Changeset 98912 in webkit

Timestamp:

Oct 31, 2011 4:50:57 PM (13 years ago)

Author:

fpizlo@apple.com

Message:

DFG OSR exits should add to value profiles
​https://bugs.webkit.org/show_bug.cgi?id=71202

Reviewed by Oliver Hunt.

Value profiles now have an extra special slot not used by the old JIT's
profiling, which is reserved for OSR exits.

The DFG's OSR exit code now knows which register, node index, and value
profiling site was responsible for the (possibly flawed) information that
led to the OSR failure. This is somewhat opportunistic and imperfect;
if there's a lot of control flow between the value profiling site and the
OSR failure point, then this mechanism simply gives up. It also gives up
if the OSR failure is caused by either known deficiencies in the DFG
(like that we always assume that the index in a strict charCodeAt access
is within bounds) or where the OSR failure would be catalogues and
profiled through other means (like slow case counters).

This patch also adds the notion of a JSValueRegs, which is either a
single register in JSVALUE64 or a pair in JSVALUE32_64. We should
probably move the 32_64 DFG towards using this, since it often makes it
easier to share code between 64 and 32_64.

Also fixed a number of pathologies that this uncovered. op_method_check
didn't have a value profiling site on the slow path. GetById should not
always force OSR exit if it never executed in the old JIT; we may be
able to infer its type if it's a array or string length get. Finally,
these changes benefit from a slight tweak to optimization delay
heuristics (profile fullness is now 0.35 instead of 0.25).

3.8% speed-up on Kraken, mostly due to ~35% on both stanford-crypto-aes
and imaging-darkroom.

• bytecode/ValueProfile.cpp:

(JSC::ValueProfile::computeStatistics):
(JSC::ValueProfile::computeUpdatedPrediction):

• bytecode/ValueProfile.h:

(JSC::ValueProfile::ValueProfile):
(JSC::ValueProfile::specFailBucket):
(JSC::ValueProfile::numberOfSamples):
(JSC::ValueProfile::isLive):
(JSC::ValueProfile::numberOfInt32s):
(JSC::ValueProfile::numberOfDoubles):
(JSC::ValueProfile::numberOfCells):
(JSC::ValueProfile::numberOfObjects):
(JSC::ValueProfile::numberOfFinalObjects):
(JSC::ValueProfile::numberOfStrings):
(JSC::ValueProfile::numberOfArrays):
(JSC::ValueProfile::numberOfBooleans):
(JSC::ValueProfile::dump):

• dfg/DFGAbstractState.cpp:

(JSC::DFG::AbstractState::execute):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
(JSC::DFG::ByteCodeParser::getPrediction):
(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGGPRInfo.h:

(JSC::DFG::JSValueRegs::JSValueRegs):
(JSC::DFG::JSValueRegs::operator!):
(JSC::DFG::JSValueRegs::gpr):
(JSC::DFG::JSValueSource::JSValueSource):
(JSC::DFG::JSValueSource::unboxedCell):
(JSC::DFG::JSValueSource::operator!):
(JSC::DFG::JSValueSource::isAddress):
(JSC::DFG::JSValueSource::offset):
(JSC::DFG::JSValueSource::base):
(JSC::DFG::JSValueSource::gpr):
(JSC::DFG::JSValueSource::asAddress):
(JSC::DFG::JSValueSource::notAddress):
(JSC::DFG::JSValueRegs::tagGPR):
(JSC::DFG::JSValueRegs::payloadGPR):
(JSC::DFG::JSValueSource::tagGPR):
(JSC::DFG::JSValueSource::payloadGPR):
(JSC::DFG::JSValueSource::hasKnownTag):
(JSC::DFG::JSValueSource::tag):

• dfg/DFGGenerationInfo.h:

(JSC::DFG::GenerationInfo::jsValueRegs):

• dfg/DFGGraph.h:

(JSC::DFG::Graph::valueProfileFor):

• dfg/DFGJITCodeGenerator.h:

(JSC::JSValueOperand::jsValueRegs):

• dfg/DFGJITCompiler.cpp:

(JSC::DFG::JITCompiler::exitSpeculativeWithOSR):

• dfg/DFGJITCompiler.h:

(JSC::DFG::JITCompiler::valueProfileFor):

• dfg/DFGJITCompiler32_64.cpp:

(JSC::DFG::JITCompiler::exitSpeculativeWithOSR):

• dfg/DFGPropagator.cpp:

(JSC::DFG::Propagator::propagateNodePredictions):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::OSRExit::OSRExit):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
(JSC::DFG::SpeculativeJIT::checkArgumentTypes):
(JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
(JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnByteArray):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::speculationCheck):
(JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compileObjectEquality):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::compileLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compileObjectEquality):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::compileLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::emitBranch):
(JSC::DFG::SpeculativeJIT::compile):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emitSlow_op_method_check):

• jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::emitSlow_op_method_check):

• runtime/Heuristics.cpp:

(JSC::Heuristics::initializeHeuristics):

• runtime/JSValue.h:

