Changeset 97218 in webkit

Timestamp:

Oct 11, 2011 7:05:53 PM (13 years ago)

Author:

fpizlo@apple.com

Message:

DFG does not have flow-sensitive intraprocedural control flow analysis
​https://bugs.webkit.org/show_bug.cgi?id=69690

Reviewed by Gavin Barraclough.

Implemented a control flow analysis (CFA). It currently propagates type
proofs only. For example, if all predecessors to a basic block have
checks that variable X is a JSFinalObject with structure 0xabcdef, then
this basic block will now know this fact and will know that it does not
have to emit either JSFinalObject checks or any structure checks since
the structure is precisely known. The CFA takes heap side-effects into
account (though somewhat conservatively), so that if the object pointed
to by variable X could have possibly undergone a structure transition
then this is reflected: the analysis may simply say that X's structure
is unknown.

This also propagates a wealth of other type information which is
currently not being used. For example, we now know when a variable can
only hold doubles. Even if a variable may hold other types at different
points in its live range, we can still prove exactly when it will only
be double.

There's a bunch of stuff that the CFA could do that it still does not
do, like precise handling of PutStructure (i.e. structure transitions),
precise handling of CheckFunction and CheckMethod, etc. So this is
very much intended to be a starting point rather than an end unto
itself.

This is a 1% win on V8 (mostly due to a 3% win on richards and deltablue)
and a 1% win on Kraken (mostly due to a 6% win on imaging-desaturate).
Neutral on SunSpider.

• GNUmakefile.list.am:
• JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/ActionablePrediction.h: Removed.
• bytecode/PredictedType.cpp:

(JSC::predictionToString):

• bytecode/PredictedType.h:
• dfg/DFGAbstractState.cpp: Added.

(JSC::DFG::AbstractState::AbstractState):
(JSC::DFG::AbstractState::~AbstractState):
(JSC::DFG::AbstractState::beginBasicBlock):
(JSC::DFG::AbstractState::initialize):
(JSC::DFG::AbstractState::endBasicBlock):
(JSC::DFG::AbstractState::reset):
(JSC::DFG::AbstractState::execute):
(JSC::DFG::AbstractState::clobberStructures):
(JSC::DFG::AbstractState::mergeStateAtTail):
(JSC::DFG::AbstractState::merge):
(JSC::DFG::AbstractState::mergeToSuccessors):
(JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
(JSC::DFG::AbstractState::dump):

• dfg/DFGAbstractState.h: Added.

(JSC::DFG::AbstractState::forNode):
(JSC::DFG::AbstractState::isValid):

• dfg/DFGAbstractValue.h: Added.

(JSC::DFG::StructureAbstractValue::StructureAbstractValue):
(JSC::DFG::StructureAbstractValue::clear):
(JSC::DFG::StructureAbstractValue::makeTop):
(JSC::DFG::StructureAbstractValue::top):
(JSC::DFG::StructureAbstractValue::add):
(JSC::DFG::StructureAbstractValue::addAll):
(JSC::DFG::StructureAbstractValue::contains):
(JSC::DFG::StructureAbstractValue::isSubsetOf):
(JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan):
(JSC::DFG::StructureAbstractValue::isSupersetOf):
(JSC::DFG::StructureAbstractValue::filter):
(JSC::DFG::StructureAbstractValue::isClear):
(JSC::DFG::StructureAbstractValue::isTop):
(JSC::DFG::StructureAbstractValue::size):
(JSC::DFG::StructureAbstractValue::at):
(JSC::DFG::StructureAbstractValue::operator[]):
(JSC::DFG::StructureAbstractValue::last):
(JSC::DFG::StructureAbstractValue::predictionFromStructures):
(JSC::DFG::StructureAbstractValue::operator==):
(JSC::DFG::StructureAbstractValue::dump):
(JSC::DFG::AbstractValue::AbstractValue):
(JSC::DFG::AbstractValue::clear):
(JSC::DFG::AbstractValue::isClear):
(JSC::DFG::AbstractValue::makeTop):
(JSC::DFG::AbstractValue::clobberStructures):
(JSC::DFG::AbstractValue::isTop):
(JSC::DFG::AbstractValue::top):
(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::operator==):
(JSC::DFG::AbstractValue::merge):
(JSC::DFG::AbstractValue::filter):
(JSC::DFG::AbstractValue::validate):
(JSC::DFG::AbstractValue::dump):

• dfg/DFGBasicBlock.h: Added.

(JSC::DFG::BasicBlock::BasicBlock):
(JSC::DFG::BasicBlock::getBytecodeBegin):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::getLocal):
(JSC::DFG::ByteCodeParser::setLocal):
(JSC::DFG::ByteCodeParser::getArgument):
(JSC::DFG::ByteCodeParser::setArgument):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::processPhiStack):
(JSC::DFG::ByteCodeParser::setupPredecessors):

• dfg/DFGGraph.cpp:

(JSC::DFG::Graph::dump):

• dfg/DFGGraph.h:
• dfg/DFGJITCodeGenerator.h:

(JSC::DFG::block):

• dfg/DFGJITCodeGenerator32_64.cpp:

(JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
(JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
(JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):

• dfg/DFGJITCodeGenerator64.cpp:

(JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
(JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
(JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):

• dfg/DFGJITCompiler.h:

(JSC::DFG::JITCompiler::noticeOSREntry):

• dfg/DFGNode.h:

(JSC::DFG::NodeIndexTraits::defaultValue):
(JSC::DFG::Node::variableAccessData):
(JSC::DFG::Node::takenBytecodeOffsetDuringParsing):
(JSC::DFG::Node::notTakenBytecodeOffsetDuringParsing):
(JSC::DFG::Node::setTakenBlockIndex):
(JSC::DFG::Node::setNotTakenBlockIndex):
(JSC::DFG::Node::takenBlockIndex):
(JSC::DFG::Node::notTakenBlockIndex):

• dfg/DFGOSREntry.cpp:

(JSC::DFG::prepareOSREntry):

• dfg/DFGOSREntry.h:
• dfg/DFGOperands.h: Added.

(JSC::DFG::operandIsArgument):
(JSC::DFG::OperandValueTraits::defaultValue):
(JSC::DFG::Operands::Operands):
(JSC::DFG::Operands::numberOfArguments):
(JSC::DFG::Operands::numberOfLocals):
(JSC::DFG::Operands::argument):
(JSC::DFG::Operands::local):
(JSC::DFG::Operands::setLocal):
(JSC::DFG::Operands::setArgumentFirstTime):
(JSC::DFG::Operands::setLocalFirstTime):
(JSC::DFG::Operands::operand):
(JSC::DFG::Operands::setOperand):
(JSC::DFG::Operands::clear):
(JSC::DFG::dumpOperands):

• dfg/DFGPropagator.cpp:

(JSC::DFG::Propagator::fixpoint):
(JSC::DFG::Propagator::propagateArithNodeFlags):
(JSC::DFG::Propagator::propagateNodePredictions):
(JSC::DFG::Propagator::propagatePredictions):
(JSC::DFG::Propagator::performBlockCFA):
(JSC::DFG::Propagator::performForwardCFA):
(JSC::DFG::Propagator::globalCFA):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
(JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::SpeculativeJIT):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compileObjectEquality):
(JSC::DFG::SpeculativeJIT::compare):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::compileLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::emitBranch):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compileObjectEquality):
(JSC::DFG::SpeculativeJIT::compare):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::compileLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::emitBranch):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGStructureSet.h:

(JSC::DFG::StructureSet::clear):
(JSC::DFG::StructureSet::predictionFromStructures):
(JSC::DFG::StructureSet::operator==):
(JSC::DFG::StructureSet::dump):

• dfg/DFGVariableAccessData.h: Added.

