @@
 void NonSpeculativeJIT::compile(SpeculationCheckIndexIterator& checkIterator, Node& node)
 {
-    // ...
-    if (checkIterator.hasCheckAtIndex(m_compileIndex))
+    // Check for speculation checks from the corresponding instruction in the
+    // speculative path. Do not check for NodeIndex 0, since this is checked
+    // in the outermost compile layer, at the head of the non-speculative path
+    // (for index 0 we may need to check regardless of whether or not the node
+    // will be generated, since argument type speculation checks will appear
+    // as speculation checks at this index).
+    if (m_compileIndex && checkIterator.hasCheckAtIndex(m_compileIndex))
         trackEntry(m_jit.label());
 
@@ -202 +207 @@
         m_jit.loadPtr(JITCompiler::addressFor(node.local()), result.registerID());
 
-        // jsValueResult, but don't useChildren!
+        // Like jsValueResult, but don't useChildren - our children are phi nodes,
+        // and don't represent values within this dataflow with virtual registers.
         VirtualRegister virtualRegister = node.virtualRegister();
         m_gprs.retain(result.gpr(), virtualRegister, SpillOrderJS);
@@ -684 +690 @@
 void NonSpeculativeJIT::compile(SpeculationCheckIndexIterator& checkIterator)
 {
+    // Check for speculation checks added at function entry (checking argument types).
+    if (checkIterator.hasCheckAtIndex(m_compileIndex))
+        trackEntry(m_jit.label());
+
     ASSERT(!m_compileIndex);
     for (m_block = 0; m_block < m_jit.graph().m_blocks.size(); ++m_block)

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -286 +286 @@
     case GetLocal: {
         GPRTemporary result(this);
-        m_jit.loadPtr(JITCompiler::addressFor(node.local()), result.registerID());
-
-        // jsValueResult, but don't useChildren!
-        VirtualRegister virtualRegister = node.virtualRegister();
-        m_gprs.retain(result.gpr(), virtualRegister, SpillOrderJS);
-        m_generationInfo[virtualRegister].initJSValue(m_compileIndex, node.refCount(), result.gpr(), DataFormatJS);
+        PredictedType prediction = m_jit.graph().getPrediction(node.local());
+        if (prediction == PredictInt32) {
+            m_jit.load32(JITCompiler::payloadFor(node.local()), result.registerID());
+
+            // Like integerResult, but don't useChildren - our children are phi nodes,
+            // and don't represent values within this dataflow with virtual registers.
+            VirtualRegister virtualRegister = node.virtualRegister();
+            m_gprs.retain(result.gpr(), virtualRegister, SpillOrderInteger);
+            m_generationInfo[virtualRegister].initInteger(m_compileIndex, node.refCount(), result.gpr());
+        } else {
+            m_jit.loadPtr(JITCompiler::addressFor(node.local()), result.registerID());
+
+            // Like jsValueResult, but don't useChildren - our children are phi nodes,
+            // and don't represent values within this dataflow with virtual registers.
+            VirtualRegister virtualRegister = node.virtualRegister();
+            m_gprs.retain(result.gpr(), virtualRegister, SpillOrderJS);
+            m_generationInfo[virtualRegister].initJSValue(m_compileIndex, node.refCount(), result.gpr(), (prediction == PredictArray) ? DataFormatJSCell : DataFormatJS);
+        }
         break;
     }
 
     case SetLocal: {
-        JSValueOperand value(this, node.child1);
-        m_jit.storePtr(value.registerID(), JITCompiler::addressFor(node.local()));
-        noResult(m_compileIndex);
+        switch (m_jit.graph().getPrediction(node.local())) {
+        case PredictInt32: {
+            SpeculateIntegerOperand value(this, node.child1);
+            m_jit.store32(value.registerID(), JITCompiler::payloadFor(node.local()));
+            noResult(m_compileIndex);
+            break;
+        }
+        case PredictArray: {
+            SpeculateCellOperand cell(this, node.child1);
+            m_jit.storePtr(cell.registerID(), JITCompiler::addressFor(node.local()));
+            noResult(m_compileIndex);
+            break;
+        }
+
+        default: {
+            JSValueOperand value(this, node.child1);
+            m_jit.storePtr(value.registerID(), JITCompiler::addressFor(node.local()));
+            noResult(m_compileIndex);
+            break;
+        }
+        }
         break;
     }
@@ -631 +661 @@
 