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/ValueProfile.cpp (modified) (2 diffs)
• bytecode/ValueProfile.h (modified) (14 diffs)
• dfg/DFGAbstractState.cpp (modified) (1 diff)
• dfg/DFGByteCodeParser.cpp (modified) (5 diffs)
• dfg/DFGGPRInfo.h (modified) (1 diff)
• dfg/DFGGenerationInfo.h (modified) (2 diffs)
• dfg/DFGGraph.h (modified) (1 diff)
• dfg/DFGJITCodeGenerator.h (modified) (2 diffs)
• dfg/DFGJITCompiler.cpp (modified) (12 diffs)
• dfg/DFGJITCompiler.h (modified) (1 diff)
• dfg/DFGJITCompiler32_64.cpp (modified) (11 diffs)
• dfg/DFGPropagator.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT.cpp (modified) (13 diffs)
• dfg/DFGSpeculativeJIT.h (modified) (3 diffs)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (58 diffs)
• dfg/DFGSpeculativeJIT64.cpp (modified) (59 diffs)
• jit/JITPropertyAccess.cpp (modified) (1 diff)
• jit/JITPropertyAccess32_64.cpp (modified) (1 diff)
• runtime/Heuristics.cpp (modified) (1 diff)
• runtime/JSValue.h (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-10-31  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG OSR exits should add to value profiles
+        https://bugs.webkit.org/show_bug.cgi?id=71202
+
+        Reviewed by Oliver Hunt.
+        
+        Value profiles now have an extra special slot not used by the old JIT's
+        profiling, which is reserved for OSR exits.
+        
+        The DFG's OSR exit code now knows which register, node index, and value
+        profiling site was responsible for the (possibly flawed) information that
+        led to the OSR failure. This is somewhat opportunistic and imperfect;
+        if there's a lot of control flow between the value profiling site and the
+        OSR failure point, then this mechanism simply gives up. It also gives up
+        if the OSR failure is caused by either known deficiencies in the DFG
+        (like that we always assume that the index in a strict charCodeAt access
+        is within bounds) or where the OSR failure would be catalogues and
+        profiled through other means (like slow case counters).
+        
+        This patch also adds the notion of a JSValueRegs, which is either a
+        single register in JSVALUE64 or a pair in JSVALUE32_64. We should
+        probably move the 32_64 DFG towards using this, since it often makes it
+        easier to share code between 64 and 32_64.
+        
+        Also fixed a number of pathologies that this uncovered. op_method_check 
+        didn't have a value profiling site on the slow path. GetById should not
+        always force OSR exit if it never executed in the old JIT; we may be
+        able to infer its type if it's a array or string length get. Finally,
+        these changes benefit from a slight tweak to optimization delay
+        heuristics (profile fullness is now 0.35 instead of 0.25).
+        
+        3.8% speed-up on Kraken, mostly due to ~35% on both stanford-crypto-aes
+        and imaging-darkroom.
+
+        * bytecode/ValueProfile.cpp:
+        (JSC::ValueProfile::computeStatistics):
+        (JSC::ValueProfile::computeUpdatedPrediction):
+        * bytecode/ValueProfile.h:
+        (JSC::ValueProfile::ValueProfile):
+        (JSC::ValueProfile::specFailBucket):
+        (JSC::ValueProfile::numberOfSamples):
+        (JSC::ValueProfile::isLive):
+        (JSC::ValueProfile::numberOfInt32s):
+        (JSC::ValueProfile::numberOfDoubles):
+        (JSC::ValueProfile::numberOfCells):
+        (JSC::ValueProfile::numberOfObjects):
+        (JSC::ValueProfile::numberOfFinalObjects):
+        (JSC::ValueProfile::numberOfStrings):
+        (JSC::ValueProfile::numberOfArrays):
+        (JSC::ValueProfile::numberOfBooleans):
+        (JSC::ValueProfile::dump):
+        * dfg/DFGAbstractState.cpp:
+        (JSC::DFG::AbstractState::execute):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
+        (JSC::DFG::ByteCodeParser::getPrediction):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGGPRInfo.h:
+        (JSC::DFG::JSValueRegs::JSValueRegs):
+        (JSC::DFG::JSValueRegs::operator!):
+        (JSC::DFG::JSValueRegs::gpr):
+        (JSC::DFG::JSValueSource::JSValueSource):
+        (JSC::DFG::JSValueSource::unboxedCell):
+        (JSC::DFG::JSValueSource::operator!):
+        (JSC::DFG::JSValueSource::isAddress):
+        (JSC::DFG::JSValueSource::offset):
+        (JSC::DFG::JSValueSource::base):
+        (JSC::DFG::JSValueSource::gpr):
+        (JSC::DFG::JSValueSource::asAddress):
+        (JSC::DFG::JSValueSource::notAddress):
+        (JSC::DFG::JSValueRegs::tagGPR):
+        (JSC::DFG::JSValueRegs::payloadGPR):
+        (JSC::DFG::JSValueSource::tagGPR):
+        (JSC::DFG::JSValueSource::payloadGPR):
+        (JSC::DFG::JSValueSource::hasKnownTag):
+        (JSC::DFG::JSValueSource::tag):
+        * dfg/DFGGenerationInfo.h:
+        (JSC::DFG::GenerationInfo::jsValueRegs):
+        * dfg/DFGGraph.h:
+        (JSC::DFG::Graph::valueProfileFor):
+        * dfg/DFGJITCodeGenerator.h:
+        (JSC::JSValueOperand::jsValueRegs):
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
+        * dfg/DFGJITCompiler.h:
+        (JSC::DFG::JITCompiler::valueProfileFor):
+        * dfg/DFGJITCompiler32_64.cpp:
+        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
+        * dfg/DFGPropagator.cpp:
+        (JSC::DFG::Propagator::propagateNodePredictions):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::OSRExit::OSRExit):
+        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
+        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
+        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
+        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnByteArray):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::speculationCheck):
+        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
+        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
+        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+        (JSC::DFG::SpeculativeJIT::emitBranch):
+        (JSC::DFG::SpeculativeJIT::compile):
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emitSlow_op_method_check):
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::emitSlow_op_method_check):
+        * runtime/Heuristics.cpp:
+        (JSC::Heuristics::initializeHeuristics):
+        * runtime/JSValue.h:
+
 2011-10-31  Sam Weinig  <sam@webkit.org>
 

trunk/Source/JavaScriptCore/bytecode/ValueProfile.cpp

@@ -60 +60 @@
 void ValueProfile::computeStatistics(Statistics& statistics) const
 {
-    for (unsigned i = 0; i < numberOfBuckets; ++i) {
+    for (unsigned i = 0; i < totalNumberOfBuckets; ++i) {
         JSValue value = JSValue::decode(m_buckets[i]);
         if (!value)
@@ -80 +80 @@
 PredictedType ValueProfile::computeUpdatedPrediction()
 {
-    for (unsigned i = 0; i < numberOfBuckets; ++i) {
+    for (unsigned i = 0; i < totalNumberOfBuckets; ++i) {
         JSValue value = JSValue::decode(m_buckets[i]);
         if (!value)

trunk/Source/JavaScriptCore/bytecode/ValueProfile.h

@@ -41 +41 @@
     static const unsigned logNumberOfBuckets = 3; // 8 buckets
     static const unsigned numberOfBuckets = 1 << logNumberOfBuckets;
+    static const unsigned numberOfSpecFailBuckets = 1;
     static const unsigned bucketIndexMask = numberOfBuckets - 1;
-    static const unsigned certainty = numberOfBuckets * numberOfBuckets;
+    static const unsigned totalNumberOfBuckets = numberOfBuckets + numberOfSpecFailBuckets;
+    static const unsigned certainty = totalNumberOfBuckets * totalNumberOfBuckets;
     static const unsigned majority = certainty / 2;
     
@@ -50 +52 @@
         , m_numberOfSamplesInPrediction(0)
     {
-        for (unsigned i = 0; i < numberOfBuckets; ++i)
+        for (unsigned i = 0; i < totalNumberOfBuckets; ++i)
             m_buckets[i] = JSValue::encode(JSValue());
+    }
+    
+    EncodedJSValue* specFailBucket(unsigned i)
+    {
+        ASSERT(numberOfBuckets + i < totalNumberOfBuckets);
+        return m_buckets + numberOfBuckets + i;
     }
     