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• GNUmakefile.list.am (modified) (4 diffs)
• JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj (modified) (2 diffs)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (7 diffs)
• bytecode/ActionablePrediction.h (deleted)
• bytecode/PredictedType.cpp (modified) (1 diff)
• bytecode/PredictedType.h (modified) (2 diffs)
• dfg/DFGAbstractState.cpp (added)
• dfg/DFGAbstractState.h (added)
• dfg/DFGAbstractValue.h (added)
• dfg/DFGBasicBlock.h (added)
• dfg/DFGByteCodeParser.cpp (modified) (10 diffs)
• dfg/DFGGraph.cpp (modified) (2 diffs)
• dfg/DFGGraph.h (modified) (3 diffs)
• dfg/DFGJITCodeGenerator.h (modified) (1 diff)
• dfg/DFGJITCodeGenerator32_64.cpp (modified) (3 diffs)
• dfg/DFGJITCodeGenerator64.cpp (modified) (3 diffs)
• dfg/DFGJITCompiler.h (modified) (1 diff)
• dfg/DFGNode.h (modified) (7 diffs)
• dfg/DFGOSREntry.cpp (modified) (2 diffs)
• dfg/DFGOSREntry.h (modified) (2 diffs)
• dfg/DFGOperands.h (added)
• dfg/DFGPropagator.cpp (modified) (7 diffs)
• dfg/DFGSpeculativeJIT.cpp (modified) (10 diffs)
• dfg/DFGSpeculativeJIT.h (modified) (4 diffs)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (26 diffs)
• dfg/DFGSpeculativeJIT64.cpp (modified) (29 diffs)
• dfg/DFGStructureSet.h (modified) (5 diffs)
• dfg/DFGVariableAccessData.h (added)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-10-08  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG does not have flow-sensitive intraprocedural control flow analysis
+        https://bugs.webkit.org/show_bug.cgi?id=69690
+
+        Reviewed by Gavin Barraclough.
+
+        Implemented a control flow analysis (CFA). It currently propagates type
+        proofs only. For example, if all predecessors to a basic block have
+        checks that variable X is a JSFinalObject with structure 0xabcdef, then
+        this basic block will now know this fact and will know that it does not
+        have to emit either JSFinalObject checks or any structure checks since
+        the structure is precisely known. The CFA takes heap side-effects into
+        account (though somewhat conservatively), so that if the object pointed
+        to by variable X could have possibly undergone a structure transition
+        then this is reflected: the analysis may simply say that X's structure
+        is unknown.
+        
+        This also propagates a wealth of other type information which is
+        currently not being used. For example, we now know when a variable can
+        only hold doubles. Even if a variable may hold other types at different
+        points in its live range, we can still prove exactly when it will only
+        be double.
+        
+        There's a bunch of stuff that the CFA could do that it still does not
+        do, like precise handling of PutStructure (i.e. structure transitions),
+        precise handling of CheckFunction and CheckMethod, etc. So this is
+        very much intended to be a starting point rather than an end unto
+        itself.
+        
+        This is a 1% win on V8 (mostly due to a 3% win on richards and deltablue)
+        and a 1% win on Kraken (mostly due to a 6% win on imaging-desaturate).
+        Neutral on SunSpider.
+
+        * GNUmakefile.list.am:
+        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * bytecode/ActionablePrediction.h: Removed.
+        * bytecode/PredictedType.cpp:
+        (JSC::predictionToString):
+        * bytecode/PredictedType.h:
+        * dfg/DFGAbstractState.cpp: Added.
+        (JSC::DFG::AbstractState::AbstractState):
+        (JSC::DFG::AbstractState::~AbstractState):
+        (JSC::DFG::AbstractState::beginBasicBlock):
+        (JSC::DFG::AbstractState::initialize):
+        (JSC::DFG::AbstractState::endBasicBlock):
+        (JSC::DFG::AbstractState::reset):
+        (JSC::DFG::AbstractState::execute):
+        (JSC::DFG::AbstractState::clobberStructures):
+        (JSC::DFG::AbstractState::mergeStateAtTail):
+        (JSC::DFG::AbstractState::merge):
+        (JSC::DFG::AbstractState::mergeToSuccessors):
+        (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
+        (JSC::DFG::AbstractState::dump):
+        * dfg/DFGAbstractState.h: Added.
+        (JSC::DFG::AbstractState::forNode):
+        (JSC::DFG::AbstractState::isValid):
+        * dfg/DFGAbstractValue.h: Added.
+        (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
+        (JSC::DFG::StructureAbstractValue::clear):
+        (JSC::DFG::StructureAbstractValue::makeTop):
+        (JSC::DFG::StructureAbstractValue::top):
+        (JSC::DFG::StructureAbstractValue::add):
+        (JSC::DFG::StructureAbstractValue::addAll):
+        (JSC::DFG::StructureAbstractValue::contains):
+        (JSC::DFG::StructureAbstractValue::isSubsetOf):
+        (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan):
+        (JSC::DFG::StructureAbstractValue::isSupersetOf):
+        (JSC::DFG::StructureAbstractValue::filter):
+        (JSC::DFG::StructureAbstractValue::isClear):
+        (JSC::DFG::StructureAbstractValue::isTop):
+        (JSC::DFG::StructureAbstractValue::size):
+        (JSC::DFG::StructureAbstractValue::at):
+        (JSC::DFG::StructureAbstractValue::operator[]):
+        (JSC::DFG::StructureAbstractValue::last):
+        (JSC::DFG::StructureAbstractValue::predictionFromStructures):
+        (JSC::DFG::StructureAbstractValue::operator==):
+        (JSC::DFG::StructureAbstractValue::dump):
+        (JSC::DFG::AbstractValue::AbstractValue):
+        (JSC::DFG::AbstractValue::clear):
+        (JSC::DFG::AbstractValue::isClear):
+        (JSC::DFG::AbstractValue::makeTop):
+        (JSC::DFG::AbstractValue::clobberStructures):
+        (JSC::DFG::AbstractValue::isTop):
+        (JSC::DFG::AbstractValue::top):
+        (JSC::DFG::AbstractValue::set):
+        (JSC::DFG::AbstractValue::operator==):
+        (JSC::DFG::AbstractValue::merge):
+        (JSC::DFG::AbstractValue::filter):
+        (JSC::DFG::AbstractValue::validate):
+        (JSC::DFG::AbstractValue::dump):
+        * dfg/DFGBasicBlock.h: Added.
+        (JSC::DFG::BasicBlock::BasicBlock):
+        (JSC::DFG::BasicBlock::getBytecodeBegin):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::getLocal):
+        (JSC::DFG::ByteCodeParser::setLocal):
+        (JSC::DFG::ByteCodeParser::getArgument):
+        (JSC::DFG::ByteCodeParser::setArgument):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        (JSC::DFG::ByteCodeParser::processPhiStack):
+        (JSC::DFG::ByteCodeParser::setupPredecessors):
+        * dfg/DFGGraph.cpp:
+        (JSC::DFG::Graph::dump):
+        * dfg/DFGGraph.h:
+        * dfg/DFGJITCodeGenerator.h:
+        (JSC::DFG::block):
+        * dfg/DFGJITCodeGenerator32_64.cpp:
+        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
+        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
+        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
+        * dfg/DFGJITCodeGenerator64.cpp:
+        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
+        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
+        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
+        * dfg/DFGJITCompiler.h:
+        (JSC::DFG::JITCompiler::noticeOSREntry):
+        * dfg/DFGNode.h:
+        (JSC::DFG::NodeIndexTraits::defaultValue):
+        (JSC::DFG::Node::variableAccessData):
+        (JSC::DFG::Node::takenBytecodeOffsetDuringParsing):
+        (JSC::DFG::Node::notTakenBytecodeOffsetDuringParsing):
+        (JSC::DFG::Node::setTakenBlockIndex):
+        (JSC::DFG::Node::setNotTakenBlockIndex):
+        (JSC::DFG::Node::takenBlockIndex):
+        (JSC::DFG::Node::notTakenBlockIndex):
+        * dfg/DFGOSREntry.cpp:
+        (JSC::DFG::prepareOSREntry):
+        * dfg/DFGOSREntry.h:
+        * dfg/DFGOperands.h: Added.
+        (JSC::DFG::operandIsArgument):
+        (JSC::DFG::OperandValueTraits::defaultValue):
+        (JSC::DFG::Operands::Operands):
+        (JSC::DFG::Operands::numberOfArguments):
+        (JSC::DFG::Operands::numberOfLocals):
+        (JSC::DFG::Operands::argument):
+        (JSC::DFG::Operands::local):
+        (JSC::DFG::Operands::setLocal):
+        (JSC::DFG::Operands::setArgumentFirstTime):
+        (JSC::DFG::Operands::setLocalFirstTime):
+        (JSC::DFG::Operands::operand):
+        (JSC::DFG::Operands::setOperand):
+        (JSC::DFG::Operands::clear):
+        (JSC::DFG::dumpOperands):
+        * dfg/DFGPropagator.cpp:
+        (JSC::DFG::Propagator::fixpoint):
+        (JSC::DFG::Propagator::propagateArithNodeFlags):
+        (JSC::DFG::Propagator::propagateNodePredictions):
+        (JSC::DFG::Propagator::propagatePredictions):
+        (JSC::DFG::Propagator::performBlockCFA):
+        (JSC::DFG::Propagator::performForwardCFA):
+        (JSC::DFG::Propagator::globalCFA):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
+        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
+        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
+        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
+        (JSC::DFG::SpeculativeJIT::compile):
+        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+        (JSC::DFG::SpeculativeJIT::compare):
+        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
+        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+        (JSC::DFG::SpeculativeJIT::emitBranch):
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+        (JSC::DFG::SpeculativeJIT::compare):
+        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
+        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+        (JSC::DFG::SpeculativeJIT::emitBranch):
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGStructureSet.h:
+        (JSC::DFG::StructureSet::clear):
+        (JSC::DFG::StructureSet::predictionFromStructures):
+        (JSC::DFG::StructureSet::operator==):
+        (JSC::DFG::StructureSet::dump):
+        * dfg/DFGVariableAccessData.h: Added.
+
 2011-10-11  Gavin Barraclough  <baraclough@apple.com>
 

trunk/Source/JavaScriptCore/GNUmakefile.list.am

@@ -82 +82 @@
         Source/JavaScriptCore/assembler/SH4Assembler.h \
         Source/JavaScriptCore/assembler/X86Assembler.h \
-        Source/JavaScriptCore/bytecode/ActionablePrediction.h \
         Source/JavaScriptCore/bytecode/CodeBlock.cpp \
         Source/JavaScriptCore/bytecode/CodeBlock.h \
@@ -106 +105 @@
         Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp \
         Source/JavaScriptCore/bytecompiler/RegisterID.h \
+        Source/JavaScriptCore/dfg/DFGAbstractState.cpp \
+        Source/JavaScriptCore/dfg/DFGAbstractState.h \
+        Source/JavaScriptCore/dfg/DFGAbstractValue.h \
+        Source/JavaScriptCoer/dfg/DFGBasicBlock.h \
         Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp \
         Source/JavaScriptCore/dfg/DFGByteCodeParser.h \
@@ -123 +126 @@
         Source/JavaScriptCore/dfg/DFGJITCompiler.h \
         Source/JavaScriptCore/dfg/DFGNode.h \
+        Source/JavaScriptCore/dfg/DFGOperands.h \
         Source/JavaScriptCore/dfg/DFGOperations.cpp \
         Source/JavaScriptCore/dfg/DFGOperations.h \
@@ -136 +140 @@
         Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h \
         Source/JavaScriptCore/dfg/DFGStructureSet.h \
+        Source/JavaScriptCore/dfg/DFGVariableAccessData.h \
         Source/JavaScriptCore/heap/AllocationSpace.cpp \
         Source/JavaScriptCore/heap/AllocationSpace.h \

trunk/Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj

@@ -1439 +1439 @@
                         >
                         <File
-                                RelativePath="..\..\bytecode\ActionablePrediction.h"
-                                >
-                        </File>
-                        <File
                                 RelativePath="..\..\bytecode\CodeBlock.cpp"
                                 >
@@ -1586 +1582 @@
                                 >
                         </File>
+                        <File
+                                RelativePath="..\..\dfg\DFGOSREntry.h"
+                                >
+                        </File>
                 </Filter>
                 <Filter

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -52 +52 @@
                 0F16D726142C39C000CF784A /* BitVector.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F16D724142C39A200CF784A /* BitVector.cpp */; };
                 0F242DA713F3B1E8007ADD4C /* WeakReferenceHarvester.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F242DA513F3B1BB007ADD4C /* WeakReferenceHarvester.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F620174143FCD330068B77C /* DFGVariableAccessData.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F620172143FCD2F0068B77C /* DFGVariableAccessData.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F620175143FCD370068B77C /* DFGOperands.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F620171143FCD2F0068B77C /* DFGOperands.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F620176143FCD3B0068B77C /* DFGBasicBlock.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F620170143FCD2F0068B77C /* DFGBasicBlock.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F620177143FCD3F0068B77C /* DFGAbstractValue.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F62016F143FCD2F0068B77C /* DFGAbstractValue.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F620178143FCD440068B77C /* DFGAbstractState.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F62016E143FCD2F0068B77C /* DFGAbstractState.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F620179143FCD480068B77C /* DFGAbstractState.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F62016D143FCD2F0068B77C /* DFGAbstractState.cpp */; };
                 0F636DA0142D27D700B2E66A /* PackedIntVector.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F636D9F142D27D200B2E66A /* PackedIntVector.h */; };
-                0F636DA2142D27F000B2E66A /* ActionablePrediction.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F636DA1142D27ED00B2E66A /* ActionablePrediction.h */; };
                 0F7700921402FF3C0078EB39 /* SamplingCounter.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F7700911402FF280078EB39 /* SamplingCounter.cpp */; };
                 0F963B2713F753BB0002D9B2 /* RedBlackTree.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F963B2613F753990002D9B2 /* RedBlackTree.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -810 +815 @@
                 0F16D724142C39A200CF784A /* BitVector.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = BitVector.cpp; sourceTree = "<group>"; };
                 0F242DA513F3B1BB007ADD4C /* WeakReferenceHarvester.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WeakReferenceHarvester.h; sourceTree = "<group>"; };
+                0F62016D143FCD2F0068B77C /* DFGAbstractState.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGAbstractState.cpp; path = dfg/DFGAbstractState.cpp; sourceTree = "<group>"; };
+                0F62016E143FCD2F0068B77C /* DFGAbstractState.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGAbstractState.h; path = dfg/DFGAbstractState.h; sourceTree = "<group>"; };
+                0F62016F143FCD2F0068B77C /* DFGAbstractValue.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGAbstractValue.h; path = dfg/DFGAbstractValue.h; sourceTree = "<group>"; };
+                0F620170143FCD2F0068B77C /* DFGBasicBlock.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGBasicBlock.h; path = dfg/DFGBasicBlock.h; sourceTree = "<group>"; };
+                0F620171143FCD2F0068B77C /* DFGOperands.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGOperands.h; path = dfg/DFGOperands.h; sourceTree = "<group>"; };
+                0F620172143FCD2F0068B77C /* DFGVariableAccessData.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGVariableAccessData.h; path = dfg/DFGVariableAccessData.h; sourceTree = "<group>"; };
                 0F636D9F142D27D200B2E66A /* PackedIntVector.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PackedIntVector.h; sourceTree = "<group>"; };
-                0F636DA1142D27ED00B2E66A /* ActionablePrediction.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ActionablePrediction.h; sourceTree = "<group>"; };
                 0F77008E1402FDD60078EB39 /* SamplingCounter.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SamplingCounter.h; sourceTree = "<group>"; };
                 0F7700911402FF280078EB39 /* SamplingCounter.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SamplingCounter.cpp; sourceTree = "<group>"; };
@@ -2284 +2294 @@
                         isa = PBXGroup;
                         children = (
+                                0F62016D143FCD2F0068B77C /* DFGAbstractState.cpp */,
+                                0F62016E143FCD2F0068B77C /* DFGAbstractState.h */,
+                                0F62016F143FCD2F0068B77C /* DFGAbstractValue.h */,
+                                0F620170143FCD2F0068B77C /* DFGBasicBlock.h */,
+                                0F620171143FCD2F0068B77C /* DFGOperands.h */,
+                                0F620172143FCD2F0068B77C /* DFGVariableAccessData.h */,
                                 0FFF4BB2143955E600655BC0 /* DFGStructureSet.h */,
                                 86EC9DB41328DF82002B2AD7 /* DFGByteCodeParser.cpp */,
@@ -2385 +2401 @@
                         isa = PBXGroup;
                         children = (
-                                0F636DA1142D27ED00B2E66A /* ActionablePrediction.h */,
                                 0FD82E8E14207A5100179C94 /* ValueProfile.cpp */,
                                 0FD82E84141F3FDA00179C94 /* PredictedType.cpp */,
@@ -2871 +2886 @@
                                 86FA9E92142BBB2E001773B7 /* JSBoundFunction.h in Headers */,
                                 0F636DA0142D27D700B2E66A /* PackedIntVector.h in Headers */,
-                                0F636DA2142D27F000B2E66A /* ActionablePrediction.h in Headers */,
                                 A7521E131429169A003C8D0C /* CardSet.h in Headers */,
                                 0FD52AAE143035A00026DC9F /* UnionFind.h in Headers */,
@@ -2878 +2892 @@
                                 0FFF4BB4143955E900655BC0 /* DFGStructureSet.h in Headers */,
                                 8604F505143CE1C200B295F5 /* JSGlobalThis.h in Headers */,
+                                0F620174143FCD330068B77C /* DFGVariableAccessData.h in Headers */,
+                                0F620175143FCD370068B77C /* DFGOperands.h in Headers */,
+                                0F620176143FCD3B0068B77C /* DFGBasicBlock.h in Headers */,
+                                0F620177143FCD3F0068B77C /* DFGAbstractValue.h in Headers */,
+                                0F620178143FCD440068B77C /* DFGAbstractState.h in Headers */,
                         );
                         runOnlyForDeploymentPostprocessing = 0;
@@ -3409 +3428 @@
                                 86880F4D14353B2100B08D42 /* DFGSpeculativeJIT64.cpp in Sources */,
                                 0FE228EE1436AB2C00196C48 /* Heuristics.cpp in Sources */,
+                                0F620179143FCD480068B77C /* DFGAbstractState.cpp in Sources */,
                         );
                         runOnlyForDeploymentPostprocessing = 0;