         // Check that base is an array, and that property is contained within m_vector (< m_vectorLength).
-        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
+        // If we have predicted the base to be type array, we can skip the check.
+        Node& baseNode = m_jit.graph()[node.child1];
+        if (baseNode.op != GetLocal || m_jit.graph().getPrediction(baseNode.local()) != PredictArray)
+            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
         speculationCheck(m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset())));
 
@@ -658 +691 @@
 
         // Check that base is an array, and that property is contained within m_vector (< m_vectorLength).
-        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
+        // If we have predicted the base to be type array, we can skip the check.
+        Node& baseNode = m_jit.graph()[node.child1];
+        if (baseNode.op != GetLocal || m_jit.graph().getPrediction(baseNode.local()) != PredictArray)
+            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
         speculationCheck(m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset())));
 
@@ -869 +905 @@
 }
 
+// If we are making type predictions about our arguments then
+// we need to check that they are correct on function entry.
+void SpeculativeJIT::checkArgumentTypes()
+{
+    ASSERT(!m_compileIndex);
+    for (int i = 0; i < m_jit.codeBlock()->m_numParameters; ++i) {
+        VirtualRegister virtualRegister = (VirtualRegister)(m_jit.codeBlock()->thisRegister() + i);
+        if (m_jit.graph().getPrediction(virtualRegister) == PredictInt32)
+        switch (m_jit.graph().getPrediction(virtualRegister)) {
+        case PredictInt32:
+            speculationCheck(m_jit.branchPtr(MacroAssembler::Below, JITCompiler::addressFor(virtualRegister), JITCompiler::tagTypeNumberRegister));
+            break;
+
+        case PredictArray: {
+            GPRTemporary temp(this);
+            m_jit.loadPtr(JITCompiler::addressFor(virtualRegister), temp.registerID());
+            speculationCheck(m_jit.branchTestPtr(MacroAssembler::NonZero, temp.registerID(), JITCompiler::tagMaskRegister));
+            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(temp.registerID()), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
+            break;
+        }
+
+        default:
+            break;
+        }
+    }
+}
+
+// For any vars that we will be treating as numeric, write 0 to
+// the var on entry. Throughout the block we will only read/write
+// to the payload, by writing the tag now we prevent the GC from
+// misinterpreting values as pointers.
+void SpeculativeJIT::initializeVariableTypes()
+{
+    ASSERT(!m_compileIndex);
+    for (int var = 0; var < m_jit.codeBlock()->m_numVars; ++var) {
+        if (m_jit.graph().getPrediction(var) == PredictInt32)
+            m_jit.storePtr(JITCompiler::tagTypeNumberRegister, JITCompiler::addressFor((VirtualRegister)var));
+    }
+}
+
 bool SpeculativeJIT::compile()
 {
+    checkArgumentTypes();
+    initializeVariableTypes();
+
     ASSERT(!m_compileIndex);
     for (m_block = 0; m_block < m_jit.graph().m_blocks.size(); ++m_block) {

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -136 +136 @@
     void compile(BasicBlock&);
 
+    void checkArgumentTypes();
+    void initializeVariableTypes();
+
     bool isDoubleConstantWithInt32Value(NodeIndex nodeIndex, int32_t& out)
     {

trunk/Source/JavaScriptCore/runtime/Executable.cpp

@@ -205 +205 @@
 #endif
 
-    DFG::Graph dfg;
+    DFG::Graph dfg(codeBlock->m_numParameters, codeBlock->m_numVars);
     if (!parse(dfg, globalData, codeBlock))
         return false;