@@ -68 +76 @@
     {
         unsigned result = 0;
-        for (unsigned i = 0; i < numberOfBuckets; ++i) {
+        for (unsigned i = 0; i < totalNumberOfBuckets; ++i) {
             if (!!JSValue::decode(m_buckets[i]))
                 result++;
@@ -82 +90 @@
     bool isLive() const
     {
-        for (unsigned i = 0; i < numberOfBuckets; ++i) {
+        for (unsigned i = 0; i < totalNumberOfBuckets; ++i) {
             if (!!JSValue::decode(m_buckets[i]))
                 return true;
@@ -99 +107 @@
     {
         unsigned result = 0;
-        for (unsigned i = 0; i < numberOfBuckets; ++i) {
+        for (unsigned i = 0; i < totalNumberOfBuckets; ++i) {
             if (JSValue::decode(m_buckets[i]).isInt32())
                 result++;
@@ -109 +117 @@
     {
         unsigned result = 0;
-        for (unsigned i = 0; i < numberOfBuckets; ++i) {
+        for (unsigned i = 0; i < totalNumberOfBuckets; ++i) {
             if (JSValue::decode(m_buckets[i]).isDouble())
                 result++;
@@ -119 +127 @@
     {
         unsigned result = 0;
-        for (unsigned i = 0; i < numberOfBuckets; ++i) {
+        for (unsigned i = 0; i < totalNumberOfBuckets; ++i) {
             if (!!classInfo(i))
                 result++;
@@ -129 +137 @@
     {
         unsigned result = 0;
-        for (unsigned i = 0; i < numberOfBuckets; ++i) {
+        for (unsigned i = 0; i < totalNumberOfBuckets; ++i) {
             const ClassInfo* ci = classInfo(i);
             if (!!ci && ci->isSubClassOf(&JSObject::s_info))
@@ -140 +148 @@
     {
         unsigned result = 0;
-        for (unsigned i = 0; i < numberOfBuckets; ++i) {
+        for (unsigned i = 0; i < totalNumberOfBuckets; ++i) {
             if (classInfo(i) == &JSFinalObject::s_info)
                 result++;
@@ -150 +158 @@
     {
         unsigned result = 0;
-        for (unsigned i = 0; i < numberOfBuckets; ++i) {
+        for (unsigned i = 0; i < totalNumberOfBuckets; ++i) {
             if (classInfo(i) == &JSString::s_info)
                 result++;
@@ -160 +168 @@
     {
         unsigned result = 0;
-        for (unsigned i = 0; i < numberOfBuckets; ++i) {
+        for (unsigned i = 0; i < totalNumberOfBuckets; ++i) {
             if (classInfo(i) == &JSArray::s_info)
                 result++;
@@ -170 +178 @@
     {
         unsigned result = 0;
-        for (unsigned i = 0; i < numberOfBuckets; ++i) {
+        for (unsigned i = 0; i < totalNumberOfBuckets; ++i) {
             if (JSValue::decode(m_buckets[i]).isBoolean())
                 result++;
@@ -238 +246 @@
                 predictionToString(m_prediction), m_numberOfSamplesInPrediction);
         bool first = true;
-        for (unsigned i = 0; i < numberOfBuckets; ++i) {
+        for (unsigned i = 0; i < totalNumberOfBuckets; ++i) {
             JSValue value = JSValue::decode(m_buckets[i]);
             if (!!value) {
@@ -285 +293 @@
     unsigned m_numberOfSamplesInPrediction;
     
-    EncodedJSValue m_buckets[numberOfBuckets];
+    EncodedJSValue m_buckets[totalNumberOfBuckets];
 };
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp

@@ -552 +552 @@
     case GetById:
     case GetMethod:
+        if (!node.prediction()) {
+            m_isValid = false;
+            break;
+        }
         forNode(node.child1()).filter(PredictCell);
         clobberStructures(nodeIndex);

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -595 +595 @@
         return call;
     }
-
-    PredictedType getPrediction(NodeIndex nodeIndex, unsigned bytecodeIndex)
+    
+    PredictedType getPredictionWithoutOSRExit(NodeIndex nodeIndex, unsigned bytecodeIndex)
     {
         UNUSED_PARAM(nodeIndex);
@@ -607 +607 @@
 #endif
         
+        return prediction;
+    }
+
+    PredictedType getPrediction(NodeIndex nodeIndex, unsigned bytecodeIndex)
+    {
+        PredictedType prediction = getPredictionWithoutOSRExit(nodeIndex, bytecodeIndex);
+        
         if (prediction == PredictNone) {
             // We have no information about what values this node generates. Give up
@@ -614 +621 @@
         
         return prediction;
+    }
+    
+    PredictedType getPredictionWithoutOSRExit()
+    {
+        return getPredictionWithoutOSRExit(m_graph.size(), m_currentIndex);
     }
     
@@ -1652 +1664 @@
         }
         case op_get_by_id: {
-            PredictedType prediction = getPrediction();
+            PredictedType prediction = getPredictionWithoutOSRExit();
             
             NodeIndex base = get(currentInstruction[2].u.operand);
@@ -1719 +1731 @@
             if (offset != notFound) {
                 ASSERT(structureSet.size());
+                
+                // The implementation of GetByOffset does not know to terminate speculative
+                // execution if it doesn't have a prediction, so we do it manually.
+                if (prediction == PredictNone)
+                    addToGraph(ForceOSRExit);
+                
                 addToGraph(CheckStructure, OpInfo(m_graph.addStructureSet(structureSet)), base);
                 set(currentInstruction[1].u.operand, addToGraph(GetByOffset, OpInfo(m_graph.m_storageAccessData.size()), OpInfo(prediction), addToGraph(GetPropertyStorage, base)));

trunk/Source/JavaScriptCore/dfg/DFGGPRInfo.h

@@ -37 +37 @@
 #define InvalidGPRReg ((GPRReg)-1)
 