trunk/Source/JavaScriptCore/bytecode/PredictedType.cpp

@@ -45 +45 @@
     BoundsCheckedPointer<char> ptr(description, size);
     
+    bool isTop = true;
+    
     if (value & PredictCellOther)
         ptr.strcat("Othercell");
+    else
+        isTop = false;
     
     if (value & PredictObjectOther)
         ptr.strcat("Otherobj");
+    else
+        isTop = false;
     
     if (value & PredictFinalObject)
         ptr.strcat("Final");
+    else
+        isTop = false;
 
     if (value & PredictArray)
         ptr.strcat("Array");
+    else
+        isTop = false;
     
     if (value & PredictString)
         ptr.strcat("String");
+    else
+        isTop = false;
     
     if (value & PredictInt32)
         ptr.strcat("Int");
+    else
+        isTop = false;
     
     if (value & PredictDouble)
         ptr.strcat("Double");
+    else
+        isTop = false;
     
     if (value & PredictBoolean)
         ptr.strcat("Bool");
+    else
+        isTop = false;
     
     if (value & PredictOther)
         ptr.strcat("Other");
+    else
+        isTop = false;
+    
+    if (isTop)
+        return "Top";
     
     *ptr++ = 0;

trunk/Source/JavaScriptCore/bytecode/PredictedType.h

@@ -51 +51 @@
 static const PredictedType PredictOther         = 0x4000; // It's definitely none of the above.
 static const PredictedType PredictTop           = 0x7fff; // It can be any of the above.
+
+typedef bool (*PredictionChecker)(PredictedType);
 
 inline bool isCellPrediction(PredictedType value)
@@ -116 +118 @@
 #endif
 
+// Merge two predictions. Note that currently this just does left | right. It may
+// seem tempting to do so directly, but you would be doing so at your own peril,
+// since the merging protocol PredictedType may change at any time (and has already
+// changed several times in its history).
 inline PredictedType mergePredictions(PredictedType left, PredictedType right)
 {

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -129 +129 @@
     NodeIndex getLocal(unsigned operand)
     {
-        NodeIndex nodeIndex = m_currentBlock->m_localsAtTail[operand].value;
+        NodeIndex nodeIndex = m_currentBlock->variablesAtTail.local(operand);
 
         if (nodeIndex != NoNode) {
@@ -148 +148 @@
         m_localPhiStack.append(PhiStackEntry(m_currentBlock, phi, operand));
         nodeIndex = addToGraph(GetLocal, OpInfo(variableAccessData), phi);
-        m_currentBlock->m_localsAtTail[operand].value = nodeIndex;
-        
-        m_currentBlock->m_localsAtHead[operand].setFirstTime(nodeIndex);
+        m_currentBlock->variablesAtTail.local(operand) = nodeIndex;
+        
+        m_currentBlock->variablesAtHead.setLocalFirstTime(operand, nodeIndex);
         
         return nodeIndex;
@@ -156 +156 @@
     void setLocal(unsigned operand, NodeIndex value)
     {
-        m_currentBlock->m_localsAtTail[operand].value = addToGraph(SetLocal, OpInfo(newVariableAccessData(operand)), value);
+        m_currentBlock->variablesAtTail.local(operand) = addToGraph(SetLocal, OpInfo(newVariableAccessData(operand)), value);
     }
 
@@ -165 +165 @@
         ASSERT(argument < m_numArguments);
 
-        NodeIndex nodeIndex = m_currentBlock->m_argumentsAtTail[argument].value;
+        NodeIndex nodeIndex = m_currentBlock->variablesAtTail.argument(argument);
 
         if (nodeIndex != NoNode) {
@@ -174 +174 @@
                 ASSERT(node.local() == static_cast<VirtualRegister>(operand));
                 nodeIndex = addToGraph(GetLocal, OpInfo(node.variableAccessData()), nodeIndex);
-                m_currentBlock->m_argumentsAtTail[argument].value = nodeIndex;
+                m_currentBlock->variablesAtTail.argument(argument) = nodeIndex;
                 return nodeIndex;
             }
@@ -190 +190 @@
         m_argumentPhiStack.append(PhiStackEntry(m_currentBlock, phi, argument));
         nodeIndex = addToGraph(GetLocal, OpInfo(variableAccessData), phi);
-        m_currentBlock->m_argumentsAtTail[argument].value = nodeIndex;
-        
-        m_currentBlock->m_argumentsAtHead[argument].setFirstTime(nodeIndex);
+        m_currentBlock->variablesAtTail.argument(argument) = nodeIndex;
+        
+        m_currentBlock->variablesAtHead.setArgumentFirstTime(argument, nodeIndex);
         
         return nodeIndex;
@@ -201 +201 @@
         ASSERT(argument < m_numArguments);
 
-        m_currentBlock->m_argumentsAtTail[argument].value = addToGraph(SetLocal, OpInfo(newVariableAccessData(operand)), value);
+        m_currentBlock->variablesAtTail.argument(argument) = addToGraph(SetLocal, OpInfo(newVariableAccessData(operand)), value);
     }
 
@@ -787 +787 @@
             NodeIndex setArgument = addToGraph(SetArgument, OpInfo(newVariableAccessData(argument - m_codeBlock->m_numParameters - RegisterFile::CallFrameHeaderSize)));
             m_graph.m_arguments[argument] = setArgument;
-            m_currentBlock->m_argumentsAtHead[argument].setFirstTime(setArgument);
-            m_currentBlock->m_argumentsAtTail[argument].setFirstTime(setArgument);
+            m_currentBlock->variablesAtHead.setArgumentFirstTime(argument, setArgument);
+            m_currentBlock->variablesAtTail.setArgumentFirstTime(argument, setArgument);
         }
     }
@@ -1693 +1693 @@
             BasicBlock* predecessorBlock = m_graph.m_blocks[predecessors[i]].get();
 
-            VariableRecord& var = (stackType == ArgumentPhiStack) ? predecessorBlock->m_argumentsAtTail[varNo] : predecessorBlock->m_localsAtTail[varNo];
-
-            NodeIndex valueInPredecessor = var.value;
+            NodeIndex& var = (stackType == ArgumentPhiStack) ? predecessorBlock->variablesAtTail.argument(varNo) : predecessorBlock->variablesAtTail.local(varNo);
+
+            NodeIndex valueInPredecessor = var;
             if (valueInPredecessor == NoNode) {
                 valueInPredecessor = addToGraph(Phi, OpInfo(newVariableAccessData(stackType == ArgumentPhiStack ? varNo - m_codeBlock->m_numParameters - RegisterFile::CallFrameHeaderSize : varNo)));
-                var.setFirstTime(valueInPredecessor);
+                var = valueInPredecessor;
                 if (stackType == ArgumentPhiStack)
-                    predecessorBlock->m_argumentsAtHead[varNo].setFirstTime(valueInPredecessor);
+                    predecessorBlock->variablesAtHead.setArgumentFirstTime(varNo, valueInPredecessor);
                 else
-                    predecessorBlock->m_localsAtHead[varNo].setFirstTime(valueInPredecessor);
+                    predecessorBlock->variablesAtHead.setLocalFirstTime(varNo, valueInPredecessor);
                 phiStack.append(PhiStackEntry(predecessorBlock, valueInPredecessor, varNo));
             } else if (m_graph[valueInPredecessor].op == GetLocal) {
@@ -1762 +1762 @@
         ASSERT(node.isTerminal());
 
-        if (node.isJump())
-            m_graph.blockForBytecodeOffset(node.takenBytecodeOffset()).m_predecessors.append(index);
-        else if (node.isBranch()) {
-            m_graph.blockForBytecodeOffset(node.takenBytecodeOffset()).m_predecessors.append(index);
-            m_graph.blockForBytecodeOffset(node.notTakenBytecodeOffset()).m_predecessors.append(index);
+        if (node.isJump()) {
+            node.setTakenBlockIndex(m_graph.blockIndexForBytecodeOffset(node.takenBytecodeOffsetDuringParsing()));
+            m_graph.m_blocks[node.takenBlockIndex()]->m_predecessors.append(index);
+        } else if (node.isBranch()) {
+            node.setTakenBlockIndex(m_graph.blockIndexForBytecodeOffset(node.takenBytecodeOffsetDuringParsing()));
+            node.setNotTakenBlockIndex(m_graph.blockIndexForBytecodeOffset(node.notTakenBytecodeOffsetDuringParsing()));
+            m_graph.m_blocks[node.takenBlockIndex()]->m_predecessors.append(index);
+            m_graph.m_blocks[node.notTakenBlockIndex()]->m_predecessors.append(index);
         }
     }

trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp

@@ -189 +189 @@
     }
     if  (node.isBranch() || node.isJump()) {
-        printf("%sT:#%u", hasPrinted ? ", " : "", blockIndexForBytecodeOffset(node.takenBytecodeOffset()));
+        printf("%sT:#%u", hasPrinted ? ", " : "", node.takenBlockIndex());
         hasPrinted = true;
     }
     if  (node.isBranch()) {
-        printf("%sF:#%u", hasPrinted ? ", " : "", blockIndexForBytecodeOffset(node.notTakenBytecodeOffset()));
+        printf("%sF:#%u", hasPrinted ? ", " : "", node.notTakenBlockIndex());
         hasPrinted = true;
     }
@@ -240 +240 @@
 {
     for (size_t b = 0; b < m_blocks.size(); ++b) {
-        printf("Block #%u (bc#%u):  %s\n", (int)b, m_blocks[b]->bytecodeBegin, m_blocks[b]->isOSRTarget ? " (OSR target)" : "");
-        for (size_t i = m_blocks[b]->begin; i < m_blocks[b]->end; ++i)
+        BasicBlock* block = m_blocks[b].get();
+        printf("Block #%u (bc#%u):  %s\n", (int)b, block->bytecodeBegin, block->isOSRTarget ? " (OSR target)" : "");
+        printf("  vars: ");
+        if (block->cfaHasVisited)
+            dumpOperands(block->valuesAtHead, stdout);
+        else
+            printf("<empty>");
+        printf("\n");
+        for (size_t i = block->begin; i < block->end; ++i)
             dump(i, codeBlock);
     }

trunk/Source/JavaScriptCore/dfg/DFGGraph.h

@@ -30 +30 @@
 
 #include "CodeBlock.h"
+#include "DFGBasicBlock.h"
 #include "DFGNode.h"
 #include "PredictionTracker.h"
@@ -45 +46 @@
 namespace DFG {
 