+#if USE(JSVALUE64)
+class JSValueRegs {
+public:
+    JSValueRegs()
+        : m_gpr(InvalidGPRReg)
+    {
+    }
+    
+    explicit JSValueRegs(GPRReg gpr)
+        : m_gpr(gpr)
+    {
+    }
+    
+    bool operator!() const { return m_gpr == InvalidGPRReg; }
+    
+    GPRReg gpr() const { return m_gpr; }
+    
+private:
+    GPRReg m_gpr;
+};
+
+class JSValueSource {
+public:
+    JSValueSource()
+        : m_offset(notAddress())
+        , m_base(InvalidGPRReg)
+    {
+    }
+    
+    JSValueSource(JSValueRegs regs)
+        : m_offset(notAddress())
+        , m_base(regs.gpr())
+    {
+    }
+    
+    explicit JSValueSource(GPRReg gpr)
+        : m_offset(notAddress())
+        , m_base(gpr)
+    {
+    }
+    
+    JSValueSource(MacroAssembler::Address address)
+        : m_offset(address.offset)
+        , m_base(address.base)
+    {
+        ASSERT(m_offset != notAddress());
+        ASSERT(m_base != InvalidGPRReg);
+    }
+    
+    static JSValueSource unboxedCell(GPRReg payloadGPR)
+    {
+        return JSValueSource(payloadGPR);
+    }
+    
+    bool operator!() const { return m_base == InvalidGPRReg; }
+    
+    bool isAddress() const { return m_offset != notAddress(); }
+    
+    int32_t offset() const
+    {
+        ASSERT(isAddress());
+        return m_offset;
+    }
+    
+    GPRReg base() const
+    {
+        ASSERT(isAddress());
+        return m_base;
+    }
+    
+    GPRReg gpr() const
+    {
+        ASSERT(!isAddress());
+        return m_base;
+    }
+    
+    MacroAssembler::Address asAddress() const { return MacroAssembler::Address(base(), offset()); }
+    
+private:
+    static inline int32_t notAddress() { return 0x80000000; }     
+          
+    int32_t m_offset;
+    GPRReg m_base;
+};
+#endif
+
+#if USE(JSVALUE32_64)
+class JSValueRegs {
+public:
+    JSValueRegs()
+        : m_tagGPR(static_cast<int8_t>(InvalidGPRReg))
+        , m_payloadGPR(static_cast<int8_t>(InvalidGPRReg))
+    {
+    }
+    
+    JSValueRegs(GPRReg tagGPR, GPRReg payloadGPR)
+        : m_tagGPR(tagGPR)
+        , m_payloadGPR(payloadGPR)
+    {
+        ASSERT((static_cast<GPRReg>(m_tagGPR) == InvalidGPRReg) == (static_cast<GPRReg>(payloadGPR) == InvalidGPRReg));
+    }
+    
+    bool operator!() const { return static_cast<GPRReg>(m_tagGPR) == InvalidGPRReg; }
+    
+    GPRReg tagGPR() const { return static_cast<GPRReg>(m_tagGPR); }
+    GPRReg payloadGPR() const { return static_cast<GPRReg>(m_payloadGPR); }
+
+private:
+    int8_t m_tagGPR;
+    int8_t m_payloadGPR;
+};
+
+class JSValueSource {
+public:
+    JSValueSource()
+        : m_offset(notAddress())
+        , m_baseOrTag(static_cast<int8_t>(InvalidGPRReg))
+        , m_payload(static_cast<int8_t>(InvalidGPRReg))
+        , m_tagType(0)
+    {
+    }
+    
+    JSValueSource(JSValueRegs regs)
+        : m_offset(notAddress())
+        , m_baseOrTag(regs.tagGPR())
+        , m_payload(regs.payloadGPR())
+        , m_tagType(0)
+    {
+    }
+    
+    JSValueSource(GPRReg tagGPR, GPRReg payloadGPR)
+        : m_offset(notAddress())
+        , m_baseOrTag(static_cast<int8_t>(tagGPR))
+        , m_payload(static_cast<int8_t>(payloadGPR))
+        , m_tagType(0)
+    {
+    }
+    
+    JSValueSource(MacroAssembler::Address address)
+        : m_offset(address.offset)
+        , m_baseOrTag(static_cast<int8_t>(address.base))
+        , m_payload(static_cast<int8_t>(InvalidGPRReg))
+        , m_tagType(0)
+    {
+        ASSERT(m_offset != notAddress());
+        ASSERT(static_cast<GPRReg>(m_baseOrTag) != InvalidGPRReg);
+    }
+    
+    static JSValueSource unboxedCell(GPRReg payloadGPR)
+    {
+        JSValueSource result;
+        result.m_offset = notAddress();
+        result.m_baseOrTag = static_cast<int8_t>(InvalidGPRReg);
+        result.m_payload = static_cast<int8_t>(payloadGPR);
+        result.m_tagType = static_cast<int8_t>(JSValue::CellTag);
+        return result;
+    }
+    
+    bool operator!() const { return static_cast<GPRReg>(m_baseOrTag) == InvalidGPRReg && static_cast<GPRReg>(m_payload) == InvalidGPRReg; }
+    
+    bool isAddress() const
+    {
+        ASSERT(!!*this);
+        return m_offset != notAddress();
+    }
+    
+    int32_t offset() const
+    {
+        ASSERT(isAddress());
+        return m_offset;
+    }
+    
+    GPRReg base() const
+    {
+        ASSERT(isAddress());
+        return static_cast<GPRReg>(m_baseOrTag);
+    }
+    
+    GPRReg tagGPR() const
+    {
+        ASSERT(!isAddress() && m_baseOrTag != InvalidGPRReg);
+        return static_cast<GPRReg>(m_baseOrTag);
+    }
+    
+    GPRReg payloadGPR() const
+    {
+        ASSERT(!isAddress());
+        return static_cast<GPRReg>(m_payload);
+    }
+    
+    bool hasKnownTag() const
+    {
+        ASSERT(!!*this);
+        ASSERT(!isAddress());
+        return static_cast<GPRReg>(m_baseOrTag) == InvalidGPRReg;
+    }
+    
+    uint32_t tag() const
+    {
+        return static_cast<int32_t>(m_tagType);
+    }
+    
+    MacroAssembler::Address asAddress(unsigned additionalOffset = 0) const { return MacroAssembler::Address(base(), offset() + additionalOffset); }
+    
+private:
+    static inline int32_t notAddress() { return 0x80000000; }     
+          
+    int32_t m_offset;
+    int8_t m_baseOrTag;
+    int8_t m_payload; 
+    int8_t m_tagType; // Contains the low bits of the tag.
+};
+#endif
+
 #if CPU(X86)
 

trunk/Source/JavaScriptCore/dfg/DFGGenerationInfo.h

@@ -340 +340 @@
     GPRReg gpr() { ASSERT(m_registerFormat && m_registerFormat != DataFormatDouble); return u.gpr; }
     FPRReg fpr() { ASSERT(m_registerFormat == DataFormatDouble); return u.fpr; }
+    JSValueRegs jsValueRegs() { ASSERT(m_registerFormat & DataFormatJS); return JSValueRegs(u.gpr); }
 #elif USE(JSVALUE32_64)
     GPRReg gpr() { ASSERT(!(m_registerFormat & DataFormatJS) && m_registerFormat != DataFormatDouble); return u.gpr; }
@@ -345 +346 @@
     GPRReg payloadGPR() { ASSERT(m_registerFormat & DataFormatJS); return u.v.payloadGPR; }
     FPRReg fpr() { ASSERT(m_registerFormat == DataFormatDouble || m_registerFormat == DataFormatJSDouble); return u.fpr; }
+    JSValueRegs jsValueRegs() { ASSERT(m_registerFormat & DataFormatJS); return JSValueRegs(u.v.tagGPR, u.v.payloadGPR); }
 #endif
 

trunk/Source/JavaScriptCore/dfg/DFGGraph.h

@@ -220 +220 @@
         return &m_structureTransitionData.last();
     }
+    
+    ValueProfile* valueProfileFor(NodeIndex nodeIndex, CodeBlock* profiledBlock)
+    {
+        if (nodeIndex == NoNode)
+            return 0;
+        
+        Node& node = at(nodeIndex);
+        
+        switch (node.op) {
+        case GetLocal: {
+            if (!operandIsArgument(node.local()))
+                return 0;
+            int argument = node.local() + m_arguments.size() + RegisterFile::CallFrameHeaderSize;
+            if (node.variableAccessData() != at(m_arguments[argument]).variableAccessData())
+                return 0;
+            return profiledBlock->valueProfileForArgument(argument);
+        }
+        
+        // Nodes derives from calls need special handling because the value profile is
+        // associated with the op_call_put_result instruction.
+        case Call:
+        case Construct:
+        case ArrayPop:
+        case ArrayPush: {
+            ASSERT(OPCODE_LENGTH(op_call) == OPCODE_LENGTH(op_construct));
+            return profiledBlock->valueProfileForBytecodeOffset(node.codeOrigin.bytecodeIndex + OPCODE_LENGTH(op_call));
+        }
+
+        default:
+            if (node.hasHeapPrediction())
+                return profiledBlock->valueProfileForBytecodeOffset(node.codeOrigin.bytecodeIndex);
+            return 0;
+        }
+    }
 
     Vector< OwnPtr<BasicBlock> , 8> m_blocks;

trunk/Source/JavaScriptCore/dfg/DFGJITCodeGenerator.h

@@ -1890 +1890 @@
         return m_gprOrInvalid;
     }
+    JSValueRegs jsValueRegs()
+    {
+        return JSValueRegs(gpr());
+    }
 #elif USE(JSVALUE32_64)
     bool isDouble() { return m_isDouble; }
@@ -1911 +1915 @@
         ASSERT(!m_isDouble);
         return m_register.pair.payloadGPR;
+    }
+
+    JSValueRegs jsValueRegs()
+    {
+        return JSValueRegs(tagGPR(), payloadGPR());
     }
 

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp

@@ -99 +99 @@
     emitCount(counter);
 #endif
-
+    
     // 2) Perform speculation recovery. This only comes into play when an operation
     //    starts mutating state before verifying the speculation it has already made.
@@ -122 +122 @@
     }
 
-    // 3) Figure out how many scratch slots we'll need. We need one for every GPR/FPR
+    // 3) Refine some value profile, if appropriate.
+    
+    if (!!exit.m_jsValueSource && !!exit.m_valueProfile) {
+        if (exit.m_jsValueSource.isAddress()) {
+            // We can't be sure that we have a spare register. So use the tagTypeNumberRegister,
+            // since we know how to restore it.
+            loadPtr(Address(exit.m_jsValueSource.asAddress()), GPRInfo::tagTypeNumberRegister);
+            storePtr(GPRInfo::tagTypeNumberRegister, exit.m_valueProfile->specFailBucket(0));
+            move(TrustedImmPtr(bitwise_cast<void*>(TagTypeNumber)), GPRInfo::tagTypeNumberRegister);
+        } else
+            storePtr(exit.m_jsValueSource.gpr(), exit.m_valueProfile->specFailBucket(0));
+    }
+
+    // 4) Figure out how many scratch slots we'll need. We need one for every GPR/FPR
     //    whose destination is now occupied by a DFG virtual register, and we need
     //    one for every displaced virtual register if there are more than
@@ -218 +231 @@
     // between when something is computed and when it is stored.
     
-    // 4) Perform all reboxing of integers.
+    // 5) Perform all reboxing of integers.
     
     if (haveUnboxedInt32s) {
@@ -239 +252 @@
     }
     
-    // 5) Dump all non-poisoned GPRs. For poisoned GPRs, save them into the scratch storage.
+    // 6) Dump all non-poisoned GPRs. For poisoned GPRs, save them into the scratch storage.
     //    Note that GPRs do not have a fast change (like haveFPRs) because we expect that
     //    most OSR failure points will have at least one GPR that needs to be dumped.
@@ -263 +276 @@
     
     if (haveFPRs) {
-        // 6) Box all doubles (relies on there being more GPRs than FPRs)
+        // 7) Box all doubles (relies on there being more GPRs than FPRs)
         
         for (int index = 0; index < exit.numberOfRecoveries(); ++index) {
@@ -274 +287 @@
         }
         
-        // 7) Dump all doubles into the register file, or to the scratch storage if
+        // 8) Dump all doubles into the register file, or to the scratch storage if
         //    the destination virtual register is poisoned.
         
@@ -291 +304 @@
     ASSERT(scratchIndex == numberOfPoisonedVirtualRegisters);
     
-    // 8) Reshuffle displaced virtual registers. Optimize for the case that
+    // 9) Reshuffle displaced virtual registers. Optimize for the case that
     //    the number of displaced virtual registers is not more than the number
     //    of available physical registers.
@@ -407 +420 @@
     }
     
-    // 9) Dump all poisoned virtual registers.
+    // 10) Dump all poisoned virtual registers.
     
     scratchIndex = 0;
@@ -431 +444 @@
     ASSERT(scratchIndex == numberOfPoisonedVirtualRegisters);
     
-    // 10) Dump all constants. Optimize for Undefined, since that's a constant we see
+    // 11) Dump all constants. Optimize for Undefined, since that's a constant we see
     //     often.
 
@@ -449 +462 @@
     }
     
-    // 11) Adjust the old JIT's execute counter. Since we are exiting OSR, we know
+    // 12) Adjust the old JIT's execute counter. Since we are exiting OSR, we know
     //     that all new calls into this code will go to the new JIT, so the execute
     //     counter only affects call frames that performed OSR exit and call frames
@@ -512 +525 @@
     doneAdjusting.link(this);
     
-    // 12) Load the result of the last bytecode operation into regT0.
+    // 13) Load the result of the last bytecode operation into regT0.
     
     if (exit.m_lastSetOperand != std::numeric_limits<int>::max())
         loadPtr(addressFor((VirtualRegister)exit.m_lastSetOperand), GPRInfo::cachedResultRegister);
     
-    // 13) Fix call frame(s).
+    // 14) Fix call frame(s).
     
     ASSERT(codeBlock()->alternative()->getJITType() == JITCode::BaselineJIT);
@@ -553 +566 @@
         addPtr(Imm32(exit.m_codeOrigin.inlineCallFrame->stackOffset * sizeof(EncodedJSValue)), GPRInfo::callFrameRegister);
     
-    // 14) Jump into the corresponding baseline JIT code.
+    // 15) Jump into the corresponding baseline JIT code.
     
     CodeBlock* baselineCodeBlock = baselineCodeBlockFor(exit.m_codeOrigin);

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h

@@ -425 +425 @@
     }
 
+    ValueProfile* valueProfileFor(NodeIndex nodeIndex)
+    {
+        if (nodeIndex == NoNode)
+            return 0;
+        
+        return m_graph.valueProfileFor(nodeIndex, baselineCodeBlockFor(m_graph[nodeIndex].codeOrigin));
+    }
+    
 private:
     // Internal implementation to compile.