-// helper function to distinguish vars & temporaries from arguments.
-inline bool operandIsArgument(int operand) { return operand < 0; }
-
-typedef uint32_t BlockIndex;
-
-// For every local variable we track any existing get or set of the value.
-// We track the get so that these may be shared, and we track the set to
-// retrieve the current value, and to reference the final definition.
-struct VariableRecord {
-    VariableRecord()
-        : value(NoNode)
-    {
-    }
-    
-    void setFirstTime(NodeIndex nodeIndex)
-    {
-        ASSERT(value == NoNode);
-        value = nodeIndex;
-    }
-
-    NodeIndex value;
-};
-
 struct MethodCheckData {
     // It is safe to refer to these directly because they are shadowed by
@@ -111 +89 @@
     unsigned identifierNumber;
     unsigned resolveInfoIndex;
-};
-
-typedef Vector <BlockIndex, 2> PredecessorList;
-
-struct BasicBlock {
-    BasicBlock(unsigned bytecodeBegin, NodeIndex begin, unsigned numArguments, unsigned numLocals)
-        : bytecodeBegin(bytecodeBegin)
-        , begin(begin)
-        , end(NoNode)
-        , isOSRTarget(false)
-        , m_argumentsAtHead(numArguments)
-        , m_localsAtHead(numLocals)
-        , m_argumentsAtTail(numArguments)
-        , m_localsAtTail(numLocals)
-    {
-    }
-
-    static inline BlockIndex getBytecodeBegin(OwnPtr<BasicBlock>* block)
-    {
-        return (*block)->bytecodeBegin;
-    }
-
-    unsigned bytecodeBegin;
-    NodeIndex begin;
-    NodeIndex end;
-    bool isOSRTarget;
-
-    PredecessorList m_predecessors;
-    
-    Vector<VariableRecord, 8> m_argumentsAtHead;
-    Vector<VariableRecord, 16> m_localsAtHead;
-    
-    Vector<VariableRecord, 8> m_argumentsAtTail;
-    Vector<VariableRecord, 16> m_localsAtTail;
 };
 

trunk/Source/JavaScriptCore/dfg/DFGJITCodeGenerator.h

@@ -1516 +1516 @@
     }
 
+    BasicBlock* block()
+    {
+        return m_jit.graph().m_blocks[m_block].get();
+    }
+
 #ifndef NDEBUG
     void dump(const char* label = 0);

trunk/Source/JavaScriptCore/dfg/DFGJITCodeGenerator32_64.cpp

@@ -966 +966 @@
 {
     Node& branchNode = at(branchNodeIndex);
-    BlockIndex taken = m_jit.graph().blockIndexForBytecodeOffset(branchNode.takenBytecodeOffset());
-    BlockIndex notTaken = m_jit.graph().blockIndexForBytecodeOffset(branchNode.notTakenBytecodeOffset());
+    BlockIndex taken = branchNode.takenBlockIndex();
+    BlockIndex notTaken = branchNode.notTakenBlockIndex();
     
     if (taken == (m_block + 1)) {
@@ -1029 +1029 @@
 {
     Node& branchNode = at(branchNodeIndex);
-    BlockIndex taken = m_jit.graph().blockIndexForBytecodeOffset(branchNode.takenBytecodeOffset());
-    BlockIndex notTaken = m_jit.graph().blockIndexForBytecodeOffset(branchNode.notTakenBytecodeOffset());
+    BlockIndex taken = branchNode.takenBlockIndex();
+    BlockIndex notTaken = branchNode.notTakenBlockIndex();
 
     JITCompiler::ResultCondition callResultCondition = JITCompiler::NonZero;
@@ -1158 +1158 @@
 {
     Node& branchNode = at(branchNodeIndex);
-    BlockIndex taken = m_jit.graph().blockIndexForBytecodeOffset(branchNode.takenBytecodeOffset());
-    BlockIndex notTaken = m_jit.graph().blockIndexForBytecodeOffset(branchNode.notTakenBytecodeOffset());
+    BlockIndex taken = branchNode.takenBlockIndex();
+    BlockIndex notTaken = branchNode.notTakenBlockIndex();
 
     // The branch instruction will branch to the taken block.

trunk/Source/JavaScriptCore/dfg/DFGJITCodeGenerator64.cpp

@@ -928 +928 @@
 {
     Node& branchNode = at(branchNodeIndex);
-    BlockIndex taken = m_jit.graph().blockIndexForBytecodeOffset(branchNode.takenBytecodeOffset());
-    BlockIndex notTaken = m_jit.graph().blockIndexForBytecodeOffset(branchNode.notTakenBytecodeOffset());
+    BlockIndex taken = branchNode.takenBlockIndex();
+    BlockIndex notTaken = branchNode.notTakenBlockIndex();
     
     if (taken == (m_block + 1)) {
@@ -989 +989 @@
 {
     Node& branchNode = at(branchNodeIndex);
-    BlockIndex taken = m_jit.graph().blockIndexForBytecodeOffset(branchNode.takenBytecodeOffset());
-    BlockIndex notTaken = m_jit.graph().blockIndexForBytecodeOffset(branchNode.notTakenBytecodeOffset());
+    BlockIndex taken = branchNode.takenBlockIndex();
+    BlockIndex notTaken = branchNode.notTakenBlockIndex();
 
     JITCompiler::ResultCondition callResultCondition = JITCompiler::NonZero;
@@ -1111 +1111 @@
 {
     Node& branchNode = at(branchNodeIndex);
-    BlockIndex taken = m_jit.graph().blockIndexForBytecodeOffset(branchNode.takenBytecodeOffset());
-    BlockIndex notTaken = m_jit.graph().blockIndexForBytecodeOffset(branchNode.notTakenBytecodeOffset());
+    BlockIndex taken = branchNode.takenBlockIndex();
+    BlockIndex notTaken = branchNode.notTakenBlockIndex();
 
     // The branch instruction will branch to the taken block.

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h

@@ -405 +405 @@
         OSREntryData* entry = codeBlock()->appendDFGOSREntryData(basicBlock.bytecodeBegin, differenceBetween(m_startOfCode, label()));
         
-        ActionablePredictions actionablePredictions(basicBlock.m_argumentsAtHead.size(), basicBlock.m_localsAtHead.size());
-
-        for (unsigned i = 0; i < basicBlock.m_argumentsAtHead.size(); ++i) {
-            NodeIndex nodeIndex = basicBlock.m_argumentsAtHead[i].value;
-            if (nodeIndex != NoNode)
-                actionablePredictions.setArgument(i, actionablePredictionFromPredictedType(m_graph[nodeIndex].variableAccessData()->prediction()));
-        }
+        entry->m_expectedValues = basicBlock.valuesAtHead;
         
-        for (unsigned i = 0; i < basicBlock.m_localsAtHead.size(); ++i) {
-            NodeIndex nodeIndex = basicBlock.m_localsAtHead[i].value;
-            if (nodeIndex != NoNode)
-                actionablePredictions.setVariable(i, actionablePredictionFromPredictedType(m_graph[nodeIndex].variableAccessData()->prediction()));
-        }
-        
-        actionablePredictions.pack();
-        
-        entry->m_predictions = actionablePredictions;
+        // Fix the expected values: in our protocol, a dead variable will have an expected
+        // value of (None, []). But the old JIT may stash some values there. So we really
+        // need (Top, TOP).
+        for (size_t argument = 0; argument < basicBlock.variablesAtHead.numberOfArguments(); ++argument) {
+            if (basicBlock.variablesAtHead.argument(argument) == NoNode)
+                entry->m_expectedValues.argument(argument).makeTop();
+        }
+        for (size_t local = 0; local < basicBlock.variablesAtHead.numberOfLocals(); ++local) {
+            if (basicBlock.variablesAtHead.local(local) == NoNode)
+                entry->m_expectedValues.local(local).makeTop();
+        }
 #else
         UNUSED_PARAM(basicBlock);

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -27 +27 @@
 #define DFGNode_h
 
-#include "DFGStructureSet.h"
 #include <wtf/BoundsCheckedPointer.h>
 #include <wtf/Platform.h>
-#include <wtf/UnionFind.h>
 
 // Emit various logging information for debugging, including dumping the dataflow graphs.
@@ -68 +66 @@
 
 #include "CodeBlock.h"
+#include "DFGOperands.h"
+#include "DFGVariableAccessData.h"
 #include "JSValue.h"
 #include "PredictedType.h"
@@ -75 +75 @@
 namespace JSC { namespace DFG {
 
-// Type for a virtual register number (spill location).
-// Using an enum to make this type-checked at compile time, to avert programmer errors.
-enum VirtualRegister { InvalidVirtualRegister = -1 };
-COMPILE_ASSERT(sizeof(VirtualRegister) == sizeof(int), VirtualRegister_is_32bit);
-
 // Type for a reference to another node in the graph.
 typedef uint32_t NodeIndex;
 static const NodeIndex NoNode = UINT_MAX;
+
+typedef uint32_t BlockIndex;
+
+struct NodeIndexTraits {
+    static NodeIndex defaultValue() { return NoNode; }
+};
 
 // Information used to map back from an exception to any handler/source information,
@@ -109 +110 @@
 private:
     uint32_t m_bytecodeIndex;
-};
-
-class VariableAccessData: public UnionFind<VariableAccessData> {
-public:
-    VariableAccessData()
-        : m_local(static_cast<VirtualRegister>(std::numeric_limits<int>::min()))
-        , m_prediction(PredictNone)
-    {
-    }
-    
-    VariableAccessData(VirtualRegister local)
-        : m_local(local)
-        , m_prediction(PredictNone)
-    {
-    }
-    
-    VirtualRegister local()
-    {
-        ASSERT(m_local == find()->m_local);
-        return m_local;
-    }
-    
-    int operand()
-    {
-        return static_cast<int>(local());
-    }
-    
-    bool predict(PredictedType prediction)
-    {
-        return mergePrediction(find()->m_prediction, prediction);
-    }
-    
-    PredictedType prediction()
-    {
-        return find()->m_prediction;
-    }
-    
-private:
-    // This is slightly space-inefficient, since anything we're unified with
-    // will have the same operand and should have the same prediction. But
-    // putting them here simplifies the code, and we don't expect DFG space
-    // usage for variable access nodes do be significant.
-
-    VirtualRegister m_local;
-    PredictedType m_prediction;
 };
 
@@ -565 +521 @@
     VariableAccessData* variableAccessData()
     {
+        ASSERT(hasVariableAccessData());
         return reinterpret_cast<VariableAccessData*>(m_opInfo)->find();
     }
@@ -756 +713 @@
     }
 
-    unsigned takenBytecodeOffset()
+    unsigned takenBytecodeOffsetDuringParsing()
     {
         ASSERT(isBranch() || isJump());
@@ -762 +719 @@
     }
 
-    unsigned notTakenBytecodeOffset()
+    unsigned notTakenBytecodeOffsetDuringParsing()
+    {
+        ASSERT(isBranch());
+        return m_opInfo2;
+    }
+    
+    void setTakenBlockIndex(BlockIndex blockIndex)
+    {
+        ASSERT(isBranch() || isJump());
+        m_opInfo = blockIndex;
+    }
+    
+    void setNotTakenBlockIndex(BlockIndex blockIndex)
+    {
+        ASSERT(isBranch());
+        m_opInfo2 = blockIndex;
+    }
+    
+    BlockIndex takenBlockIndex()
+    {
+        ASSERT(isBranch() || isJump());
+        return m_opInfo;
+    }
+    
+    BlockIndex notTakenBlockIndex()
     {
         ASSERT(isBranch());

trunk/Source/JavaScriptCore/dfg/DFGOSREntry.cpp

@@ -78 +78 @@
     //    OSR at this time.
     