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler32_64.cpp

@@ -92 +92 @@
     }
 
-    // 3) Figure out how many scratch slots we'll need. We need one for every GPR/FPR
+    // 3) Refine some value profile, if appropriate.
+    
+    if (!!exit.m_jsValueSource && !!exit.m_valueProfile) {
+        if (exit.m_jsValueSource.isAddress()) {
+            // Save a register so we can use it.
+            GPRReg scratch = GPRInfo::regT0;
+            if (scratch == exit.m_jsValueSource.base())
+                scratch = GPRInfo::regT1;
+            EncodedJSValue* scratchBuffer = static_cast<EncodedJSValue*>(globalData()->scratchBufferForSize(sizeof(uint32_t)));
+            store32(scratch, scratchBuffer);
+            load32(exit.m_jsValueSource.asAddress(OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)), scratch);
+            store32(scratch, &bitwise_cast<EncodedValueDescriptor*>(exit.m_valueProfile->specFailBucket(0))->asBits.tag);
+            load32(exit.m_jsValueSource.asAddress(OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)), scratch);
+            store32(scratch, &bitwise_cast<EncodedValueDescriptor*>(exit.m_valueProfile->specFailBucket(0))->asBits.payload);
+            load32(scratchBuffer, scratch);
+        } else if (exit.m_jsValueSource.hasKnownTag()) {
+            store32(Imm32(exit.m_jsValueSource.tag()), &bitwise_cast<EncodedValueDescriptor*>(exit.m_valueProfile->specFailBucket(0))->asBits.tag);
+            store32(exit.m_jsValueSource.payloadGPR(), &bitwise_cast<EncodedValueDescriptor*>(exit.m_valueProfile->specFailBucket(0))->asBits.payload);
+        } else {
+            store32(exit.m_jsValueSource.tagGPR(), &bitwise_cast<EncodedValueDescriptor*>(exit.m_valueProfile->specFailBucket(0))->asBits.tag);
+            store32(exit.m_jsValueSource.payloadGPR(), &bitwise_cast<EncodedValueDescriptor*>(exit.m_valueProfile->specFailBucket(0))->asBits.payload);
+        }
+    }
+    
+    // 4) Figure out how many scratch slots we'll need. We need one for every GPR/FPR
     //    whose destination is now occupied by a DFG virtual register, and we need
     //    one for every displaced virtual register if there are more than
@@ -180 +204 @@
     // between when something is computed and when it is stored.
     
-    // 4) Perform all reboxing of integers and cells, except for those in registers.
+    // 5) Perform all reboxing of integers and cells, except for those in registers.
 
     if (haveUnboxedInt32InRegisterFile || haveUnboxedCellInRegisterFile || haveUnboxedBooleanInRegisterFile) {
@@ -204 +228 @@
     }
 
-    // 5) Dump all non-poisoned GPRs. For poisoned GPRs, save them into the scratch storage.
+    // 6) Dump all non-poisoned GPRs. For poisoned GPRs, save them into the scratch storage.
     //    Note that GPRs do not have a fast change (like haveFPRs) because we expect that
     //    most OSR failure points will have at least one GPR that needs to be dumped.
@@ -261 +285 @@
     
     if (haveFPRs) {
-        // 6) Box all doubles (relies on there being more GPRs than FPRs)
+        // 7) Box all doubles (relies on there being more GPRs than FPRs)
         //    For JSValue32_64, no need to box doubles.
         
-        // 7) Dump all doubles into the register file, or to the scratch storage if
+        // 8) Dump all doubles into the register file, or to the scratch storage if
         //    the destination virtual register is poisoned.
         
@@ -280 +304 @@
     ASSERT(scratchIndex == numberOfPoisonedVirtualRegisters);
     
-    // 8) Reshuffle displaced virtual registers. Optimize for the case that
+    // 9) Reshuffle displaced virtual registers. Optimize for the case that
     //    the number of displaced virtual registers is not more than the number
     //    of available physical registers.
@@ -351 +375 @@
     }
     
-    // 9) Dump all poisoned virtual registers.
+    // 10) Dump all poisoned virtual registers.
     
     scratchIndex = 0;
@@ -380 +404 @@
     ASSERT(scratchIndex == numberOfPoisonedVirtualRegisters);
     
-    // 10) Dump all constants. Optimize for Undefined, since that's a constant we see
+    // 11) Dump all constants. Optimize for Undefined, since that's a constant we see
     //     often.
 
@@ -403 +427 @@
     }
     
-    // 11) Adjust the old JIT's execute counter. Since we are exiting OSR, we know
+    // 12) Adjust the old JIT's execute counter. Since we are exiting OSR, we know
     //     that all new calls into this code will go to the new JIT, so the execute
     //     counter only affects call frames that performed OSR exit and call frames
@@ -466 +490 @@
     doneAdjusting.link(this);
     
-    // 12) Load the result of the last bytecode operation into regT0.
+    // 13) Load the result of the last bytecode operation into regT0.
     
     if (exit.m_lastSetOperand != std::numeric_limits<int>::max()) {
@@ -473 +497 @@
     }
     
-    // 13) Fix call frame (s).
+    // 14) Fix call frame (s).
     
     ASSERT(codeBlock()->alternative()->getJITType() == JITCode::BaselineJIT);
@@ -513 +537 @@
         addPtr(Imm32(exit.m_codeOrigin.inlineCallFrame->stackOffset * sizeof(EncodedJSValue)), GPRInfo::callFrameRegister);
 
-    // 14) Jump into the corresponding baseline JIT code.
+    // 15) Jump into the corresponding baseline JIT code.
     
     CodeBlock* baselineCodeBlock = baselineCodeBlockFor(exit.m_codeOrigin);

trunk/Source/JavaScriptCore/dfg/DFGPropagator.cpp

@@ -441 +441 @@
         }
             
-        case GetById:
+        case GetById: {
+            if (node.getHeapPrediction())
+                changed |= mergePrediction(node.getHeapPrediction());
+            else if (m_codeBlock->identifier(node.identifierNumber()) == m_globalData.propertyNames->length) {
+                // If there is no prediction from value profiles, check if we might be
+                // able to infer the type ourselves.
+                bool isArray = isArrayPrediction(m_graph[node.child1()].prediction());
+                bool isString = isStringPrediction(m_graph[node.child1()].prediction());
+                bool isByteArray = m_graph[node.child1()].shouldSpeculateByteArray();
+                if (isArray || isString || isByteArray)
+                    changed |= mergePrediction(PredictInt32);
+            }
+            break;
+        }
+            
         case GetMethod:
         case GetByVal: {

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -116 +116 @@
 #endif
 
-OSRExit::OSRExit(MacroAssembler::Jump check, SpeculativeJIT* jit, unsigned recoveryIndex)
-    : m_check(check)
+OSRExit::OSRExit(JSValueSource jsValueSource, ValueProfile* valueProfile, MacroAssembler::Jump check, SpeculativeJIT* jit, unsigned recoveryIndex)
+    : m_jsValueSource(jsValueSource)
+    , m_valueProfile(valueProfile)
+    , m_check(check)
     , m_nodeIndex(jit->m_compileIndex)
     , m_codeOrigin(jit->m_codeOriginForOSR)
@@ -180 +182 @@
     
     if (!predictionCheck(m_state.forNode(node.child1()).m_type))
-        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op1GPR), MacroAssembler::TrustedImmPtr(vptr)));
+        speculationCheck(JSValueSource::unboxedCell(op1GPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op1GPR), MacroAssembler::TrustedImmPtr(vptr)));
     if (!predictionCheck(m_state.forNode(node.child2()).m_type))
-        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op2GPR), MacroAssembler::TrustedImmPtr(vptr)));
+        speculationCheck(JSValueSource::unboxedCell(op2GPR), node.child2(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op2GPR), MacroAssembler::TrustedImmPtr(vptr)));
     
     addBranch(m_jit.branchPtr(condition, op1GPR, op2GPR), taken);
@@ -393 +395 @@
 #if USE(JSVALUE64)
         if (isInt32Prediction(predictedType))
-            speculationCheck(m_jit.branchPtr(MacroAssembler::Below, JITCompiler::addressFor(virtualRegister), GPRInfo::tagTypeNumberRegister));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchPtr(MacroAssembler::Below, JITCompiler::addressFor(virtualRegister), GPRInfo::tagTypeNumberRegister));
         else if (isArrayPrediction(predictedType)) {
             GPRTemporary temp(this);
             m_jit.loadPtr(JITCompiler::addressFor(virtualRegister), temp.gpr());
-            speculationCheck(m_jit.branchTestPtr(MacroAssembler::NonZero, temp.gpr(), GPRInfo::tagMaskRegister));
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(temp.gpr()), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchTestPtr(MacroAssembler::NonZero, temp.gpr(), GPRInfo::tagMaskRegister));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(temp.gpr()), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
         } else if (isByteArrayPrediction(predictedType)) {
             GPRTemporary temp(this);
             m_jit.loadPtr(JITCompiler::addressFor(virtualRegister), temp.gpr());
-            speculationCheck(m_jit.branchTestPtr(MacroAssembler::NonZero, temp.gpr(), GPRInfo::tagMaskRegister));
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(temp.gpr()), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsByteArrayVPtr)));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchTestPtr(MacroAssembler::NonZero, temp.gpr(), GPRInfo::tagMaskRegister));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(temp.gpr()), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsByteArrayVPtr)));
         } else if (isBooleanPrediction(predictedType)) {
             GPRTemporary temp(this);
             m_jit.loadPtr(JITCompiler::addressFor(virtualRegister), temp.gpr());
             m_jit.xorPtr(TrustedImm32(static_cast<int32_t>(ValueFalse)), temp.gpr());
-            speculationCheck(m_jit.branchTestPtr(MacroAssembler::NonZero, temp.gpr(), TrustedImm32(static_cast<int32_t>(~1))));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchTestPtr(MacroAssembler::NonZero, temp.gpr(), TrustedImm32(static_cast<int32_t>(~1))));
         }
 #else
         if (isInt32Prediction(predictedType))
-            speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, JITCompiler::tagFor(virtualRegister), TrustedImm32(JSValue::Int32Tag)));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::NotEqual, JITCompiler::tagFor(virtualRegister), TrustedImm32(JSValue::Int32Tag)));
         else if (isArrayPrediction(predictedType)) {
             GPRTemporary temp(this);
             m_jit.load32(JITCompiler::tagFor(virtualRegister), temp.gpr());
-            speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, temp.gpr(), TrustedImm32(JSValue::CellTag)));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::NotEqual, temp.gpr(), TrustedImm32(JSValue::CellTag)));
             m_jit.load32(JITCompiler::payloadFor(virtualRegister), temp.gpr());
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(temp.gpr()), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(temp.gpr()), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
         } else if (isByteArrayPrediction(predictedType)) {
             GPRTemporary temp(this);
             m_jit.load32(JITCompiler::tagFor(virtualRegister), temp.gpr());
-            speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, temp.gpr(), TrustedImm32(JSValue::CellTag)));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::NotEqual, temp.gpr(), TrustedImm32(JSValue::CellTag)));
             m_jit.load32(JITCompiler::payloadFor(virtualRegister), temp.gpr());
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(temp.gpr()), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsByteArrayVPtr)));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(temp.gpr()), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsByteArrayVPtr)));
         } else if (isBooleanPrediction(predictedType))
-            speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, JITCompiler::tagFor(virtualRegister), TrustedImm32(JSValue::BooleanTag)));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::NotEqual, JITCompiler::tagFor(virtualRegister), TrustedImm32(JSValue::BooleanTag)));
 #endif
     }
@@ -587 +589 @@
 
     if (!isStringPrediction(m_state.forNode(node.child1()).m_type))
-        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(stringReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
+        speculationCheck(JSValueSource::unboxedCell(stringReg), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(stringReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
 
     // unsigned comparison so we can filter out negative indices and indices that are too large
-    speculationCheck(m_jit.branch32(MacroAssembler::AboveOrEqual, indexReg, MacroAssembler::Address(stringReg, JSString::offsetOfLength())));
+    speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::AboveOrEqual, indexReg, MacroAssembler::Address(stringReg, JSString::offsetOfLength())));
 
     GPRTemporary scratch(this);
@@ -598 +600 @@
 
     // Speculate that we're not accessing a rope
-    speculationCheck(m_jit.branchTest32(MacroAssembler::Zero, scratchReg));
+    speculationCheck(JSValueRegs(), NoNode, m_jit.branchTest32(MacroAssembler::Zero, scratchReg));
 
     // Load the character into scratchReg
@@ -627 +629 @@
 
     if (!isStringPrediction(m_state.forNode(node.child1()).m_type))
-        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
+        speculationCheck(JSValueSource::unboxedCell(baseReg), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
 
     // unsigned comparison so we can filter out negative indices and indices that are too large
-    speculationCheck(m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSString::offsetOfLength())));
+    speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSString::offsetOfLength())));
 
     GPRTemporary scratch(this);
@@ -638 +640 @@
 
     // Speculate that we're not accessing a rope
-    speculationCheck(m_jit.branchTest32(MacroAssembler::Zero, scratchReg));
+    speculationCheck(JSValueRegs(), NoNode, m_jit.branchTest32(MacroAssembler::Zero, scratchReg));
 