-    for (unsigned i = 1; i < entry->m_predictions.argumentUpperBound(); ++i) {
-        ActionablePrediction prediction = entry->m_predictions.argument(i);
-        if (prediction == NoActionablePrediction)
-            continue;
-
-        if (i >= exec->argumentCountIncludingThis()) {
+    for (size_t argument = 0; argument < entry->m_expectedValues.numberOfArguments(); ++argument) {
+        if (argument >= exec->argumentCountIncludingThis()) {
 #if ENABLE(JIT_VERBOSE_OSR)
-            printf("    OSR failed because argument %u was not passed, expected %s.\n", i, actionablePredictionToString(prediction));
+            printf("    OSR failed because argument %lu was not passed, expected ", argument);
+            entry->m_expectedValues.argument(argument).dump(stdout);
+            printf(".\n");
 #endif
             return 0;
         }
         
-        if (!valueObeysPrediction(globalData, exec->argument(i - 1), prediction)) {
+        JSValue value;
+        if (!argument)
+            value = exec->hostThisValue();
+        else
+            value = exec->argument(argument - 1);
+        
+        if (!entry->m_expectedValues.argument(argument).validate(value)) {
 #if ENABLE(JIT_VERBOSE_OSR)
-            printf("    OSR failed because argument %u is %s, expected %s.\n", i, exec->argument(i - 1).description(), actionablePredictionToString(prediction));
+            printf("    OSR failed because argument %lu is %s, expected ", argument, value.description());
+            entry->m_expectedValues.argument(argument).dump(stdout);
+            printf(".\n");
 #endif
             return 0;
@@ -98 +104 @@
     }
     
-    for (unsigned i = 0; i < entry->m_predictions.variableUpperBound(); ++i) {
-        ActionablePrediction prediction = entry->m_predictions.variable(i);
-        if (prediction == NoActionablePrediction)
-            continue;
-        
-        if (!valueObeysPrediction(globalData, exec->registers()[i].jsValue(), prediction)) {
+    for (size_t local = 0; local < entry->m_expectedValues.numberOfLocals(); ++local) {
+        if (!entry->m_expectedValues.local(local).validate(exec->registers()[local].jsValue())) {
 #if ENABLE(JIT_VERBOSE_OSR)
-            printf("    OSR failed because variable %u is %s, expected %s.\n", i, exec->registers()[i].jsValue().description(), actionablePredictionToString(prediction));
+            printf("    OSR failed because variable %lu is %s, expected ", local, exec->registers()[local].jsValue().description());
+            entry->m_expectedValues.local(local).dump(stdout);
+            printf(".\n");
 #endif
             return 0;

trunk/Source/JavaScriptCore/dfg/DFGOSREntry.h

@@ -27 +27 @@
 #define DFGOSREntry_h
 
-#include "ActionablePrediction.h"
+#include "DFGAbstractValue.h"
+#include "DFGOperands.h"
 
 namespace JSC {
@@ -40 +41 @@
     unsigned m_bytecodeIndex;
     unsigned m_machineCodeOffset;
-    ActionablePredictions m_predictions;
+    Operands<AbstractValue> m_expectedValues;
 };
 

trunk/Source/JavaScriptCore/dfg/DFGPropagator.cpp

@@ -29 +29 @@
 #if ENABLE(DFG_JIT)
 
+#include "DFGAbstractState.h"
 #include "DFGGraph.h"
 #include "DFGScoreBoard.h"
@@ -56 +57 @@
     {
 #if ENABLE(DFG_DEBUG_PROPAGATION_VERBOSE)
-    m_graph.dump(m_codeBlock);
-#endif
-
-#if ENABLE(DFG_DEBUG_PROPAGATION_VERBOSE)
-        m_count = 0;
-#endif
-        do {
-            m_changed = false;
-            
-            // Up here we start with a backward pass because we suspect that to be
-            // more profitable.
-            propagateArithNodeFlagsBackward();
-            if (!m_changed)
-                break;
-            
-            m_changed = false;
-            propagateArithNodeFlagsForward();
-        } while (m_changed);
-        
-#if ENABLE(DFG_DEBUG_PROPAGATION_VERBOSE)
-        m_count = 0;
-#endif
-        do {
-            m_changed = false;
-            
-            // Forward propagation is near-optimal for both topologically-sorted and
-            // DFS-sorted code.
-            propagatePredictionsForward();
-            if (!m_changed)
-                break;
-            
-            // Backward propagation reduces the likelihood that pathological code will
-            // cause slowness. Loops (especially nested ones) resemble backward flow.
-            // This pass captures two cases: (1) it detects if the forward fixpoint
-            // found a sound solution and (2) short-circuits backward flow.
-            m_changed = false;
-            propagatePredictionsBackward();
-        } while (m_changed);
-        
+        m_graph.dump(m_codeBlock);
+#endif
+
+        propagateArithNodeFlags();
+        propagatePredictions();
         fixup();
         
@@ -110 +77 @@
 
         allocateVirtualRegisters();
+
+#if ENABLE(DFG_DEBUG_PROPAGATION_VERBOSE)
+        printf("Graph after virtual register allocation:\n");
+        m_graph.dump(m_codeBlock);
+#endif
+
+        globalCFA();
 
 #if ENABLE(DFG_DEBUG_VERBOSE)
@@ -273 +247 @@
         for (m_compileIndex = m_graph.size(); m_compileIndex-- > 0;)
             propagateArithNodeFlags(m_graph[m_compileIndex]);
+    }
+    
+    void propagateArithNodeFlags()
+    {
+#if ENABLE(DFG_DEBUG_PROPAGATION_VERBOSE)
+        m_count = 0;
+#endif
+        do {
+            m_changed = false;
+            
+            // Up here we start with a backward pass because we suspect that to be
+            // more profitable.
+            propagateArithNodeFlagsBackward();
+            if (!m_changed)
+                break;
+            
+            m_changed = false;
+            propagateArithNodeFlagsForward();
+        } while (m_changed);
     }
     
@@ -609 +602 @@
 
 #if ENABLE(DFG_DEBUG_PROPAGATION_VERBOSE)
-        printf("%s ", predictionToString(m_graph[m_compileIndex].prediction()));
+        printf("%s\n", predictionToString(m_graph[m_compileIndex].prediction()));
 #endif
         
@@ -631 +624 @@
         for (m_compileIndex = m_graph.size(); m_compileIndex-- > 0;)
             propagateNodePredictions(m_graph[m_compileIndex]);
+    }
+    
+    void propagatePredictions()
+    {
+#if ENABLE(DFG_DEBUG_PROPAGATION_VERBOSE)
+        m_count = 0;
+#endif
+        do {
+            m_changed = false;
+            
+            // Forward propagation is near-optimal for both topologically-sorted and
+            // DFS-sorted code.
+            propagatePredictionsForward();
+            if (!m_changed)
+                break;
+            
+            // Backward propagation reduces the likelihood that pathological code will
+            // cause slowness. Loops (especially nested ones) resemble backward flow.
+            // This pass captures two cases: (1) it detects if the forward fixpoint
+            // found a sound solution and (2) short-circuits backward flow.
+            m_changed = false;
+            propagatePredictionsBackward();
+        } while (m_changed);
     }
     
@@ -1454 +1470 @@
     }
     
+    void performBlockCFA(AbstractState& state, BlockIndex blockIndex)
+    {
+        BasicBlock* block = m_graph.m_blocks[blockIndex].get();
+        if (!block->cfaShouldRevisit)
+            return;
+#if ENABLE(DFG_DEBUG_PROPAGATION_VERBOSE)
+        printf("   Block #%u (bc#%u):\n", blockIndex, block->bytecodeBegin);
+#endif
+        state.beginBasicBlock(block);
+#if ENABLE(DFG_DEBUG_PROPAGATION_VERBOSE)
+        printf("      head vars: ");
+        dumpOperands(block->valuesAtHead, stdout);
+        printf("\n");
+#endif
+        for (NodeIndex nodeIndex = block->begin; nodeIndex < block->end; ++nodeIndex) {
+            if (!m_graph[nodeIndex].shouldGenerate())
+                continue;
+#if ENABLE(DFG_DEBUG_PROPAGATION_VERBOSE)
+            printf("      %s @%u: ", Graph::opName(m_graph[nodeIndex].op), nodeIndex);
+            state.dump(stdout);
+            printf("\n");
+#endif
+            if (!state.execute(nodeIndex))
+                break;
+        }
+#if ENABLE(DFG_DEBUG_PROPAGATION_VERBOSE)
+        printf("      tail regs: ");
+        state.dump(stdout);
+        printf("\n");
+#endif
+        m_changed |= state.endBasicBlock(AbstractState::MergeToSuccessors);
+#if ENABLE(DFG_DEBUG_PROPAGATION_VERBOSE)
+        printf("      tail vars: ");
+        dumpOperands(block->valuesAtTail, stdout);
+        printf("\n");
+#endif
+    }
+    
+    void performForwardCFA(AbstractState& state)
+    {
+#if ENABLE(DFG_DEBUG_PROPAGATION_VERBOSE)
+        printf("CFA [%u]\n", ++m_count);
+#endif
+        
+        for (BlockIndex block = 0; block < m_graph.m_blocks.size(); ++block)
+            performBlockCFA(state, block);
+    }
+    
+    void globalCFA()
+    {
+#if ENABLE(DFG_DEBUG_PROPAGATION_VERBOSE)
+        m_count = 0;
+#endif
+        
+        // This implements a pseudo-worklist-based forward CFA, except that the visit order
+        // of blocks is the bytecode program order (which is nearly topological), and
+        // instead of a worklist we just walk all basic blocks checking if cfaShouldRevisit
+        // is set to true. This is likely to balance the efficiency properties of both
+        // worklist-based and forward fixpoint-based approaches. Like a worklist-based
+        // approach, it won't visit code if it's meaningless to do so (nothing changed at
+        // the head of the block or the predecessors have not been visited). Like a forward
+        // fixpoint-based approach, it has a high probability of only visiting a block
+        // after all predecessors have been visited. Only loops will cause this analysis to
+        // revisit blocks, and the amount of revisiting is proportional to loop depth.
+        
+        AbstractState::initialize(m_graph);
+        
+        AbstractState state(m_codeBlock, m_graph);
+        
+        do {
+            m_changed = false;
+            performForwardCFA(state);
+        } while (m_changed);
+    }
+    
     Graph& m_graph;
     JSGlobalData& m_globalData;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -132 +132 @@
 {
     Node& branchNode = at(branchNodeIndex);
-    BlockIndex taken = m_jit.graph().blockIndexForBytecodeOffset(branchNode.takenBytecodeOffset());
-    BlockIndex notTaken = m_jit.graph().blockIndexForBytecodeOffset(branchNode.notTakenBytecodeOffset());
+    BlockIndex taken = branchNode.takenBlockIndex();
+    BlockIndex notTaken = branchNode.notTakenBlockIndex();
     
     SpeculateDoubleOperand op1(this, node.child1());
@@ -144 +144 @@
 }
 
-void SpeculativeJIT::compilePeepHoleObjectEquality(Node& node, NodeIndex branchNodeIndex, void* vptr)
+void SpeculativeJIT::compilePeepHoleObjectEquality(Node& node, NodeIndex branchNodeIndex, void* vptr, PredictionChecker predictionCheck)
 {
     Node& branchNode = at(branchNodeIndex);
-    BlockIndex taken = m_jit.graph().blockIndexForBytecodeOffset(branchNode.takenBytecodeOffset());
-    BlockIndex notTaken = m_jit.graph().blockIndexForBytecodeOffset(branchNode.notTakenBytecodeOffset());
+    BlockIndex taken = branchNode.takenBlockIndex();
+    BlockIndex notTaken = branchNode.notTakenBlockIndex();
 
     MacroAssembler::RelationalCondition condition = MacroAssembler::Equal;
@@ -165 +165 @@
     GPRReg op2GPR = op2.gpr();
     
-    speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op1GPR), MacroAssembler::TrustedImmPtr(vptr)));
-    speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op2GPR), MacroAssembler::TrustedImmPtr(vptr)));
+    if (!predictionCheck(m_state.forNode(node.child1()).m_type))
+        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op1GPR), MacroAssembler::TrustedImmPtr(vptr)));
+    if (!predictionCheck(m_state.forNode(node.child2()).m_type))
+        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op2GPR), MacroAssembler::TrustedImmPtr(vptr)));
     
     addBranch(m_jit.branchPtr(condition, op1GPR, op2GPR), taken);
@@ -176 +178 @@
 {
     Node& branchNode = at(branchNodeIndex);
-    BlockIndex taken = m_jit.graph().blockIndexForBytecodeOffset(branchNode.takenBytecodeOffset());
-    BlockIndex notTaken = m_jit.graph().blockIndexForBytecodeOffset(branchNode.notTakenBytecodeOffset());
+    BlockIndex taken = branchNode.takenBlockIndex();
+    BlockIndex notTaken = branchNode.notTakenBlockIndex();
 
     // The branch instruction will branch to the taken block.
@@ -226 +228 @@
             use(node.child2());
         } else if (node.op == CompareEq && Node::shouldSpeculateFinalObject(at(node.child1()), at(node.child2()))) {
-            compilePeepHoleObjectEquality(node, branchNodeIndex, m_jit.globalData()->jsFinalObjectVPtr);
+            compilePeepHoleObjectEquality(node, branchNodeIndex, m_jit.globalData()->jsFinalObjectVPtr, isFinalObjectPrediction);
             use(node.child1());
             use(node.child2());
         } else if (node.op == CompareEq && Node::shouldSpeculateArray(at(node.child1()), at(node.child2()))) {
-            compilePeepHoleObjectEquality(node, branchNodeIndex, m_jit.globalData()->jsArrayVPtr);
+            compilePeepHoleObjectEquality(node, branchNodeIndex, m_jit.globalData()->jsArrayVPtr, isArrayPrediction);
             use(node.child1());
             use(node.child2());
@@ -263 +265 @@
 #endif
 
-    ASSERT(m_arguments.size() == block.m_argumentsAtHead.size());
+    ASSERT(m_arguments.size() == block.variablesAtHead.numberOfArguments());
     for (size_t i = 0; i < m_arguments.size(); ++i) {
-        NodeIndex nodeIndex = block.m_argumentsAtHead[i].value;
+        NodeIndex nodeIndex = block.variablesAtHead.argument(i);
         if (nodeIndex == NoNode)
             m_arguments[i] = ValueSource(ValueInRegisterFile);
@@ -272 +274 @@
     }
     
-    ASSERT(m_variables.size() == block.m_localsAtHead.size());
+    m_state.reset();
+    m_state.beginBasicBlock(&block);
+    
+    ASSERT(m_variables.size() == block.variablesAtHead.numberOfLocals());
     for (size_t i = 0; i < m_variables.size(); ++i) {
-        NodeIndex nodeIndex = block.m_localsAtHead[i].value;
+        NodeIndex nodeIndex = block.variablesAtHead.local(i);
         if (nodeIndex == NoNode)
             m_variables[i] = ValueSource(ValueInRegisterFile);
@@ -343 +348 @@
         fprintf(stderr, "\n");
 #endif
+        
+        // Make sure that the abstract state is rematerialized for the next node.
+        m_state.execute(m_compileIndex);
         
         if (node.shouldGenerate())
@@ -544 +552 @@
     GPRReg indexReg = index.gpr();
     
-    if (!isKnownString(node.child1()))
+    if (!isStringPrediction(m_state.forNode(node.child1()).m_type))
         speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(stringReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
     
@@ -573 +581 @@
     GPRReg propertyReg = property.gpr();
 
-    if (!isKnownString(node.child1()))
+    if (!isStringPrediction(m_state.forNode(node.child1()).m_type))
         speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -29 +29 @@
 #if ENABLE(DFG_JIT)
 
+#include <dfg/DFGAbstractState.h>
 #include <dfg/DFGJITCodeGenerator.h>
 
@@ -434 +435 @@
     }
     
-    bool isKnownArray(NodeIndex op1)
-    {
-        Node& node = at(op1);
-        switch (node.op) {
-        case GetLocal:
-            return isArrayPrediction(node.variableAccessData()->prediction());
-            
-        case NewArray:
-        case NewArrayBuffer:
-            return true;
-            
-        default:
-            return false;
-        }
-    }
-
-    bool isKnownString(NodeIndex op1)
-    {
-        switch (at(op1).op) {
-        case StrCat:
-            return true;
-            
-        default:
-            return false;
-        }
-    }
-    
     bool compare(Node&, MacroAssembler::RelationalCondition, MacroAssembler::DoubleCondition, S_DFGOperation_EJJ);
     bool compilePeepHoleBranch(Node&, MacroAssembler::RelationalCondition, MacroAssembler::DoubleCondition, S_DFGOperation_EJJ);
     void compilePeepHoleIntegerBranch(Node&, NodeIndex branchNodeIndex, JITCompiler::RelationalCondition);
     void compilePeepHoleDoubleBranch(Node&, NodeIndex branchNodeIndex, JITCompiler::DoubleCondition);
-    void compilePeepHoleObjectEquality(Node&, NodeIndex branchNodeIndex, void* vptr);
-    void compileObjectEquality(Node&, void* vptr);
+    void compilePeepHoleObjectEquality(Node&, NodeIndex branchNodeIndex, void* vptr, PredictionChecker);
+    void compileObjectEquality(Node&, void* vptr, PredictionChecker);
     void compileValueAdd(Node&);
-    void compileObjectOrOtherLogicalNot(NodeIndex value, void* vptr);
+    void compileObjectOrOtherLogicalNot(NodeIndex value, void* vptr, bool needSpeculationCheck);
     void compileLogicalNot(Node&);
-    void emitObjectOrOtherBranch(NodeIndex value, BlockIndex taken, BlockIndex notTaken, void *vptr);
+    void emitObjectOrOtherBranch(NodeIndex value, BlockIndex taken, BlockIndex notTaken, void *vptr, bool needSpeculationCheck);
     void emitBranch(Node&);
     
@@ -592 +566 @@
     uint32_t m_bytecodeIndexForOSR;
     
+    AbstractState m_state;
+    
     ValueRecovery computeValueRecoveryFor(const ValueSource&);
 
@@ -824 +800 @@
     , m_lastSetOperand(std::numeric_limits<int>::max())
     , m_bytecodeIndexForOSR(std::numeric_limits<uint32_t>::max())
+    , m_state(m_jit.codeBlock(), m_jit.graph())
 {
 }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -359 +359 @@
 }
 
-void SpeculativeJIT::compileObjectEquality(Node& node, void* vptr)
+void SpeculativeJIT::compileObjectEquality(Node& node, void* vptr, PredictionChecker predictionCheck)
 {
     SpeculateCellOperand op1(this, node.child1());
@@ -371 +371 @@
     GPRReg resultPayloadGPR = resultPayload.gpr();
     
-    speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op1GPR), MacroAssembler::TrustedImmPtr(vptr)));
-    speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op2GPR), MacroAssembler::TrustedImmPtr(vptr)));
+    if (!predictionCheck(m_state.forNode(node.child1()).m_type))
+        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op1GPR), MacroAssembler::TrustedImmPtr(vptr)));
+    if (!predictionCheck(m_state.forNode(node.child2()).m_type))
+        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op2GPR), MacroAssembler::TrustedImmPtr(vptr)));
     
     MacroAssembler::Jump falseCase = m_jit.branchPtr(MacroAssembler::NotEqual, op1GPR, op2GPR);
@@ -392 +394 @@
 
     if (Node::shouldSpeculateFinalObject(at(node.child1()), at(node.child2())))
-        compileObjectEquality(node, m_jit.globalData()->jsFinalObjectVPtr);
+        compileObjectEquality(node, m_jit.globalData()->jsFinalObjectVPtr, isFinalObjectPrediction);
     else if (Node::shouldSpeculateArray(at(node.child1()), at(node.child2())))
-        compileObjectEquality(node, m_jit.globalData()->jsArrayVPtr);
+        compileObjectEquality(node, m_jit.globalData()->jsArrayVPtr, isArrayPrediction);
     else if (!at(node.child1()).shouldSpeculateNumber() && !at(node.child2()).shouldSpeculateNumber())
         nonSpeculativeNonPeepholeCompare(node, condition, operation);
@@ -450 +452 @@
 }
 
-void SpeculativeJIT::compileObjectOrOtherLogicalNot(NodeIndex nodeIndex, void* vptr)
+void SpeculativeJIT::compileObjectOrOtherLogicalNot(NodeIndex nodeIndex, void* vptr, bool needSpeculationCheck)
 {
     JSValueOperand value(this, nodeIndex);
@@ -463 +465 @@
     
     MacroAssembler::Jump notCell = m_jit.branch32(MacroAssembler::NotEqual, valueTagGPR, TrustedImm32(JSValue::CellTag));
-    speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(valuePayloadGPR), MacroAssembler::TrustedImmPtr(vptr)));
+    if (needSpeculationCheck)
+        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(valuePayloadGPR), MacroAssembler::TrustedImmPtr(vptr)));
     m_jit.move(TrustedImm32(0), resultPayloadGPR);
     MacroAssembler::Jump done = m_jit.jump();
@@ -470 +473 @@
  
     COMPILE_ASSERT((JSValue::UndefinedTag | 1) == JSValue::NullTag, UndefinedTag_OR_1_EQUALS_NullTag);
-    m_jit.move(valueTagGPR, resultPayloadGPR);
-    m_jit.or32(TrustedImm32(1), resultPayloadGPR);
-    speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, resultPayloadGPR, TrustedImm32(JSValue::NullTag)));
+    if (needSpeculationCheck) {
+        m_jit.move(valueTagGPR, resultPayloadGPR);
+        m_jit.or32(TrustedImm32(1), resultPayloadGPR);
+        speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, resultPayloadGPR, TrustedImm32(JSValue::NullTag)));
+    }
     m_jit.move(TrustedImm32(1), resultPayloadGPR);
     
@@ -485 +490 @@
 
     if (at(node.child1()).shouldSpeculateFinalObjectOrOther()) {
-        compileObjectOrOtherLogicalNot(node.child1(), m_jit.globalData()->jsFinalObjectVPtr);
+        compileObjectOrOtherLogicalNot(node.child1(), m_jit.globalData()->jsFinalObjectVPtr, !isFinalObjectOrOtherPrediction(m_state.forNode(node.child1()).m_type));
         return;
     }
     if (at(node.child1()).shouldSpeculateArrayOrOther()) {
-        compileObjectOrOtherLogicalNot(node.child1(), m_jit.globalData()->jsArrayVPtr);
+        compileObjectOrOtherLogicalNot(node.child1(), m_jit.globalData()->jsArrayVPtr, !isArrayOrOtherPrediction(m_state.forNode(node.child1()).m_type));
         return;
     }
@@ -555 +560 @@
 }
 
-void SpeculativeJIT::emitObjectOrOtherBranch(NodeIndex nodeIndex, BlockIndex taken, BlockIndex notTaken, void *vptr)
+void SpeculativeJIT::emitObjectOrOtherBranch(NodeIndex nodeIndex, BlockIndex taken, BlockIndex notTaken, void *vptr, bool needSpeculationCheck)
 {
     JSValueOperand value(this, nodeIndex);
@@ -564 +569 @@
     
     MacroAssembler::Jump notCell = m_jit.branch32(MacroAssembler::NotEqual, valueTagGPR, TrustedImm32(JSValue::CellTag));
-    speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(valuePayloadGPR), MacroAssembler::TrustedImmPtr(vptr)));
+    if (needSpeculationCheck)
+        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(valuePayloadGPR), MacroAssembler::TrustedImmPtr(vptr)));
     addBranch(m_jit.jump(), taken);
     
@@ -570 +576 @@
     
     COMPILE_ASSERT((JSValue::UndefinedTag | 1) == JSValue::NullTag, UndefinedTag_OR_1_EQUALS_NullTag);
-    m_jit.move(valueTagGPR, scratchGPR);
-    m_jit.or32(TrustedImm32(1), scratchGPR);
-    speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, scratchGPR, TrustedImm32(JSValue::NullTag)));
+    if (needSpeculationCheck) {
+        m_jit.move(valueTagGPR, scratchGPR);
+        m_jit.or32(TrustedImm32(1), scratchGPR);
+        speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, scratchGPR, TrustedImm32(JSValue::NullTag)));
+    }
 
     if (notTaken != (m_block + 1))
@@ -582 +590 @@
 void SpeculativeJIT::emitBranch(Node& node)
 {
-    BlockIndex taken = m_jit.graph().blockIndexForBytecodeOffset(node.takenBytecodeOffset());
-    BlockIndex notTaken = m_jit.graph().blockIndexForBytecodeOffset(node.notTakenBytecodeOffset());
+    BlockIndex taken = node.takenBlockIndex();
+    BlockIndex notTaken = node.notTakenBlockIndex();
 
     // FIXME: Add fast cases for known Boolean!
 
     if (at(node.child1()).shouldSpeculateFinalObjectOrOther()) {
-        emitObjectOrOtherBranch(node.child1(), taken, notTaken, m_jit.globalData()->jsFinalObjectVPtr);
+        emitObjectOrOtherBranch(node.child1(), taken, notTaken, m_jit.globalData()->jsFinalObjectVPtr, !isFinalObjectOrOtherPrediction(m_state.forNode(node.child1()).m_type));
     } else if (at(node.child1()).shouldSpeculateArrayOrOther()) {
-        emitObjectOrOtherBranch(node.child1(), taken, notTaken, m_jit.globalData()->jsArrayVPtr);
+        emitObjectOrOtherBranch(node.child1(), taken, notTaken, m_jit.globalData()->jsArrayVPtr, !isArrayOrOtherPrediction(m_state.forNode(node.child1()).m_type));
     } else if (at(node.child1()).shouldSpeculateNumber()) {
         if (at(node.child1()).shouldSpeculateInteger()) {
@@ -656 +664 @@
     case GetLocal: {
         PredictedType prediction = node.variableAccessData()->prediction();
+        AbstractValue& value = block()->valuesAtHead.operand(node.local());
 
         // If we have no prediction for this local, then don't attempt to compile.
@@ -696 +705 @@
         m_gprs.retain(tag.gpr(), virtualRegister, SpillOrderJS);
 
-        DataFormat format = isBooleanPrediction(prediction) ? DataFormatJSBoolean : DataFormatJS;
+        DataFormat format;
+        if (isCellPrediction(value.m_type))
+            format = DataFormatJSCell;
+        else if (isBooleanPrediction(value.m_type))
+            format = DataFormatJSBoolean;
+        else
+            format = DataFormatJS;
+
         m_generationInfo[virtualRegister].initJSValue(m_compileIndex, node.refCount(), tag.gpr(), result.gpr(), format);
         break;
@@ -725 +741 @@
             SpeculateCellOperand cell(this, node.child1());
             GPRReg cellGPR = cell.gpr();
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(cellGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
+            if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
+                speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(cellGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
             m_jit.storePtr(cellGPR, JITCompiler::payloadFor(node.local()));
             noResult(m_compileIndex);
@@ -1328 +1345 @@
         // Check that base is an array, and that property is contained within m_vector (< m_vectorLength).
         // If we have predicted the base to be type array, we can skip the check.
-        if (!isKnownArray(node.child1()))
+        if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
             speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
         speculationCheck(m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset())));
@@ -1381 +1398 @@
         // Check that base is an array, and that property is contained within m_vector (< m_vectorLength).
         // If we have predicted the base to be type array, we can skip the check.
-        if (!isKnownArray(node.child1()))
+        if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
             speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
 
@@ -1463 +1480 @@
         writeBarrier(baseGPR, valueTagGPR, node.child2(), WriteBarrierForPropertyAccess, storageGPR, storageLengthGPR);
 
-        if (!isKnownArray(node.child1()))
+        if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
             speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
         
@@ -1509 +1526 @@
         GPRReg storageLengthGPR = storageLength.gpr();
         
-        if (!isKnownArray(node.child1()))
+        if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
             speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
         
@@ -1556 +1573 @@
 
     case DFG::Jump: {
-        BlockIndex taken = m_jit.graph().blockIndexForBytecodeOffset(node.takenBytecodeOffset());
+        BlockIndex taken = node.takenBlockIndex();
         if (taken != (m_block + 1))
             addBranch(m_jit.jump(), taken);
@@ -1567 +1584 @@
             SpeculateIntegerOperand op(this, node.child1());
             
-            BlockIndex taken = m_jit.graph().blockIndexForBytecodeOffset(node.takenBytecodeOffset());
-            BlockIndex notTaken = m_jit.graph().blockIndexForBytecodeOffset(node.notTakenBytecodeOffset());
+            BlockIndex taken = node.takenBlockIndex();
+            BlockIndex notTaken = node.notTakenBlockIndex();
             
             MacroAssembler::ResultCondition condition = MacroAssembler::NonZero;
@@ -1780 +1797 @@
             SpeculateCellOperand thisValue(this, node.child1());
             
-            speculationCheck(m_jit.branchPtr(JITCompiler::Equal, JITCompiler::Address(thisValue.gpr()), JITCompiler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
+            if (!isObjectPrediction(m_state.forNode(node.child1()).m_type))
+                speculationCheck(m_jit.branchPtr(JITCompiler::Equal, JITCompiler::Address(thisValue.gpr()), JITCompiler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
             
             cellResult(thisValue.gpr(), m_compileIndex);
@@ -1822 +1840 @@
         // that it's a FinalObject then we speculate on that directly. Otherwise we
         // do the slow (structure-based) check.
-        if (at(node.child1()).shouldSpeculateFinalObject())
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(protoGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsFinalObjectVPtr)));
-        else {
+        if (at(node.child1()).shouldSpeculateFinalObject()) {
+            if (!isFinalObjectPrediction(m_state.forNode(node.child1()).m_type))
+                speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(protoGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsFinalObjectVPtr)));
+        } else {
             m_jit.loadPtr(MacroAssembler::Address(protoGPR, JSCell::structureOffset()), scratchGPR);
             slowPath.append(m_jit.branch8(MacroAssembler::Below, MacroAssembler::Address(scratchGPR, Structure::typeInfoTypeOffset()), MacroAssembler::TrustedImm32(ObjectType)));
@@ -1960 +1979 @@
         GPRReg resultGPR = result.gpr();
         
-        if (!isKnownArray(node.child1()))
+        if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
             speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
         
@@ -1979 +1998 @@
         GPRReg resultGPR = result.gpr();
         
-        if (!isKnownString(node.child1()))
+        if (!isStringPrediction(m_state.forNode(node.child1()).m_type))
             speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
         
@@ -1996 +2015 @@
 
     case CheckStructure: {
+        if (m_state.forNode(node.child1()).m_structure.isSubsetOf(node.structureSet())) {
+            noResult(m_compileIndex);
+            break;
+        }
+        
         SpeculateCellOperand base(this, node.child1());
         
@@ -2122 +2146 @@
         GPRReg scratchGPR = scratch.gpr();
         
-        speculationCheck(m_jit.branchPtr(JITCompiler::NotEqual, JITCompiler::Address(baseGPR, JSCell::structureOffset()), JITCompiler::TrustedImmPtr(methodCheckData.structure)));
+        if (!m_state.forNode(node.child1()).m_structure.doesNotContainAnyOtherThan(methodCheckData.structure))
+            speculationCheck(m_jit.branchPtr(JITCompiler::NotEqual, JITCompiler::Address(baseGPR, JSCell::structureOffset()), JITCompiler::TrustedImmPtr(methodCheckData.structure)));
         if (methodCheckData.prototype != m_jit.codeBlock()->globalObject()->methodCallDummy()) {
             m_jit.move(JITCompiler::TrustedImmPtr(methodCheckData.prototype->structureAddress()), scratchGPR);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -490 +490 @@
 }
 
-void SpeculativeJIT::compileObjectEquality(Node& node, void* vptr)
+void SpeculativeJIT::compileObjectEquality(Node& node, void* vptr, PredictionChecker predictionCheck)
 {
     SpeculateCellOperand op1(this, node.child1());
@@ -500 +500 @@
     GPRReg resultGPR = result.gpr();
     
-    speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op1GPR), MacroAssembler::TrustedImmPtr(vptr)));
-    speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op2GPR), MacroAssembler::TrustedImmPtr(vptr)));
+    if (!predictionCheck(m_state.forNode(node.child1()).m_type))
+        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op1GPR), MacroAssembler::TrustedImmPtr(vptr)));
+    if (!predictionCheck(m_state.forNode(node.child2()).m_type))
+        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op2GPR), MacroAssembler::TrustedImmPtr(vptr)));
     
     MacroAssembler::Jump falseCase = m_jit.branchPtr(MacroAssembler::NotEqual, op1GPR, op2GPR);
@@ -541 +543 @@
         jsValueResult(result.gpr(), m_compileIndex, DataFormatJSBoolean);
     } else if (node.op == CompareEq && Node::shouldSpeculateFinalObject(at(node.child1()), at(node.child2())))
-        compileObjectEquality(node, m_jit.globalData()->jsFinalObjectVPtr);
+        compileObjectEquality(node, m_jit.globalData()->jsFinalObjectVPtr, isFinalObjectPrediction);
     else if (node.op == CompareEq && Node::shouldSpeculateArray(at(node.child1()), at(node.child2())))
-        compileObjectEquality(node, m_jit.globalData()->jsArrayVPtr);
+        compileObjectEquality(node, m_jit.globalData()->jsArrayVPtr, isArrayPrediction);
     else
         nonSpeculativeNonPeepholeCompare(node, condition, operation);
@@ -569 +571 @@
 }
 
-void SpeculativeJIT::compileObjectOrOtherLogicalNot(NodeIndex nodeIndex, void *vptr)
+void SpeculativeJIT::compileObjectOrOtherLogicalNot(NodeIndex nodeIndex, void *vptr, bool needSpeculationCheck)
 {
     JSValueOperand value(this, nodeIndex);
@@ -577 +579 @@
     
     MacroAssembler::Jump notCell = m_jit.branchTestPtr(MacroAssembler::NonZero, valueGPR, GPRInfo::tagMaskRegister);
-    speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(valueGPR), MacroAssembler::TrustedImmPtr(vptr)));
+    if (needSpeculationCheck)
+        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(valueGPR), MacroAssembler::TrustedImmPtr(vptr)));
     m_jit.move(TrustedImm32(static_cast<int32_t>(ValueFalse)), resultGPR);
     MacroAssembler::Jump done = m_jit.jump();
@@ -583 +586 @@
     notCell.link(&m_jit);
     
-    m_jit.move(valueGPR, resultGPR);
-    m_jit.andPtr(MacroAssembler::TrustedImm32(~TagBitUndefined), resultGPR);
-    speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, resultGPR, MacroAssembler::TrustedImmPtr(reinterpret_cast<void*>(ValueNull))));
+    if (needSpeculationCheck) {
+        m_jit.move(valueGPR, resultGPR);
+        m_jit.andPtr(MacroAssembler::TrustedImm32(~TagBitUndefined), resultGPR);
+        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, resultGPR, MacroAssembler::TrustedImmPtr(reinterpret_cast<void*>(ValueNull))));
+    }
     m_jit.move(TrustedImm32(static_cast<int32_t>(ValueTrue)), resultGPR);
     
@@ -606 +611 @@
     }
     if (at(node.child1()).shouldSpeculateFinalObjectOrOther()) {
-        compileObjectOrOtherLogicalNot(node.child1(), m_jit.globalData()->jsFinalObjectVPtr);
+        compileObjectOrOtherLogicalNot(node.child1(), m_jit.globalData()->jsFinalObjectVPtr, !isFinalObjectOrOtherPrediction(m_state.forNode(node.child1()).m_type));
         return;
     }
     if (at(node.child1()).shouldSpeculateArrayOrOther()) {
-        compileObjectOrOtherLogicalNot(node.child1(), m_jit.globalData()->jsArrayVPtr);
+        compileObjectOrOtherLogicalNot(node.child1(), m_jit.globalData()->jsArrayVPtr, !isArrayOrOtherPrediction(m_state.forNode(node.child1()).m_type));
         return;
     }
@@ -670 +675 @@
 }
 
-void SpeculativeJIT::emitObjectOrOtherBranch(NodeIndex nodeIndex, BlockIndex taken, BlockIndex notTaken, void *vptr)
+void SpeculativeJIT::emitObjectOrOtherBranch(NodeIndex nodeIndex, BlockIndex taken, BlockIndex notTaken, void *vptr, bool needSpeculationCheck)
 {
     JSValueOperand value(this, nodeIndex);
@@ -676 +681 @@
     
     MacroAssembler::Jump notCell = m_jit.branchTestPtr(MacroAssembler::NonZero, valueGPR, GPRInfo::tagMaskRegister);
-    speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(valueGPR), MacroAssembler::TrustedImmPtr(vptr)));
+    if (needSpeculationCheck)
+        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(valueGPR), MacroAssembler::TrustedImmPtr(vptr)));
     addBranch(m_jit.jump(), taken);
     
     notCell.link(&m_jit);
     
-    m_jit.andPtr(MacroAssembler::TrustedImm32(~TagBitUndefined), valueGPR);
-    speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, valueGPR, MacroAssembler::TrustedImmPtr(reinterpret_cast<void*>(ValueNull))));
+    if (needSpeculationCheck) {
+        m_jit.andPtr(MacroAssembler::TrustedImm32(~TagBitUndefined), valueGPR);
+        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, valueGPR, MacroAssembler::TrustedImmPtr(reinterpret_cast<void*>(ValueNull))));
+    }
     if (notTaken != (m_block + 1))
         addBranch(m_jit.jump(), notTaken);
@@ -694 +702 @@
     GPRReg valueGPR = value.gpr();
     
-    BlockIndex taken = m_jit.graph().blockIndexForBytecodeOffset(node.takenBytecodeOffset());
-    BlockIndex notTaken = m_jit.graph().blockIndexForBytecodeOffset(node.notTakenBytecodeOffset());
+    BlockIndex taken = node.takenBlockIndex();
+    BlockIndex notTaken = node.notTakenBlockIndex();
     
     if (isKnownBoolean(node.child1())) {
@@ -713 +721 @@
         noResult(m_compileIndex);
     } else if (at(node.child1()).shouldSpeculateFinalObjectOrOther()) {
-        emitObjectOrOtherBranch(node.child1(), taken, notTaken, m_jit.globalData()->jsFinalObjectVPtr);
+        emitObjectOrOtherBranch(node.child1(), taken, notTaken, m_jit.globalData()->jsFinalObjectVPtr, !isFinalObjectOrOtherPrediction(m_state.forNode(node.child1()).m_type));
     } else if (at(node.child1()).shouldSpeculateArrayOrOther()) {
-        emitObjectOrOtherBranch(node.child1(), taken, notTaken, m_jit.globalData()->jsArrayVPtr);
+        emitObjectOrOtherBranch(node.child1(), taken, notTaken, m_jit.globalData()->jsArrayVPtr, !isArrayOrOtherPrediction(m_state.forNode(node.child1()).m_type));
     } else if (at(node.child1()).shouldSpeculateNumber()) {
         if (at(node.child1()).shouldSpeculateInteger()) {
@@ -748 +756 @@
             addBranch(m_jit.branchPtr(MacroAssembler::Equal, valueGPR, MacroAssembler::ImmPtr(JSValue::encode(jsBoolean(false)))), notTaken);
             addBranch(m_jit.branchPtr(MacroAssembler::Equal, valueGPR, MacroAssembler::ImmPtr(JSValue::encode(jsBoolean(true)))), taken);
-        }
-        
-        if (predictBoolean) {
+
             speculationCheck(m_jit.jump());
             value.use();
@@ -788 +794 @@
     case GetLocal: {
         PredictedType prediction = node.variableAccessData()->prediction();
+        AbstractValue& value = block()->valuesAtHead.operand(node.local());
 
         // If we have no prediction for this local, then don't attempt to compile.
-        if (prediction == PredictNone) {
+        if (prediction == PredictNone || value.isClear()) {
             terminateSpeculativeExecution();
             break;
@@ -796 +803 @@
         
         GPRTemporary result(this);
-        if (isInt32Prediction(prediction)) {
+        if (isInt32Prediction(value.m_type)) {
             m_jit.load32(JITCompiler::payloadFor(node.local()), result.gpr());
 
@@ -815 +822 @@
 
         DataFormat format;
-        if (isArrayPrediction(prediction))
+        if (isCellPrediction(value.m_type))
             format = DataFormatJSCell;
-        else if (isBooleanPrediction(prediction))
+        else if (isBooleanPrediction(value.m_type))
             format = DataFormatJSBoolean;
         else
@@ -860 +867 @@
             SpeculateCellOperand cell(this, node.child1());
             GPRReg cellGPR = cell.gpr();
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(cellGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
+            if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
+                speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(cellGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
             m_jit.storePtr(cellGPR, JITCompiler::addressFor(node.local()));
             noResult(m_compileIndex);
@@ -1463 +1471 @@
         // Check that base is an array, and that property is contained within m_vector (< m_vectorLength).
         // If we have predicted the base to be type array, we can skip the check.
-        if (!isKnownArray(node.child1()))
+        if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
             speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
         speculationCheck(m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset())));
@@ -1513 +1521 @@
         // Check that base is an array, and that property is contained within m_vector (< m_vectorLength).
         // If we have predicted the base to be type array, we can skip the check.
-        if (!isKnownArray(node.child1()))
+        if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
             speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
 
@@ -1596 +1604 @@
         writeBarrier(baseGPR, valueGPR, node.child2(), WriteBarrierForPropertyAccess, storageGPR, storageLengthGPR);
 
-        if (!isKnownArray(node.child1()))
+        if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
             speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
         
@@ -1639 +1647 @@
         GPRReg storageLengthGPR = storageLength.gpr();
         
-        if (!isKnownArray(node.child1()))
+        if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
             speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
         
@@ -1682 +1690 @@
 
     case DFG::Jump: {
-        BlockIndex taken = m_jit.graph().blockIndexForBytecodeOffset(node.takenBytecodeOffset());
+        BlockIndex taken = node.takenBlockIndex();
         if (taken != (m_block + 1))
             addBranch(m_jit.jump(), taken);
@@ -1693 +1701 @@
             SpeculateIntegerOperand op(this, node.child1());
             
-            BlockIndex taken = m_jit.graph().blockIndexForBytecodeOffset(node.takenBytecodeOffset());
-            BlockIndex notTaken = m_jit.graph().blockIndexForBytecodeOffset(node.notTakenBytecodeOffset());
+            BlockIndex taken = node.takenBlockIndex();
+            BlockIndex notTaken = node.notTakenBlockIndex();
             
             MacroAssembler::ResultCondition condition = MacroAssembler::NonZero;
@@ -1867 +1875 @@
             GPRReg scratchGPR = scratch.gpr();
             
-            m_jit.move(thisValueGPR, scratchGPR);
-            m_jit.andPtr(MacroAssembler::TrustedImm32(~TagBitUndefined), scratchGPR);
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, scratchGPR, MacroAssembler::TrustedImmPtr(reinterpret_cast<void*>(ValueNull))));
+            if (!isOtherPrediction(m_state.forNode(node.child1()).m_type)) {
+                m_jit.move(thisValueGPR, scratchGPR);
+                m_jit.andPtr(MacroAssembler::TrustedImm32(~TagBitUndefined), scratchGPR);
+                speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, scratchGPR, MacroAssembler::TrustedImmPtr(reinterpret_cast<void*>(ValueNull))));
+            }
             
             m_jit.move(MacroAssembler::TrustedImmPtr(m_jit.codeBlock()->globalObject()), scratchGPR);
@@ -1879 +1889 @@
             SpeculateCellOperand thisValue(this, node.child1());
             
-            speculationCheck(m_jit.branchPtr(JITCompiler::Equal, JITCompiler::Address(thisValue.gpr()), JITCompiler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
+            if (!isObjectPrediction(m_state.forNode(node.child1()).m_type))
+                speculationCheck(m_jit.branchPtr(JITCompiler::Equal, JITCompiler::Address(thisValue.gpr()), JITCompiler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
             
             cellResult(thisValue.gpr(), m_compileIndex);
@@ -1919 +1930 @@
         // that it's a FinalObject then we speculate on that directly. Otherwise we
         // do the slow (structure-based) check.
-        if (at(node.child1()).shouldSpeculateFinalObject())
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(protoGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsFinalObjectVPtr)));
-        else {
+        if (at(node.child1()).shouldSpeculateFinalObject()) {
+            if (!isFinalObjectPrediction(m_state.forNode(node.child1()).m_type))
+                speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(protoGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsFinalObjectVPtr)));
+        } else {
             m_jit.loadPtr(MacroAssembler::Address(protoGPR, JSCell::structureOffset()), scratchGPR);
             slowPath.append(m_jit.branch8(MacroAssembler::Below, MacroAssembler::Address(scratchGPR, Structure::typeInfoTypeOffset()), MacroAssembler::TrustedImm32(ObjectType)));
@@ -2050 +2062 @@
         GPRReg resultGPR = result.gpr();
         
-        if (!isKnownArray(node.child1()))
+        if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
             speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
         
@@ -2069 +2081 @@
         GPRReg resultGPR = result.gpr();
         
-        if (!isKnownString(node.child1()))
+        if (!isStringPrediction(m_state.forNode(node.child1()).m_type))
             speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
         
@@ -2084 +2096 @@
     }
     case CheckStructure: {
+        if (m_state.forNode(node.child1()).m_structure.isSubsetOf(node.structureSet())) {
+            noResult(m_compileIndex);
+            break;
+        }
+        
         SpeculateCellOperand base(this, node.child1());
         
@@ -2203 +2220 @@
         GPRReg scratchGPR = scratch.gpr();
         
-        speculationCheck(m_jit.branchPtr(JITCompiler::NotEqual, JITCompiler::Address(baseGPR, JSCell::structureOffset()), JITCompiler::TrustedImmPtr(methodCheckData.structure)));
+        if (!m_state.forNode(node.child1()).m_structure.doesNotContainAnyOtherThan(methodCheckData.structure))
+            speculationCheck(m_jit.branchPtr(JITCompiler::NotEqual, JITCompiler::Address(baseGPR, JSCell::structureOffset()), JITCompiler::TrustedImmPtr(methodCheckData.structure)));
         if (methodCheckData.prototype != m_jit.codeBlock()->globalObject()->methodCallDummy()) {
             m_jit.move(JITCompiler::TrustedImmPtr(methodCheckData.prototype->structureAddress()), scratchGPR);

trunk/Source/JavaScriptCore/dfg/DFGStructureSet.h

@@ -27 +27 @@
 #define DFGStructureSet_h
 
+#include <wtf/Platform.h>
+
+#if ENABLE(DFG_JIT)
+
+#include "PredictedType.h"
+#include <stdio.h>
 #include <wtf/Vector.h>
 
@@ -35 +41 @@
 namespace DFG {
 
+class StructureAbstractValue;
+
 class StructureSet {
 public:
@@ -42 +50 @@
     {
         m_structures.append(structure);
+    }
+    
+    void clear()
+    {
+        m_structures.clear();
     }
     
@@ -105 +118 @@
     Structure* last() const { return m_structures.last(); }
 
+    PredictedType predictionFromStructures() const
+    {
+        PredictedType result = PredictNone;
+        
+        for (size_t i = 0; i < m_structures.size(); ++i)
+            mergePrediction(result, predictionFromStructure(m_structures[i]));
+        
+        return result;
+    }
+    
+    bool operator==(const StructureSet& other) const
+    {
+        if (m_structures.size() != other.m_structures.size())
+            return false;
+        
+        for (size_t i = 0; i < m_structures.size(); ++i) {
+            if (!other.contains(m_structures[i]))
+                return false;
+        }
+        
+        return true;
+    }
+    
+#ifndef NDEBUG
+    void dump(FILE* out)
+    {
+        fprintf(out, "[");
+        for (size_t i = 0; i < m_structures.size(); ++i) {
+            if (i)
+                fprintf(out, ", ");
+            fprintf(out, "%p", m_structures[i]);
+        }
+        fprintf(out, "]");
+    }
+#endif
+    
 private:
+    friend class StructureAbstractValue;
+    
     Vector<Structure*, 2> m_structures;
 };
@@ -111 +162 @@
 } } // namespace JSC::DFG
 
+#endif // ENABLE(DFG_JIT)
+
 #endif // DFGStructureSet_h