     // Load the character into scratchReg
@@ -653 +655 @@
 
     // We only support ascii characters
-    speculationCheck(m_jit.branch32(MacroAssembler::AboveOrEqual, scratchReg, TrustedImm32(0x100)));
+    speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::AboveOrEqual, scratchReg, TrustedImm32(0x100)));
 
     // 8 bit string values don't need the isASCII check.
@@ -662 +664 @@
     m_jit.move(MacroAssembler::TrustedImmPtr(m_jit.globalData()->smallStrings.singleCharacterStrings()), smallStringsReg);
     m_jit.loadPtr(MacroAssembler::BaseIndex(smallStringsReg, scratchReg, MacroAssembler::ScalePtr, 0), scratchReg);
-    speculationCheck(m_jit.branchTest32(MacroAssembler::Zero, scratchReg));
+    speculationCheck(JSValueRegs(), NoNode, m_jit.branchTest32(MacroAssembler::Zero, scratchReg));
     cellResult(scratchReg, m_compileIndex);
 }
@@ -729 +731 @@
     
     if (!isByteArrayPrediction(m_state.forNode(baseIndex).m_type))
-        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(base), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsByteArrayVPtr)));
+        speculationCheck(JSValueSource::unboxedCell(base), baseIndex, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(base), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsByteArrayVPtr)));
     GPRTemporary value;
     GPRReg valueGPR;
@@ -736 +738 @@
         JSValue jsValue = valueOfJSConstant(valueIndex);
         if (!jsValue.isNumber()) {
-            terminateSpeculativeExecution();
+            terminateSpeculativeExecution(JSValueRegs(), NoNode);
             noResult(m_compileIndex);
             return;
@@ -797 +799 @@
     
     if (!isByteArrayPrediction(m_state.forNode(node.child1()).m_type))
-        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsByteArrayVPtr)));
+        speculationCheck(JSValueSource::unboxedCell(baseReg), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsByteArrayVPtr)));
 
     // Load the character into scratchReg
@@ -805 +807 @@
     
     // unsigned comparison so we can filter out negative indices and indices that are too large
-    speculationCheck(m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, ByteArray::offsetOfSize())));
+    speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, ByteArray::offsetOfSize())));
 
     m_jit.load8(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesOne, ByteArray::offsetOfData()), storageReg);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -339 +339 @@
 // going into baseline code.
 struct OSRExit {
-    OSRExit(MacroAssembler::Jump, SpeculativeJIT*, unsigned recoveryIndex = 0);
+    OSRExit(JSValueSource, ValueProfile*, MacroAssembler::Jump, SpeculativeJIT*, unsigned recoveryIndex = 0);
+    
+    JSValueSource m_jsValueSource;
+    ValueProfile* m_valueProfile;
     
     MacroAssembler::Jump m_check;
@@ -506 +509 @@
 
     // Add a speculation check without additional recovery.
-    void speculationCheck(MacroAssembler::Jump jumpToFail)
+    void speculationCheck(JSValueSource jsValueSource, NodeIndex nodeIndex, MacroAssembler::Jump jumpToFail)
     {
         if (!m_compileOkay)
             return;
-        m_osrExits.append(OSRExit(jumpToFail, this));
+        m_osrExits.append(OSRExit(jsValueSource, m_jit.valueProfileFor(nodeIndex), jumpToFail, this));
     }
     // Add a speculation check with additional recovery.
-    void speculationCheck(MacroAssembler::Jump jumpToFail, const SpeculationRecovery& recovery)
+    void speculationCheck(JSValueSource jsValueSource, NodeIndex nodeIndex, MacroAssembler::Jump jumpToFail, const SpeculationRecovery& recovery)
     {
         if (!m_compileOkay)
             return;
         m_speculationRecoveryList.append(recovery);
-        m_osrExits.append(OSRExit(jumpToFail, this, m_speculationRecoveryList.size()));
+        m_osrExits.append(OSRExit(jsValueSource, m_jit.valueProfileFor(nodeIndex), jumpToFail, this, m_speculationRecoveryList.size()));
     }
 
     // Called when we statically determine that a speculation will fail.
-    void terminateSpeculativeExecution()
+    void terminateSpeculativeExecution(JSValueRegs jsValueRegs, NodeIndex nodeIndex)
     {
 #if DFG_ENABLE(DEBUG_VERBOSE)
@@ -529 +532 @@
         if (!m_compileOkay)
             return;
-        speculationCheck(m_jit.jump());
+        speculationCheck(jsValueRegs, nodeIndex, m_jit.jump());
         m_compileOkay = false;
     }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -69 +69 @@
                 return gpr;
             }
-            terminateSpeculativeExecution();
+            terminateSpeculativeExecution(JSValueRegs(), NoNode);
             returnFormat = DataFormatInteger;
             return allocate();
@@ -81 +81 @@
         // If we know this was spilled as an integer we can fill without checking.
         if (spillFormat != DataFormatJSInteger)
-            speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, JITCompiler::tagFor(virtualRegister), TrustedImm32(JSValue::Int32Tag)));
+            speculationCheck(JSValueSource(JITCompiler::addressFor(virtualRegister)), nodeIndex, m_jit.branch32(MacroAssembler::NotEqual, JITCompiler::tagFor(virtualRegister), TrustedImm32(JSValue::Int32Tag)));
 
         m_jit.load32(JITCompiler::payloadFor(virtualRegister), gpr);
@@ -97 +97 @@
         m_gprs.lock(payloadGPR);
         if (info.registerFormat() != DataFormatJSInteger) 
-            speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, tagGPR, TrustedImm32(JSValue::Int32Tag)));
+            speculationCheck(JSValueRegs(tagGPR, payloadGPR), nodeIndex, m_jit.branch32(MacroAssembler::NotEqual, tagGPR, TrustedImm32(JSValue::Int32Tag)));
         m_gprs.unlock(tagGPR);
         m_gprs.release(tagGPR);
@@ -121 +121 @@
     case DataFormatJSCell:
     case DataFormatJSBoolean: {
-        terminateSpeculativeExecution();
+        terminateSpeculativeExecution(JSValueRegs(), NoNode);
         returnFormat = DataFormatInteger;
         return allocate();
@@ -172 +172 @@
                 return fpr;
             } else {
-                terminateSpeculativeExecution();
+                terminateSpeculativeExecution(JSValueRegs(), NoNode);
                 return fprAllocate();
             }
@@ -188 +188 @@
             FPRReg fpr = fprAllocate();
             JITCompiler::Jump isInteger = m_jit.branch32(MacroAssembler::Equal, JITCompiler::tagFor(virtualRegister), TrustedImm32(JSValue::Int32Tag));
-            speculationCheck(m_jit.branch32(MacroAssembler::AboveOrEqual, JITCompiler::tagFor(virtualRegister), TrustedImm32(JSValue::LowestTag)));
+            speculationCheck(JSValueSource(JITCompiler::addressFor(virtualRegister)), nodeIndex, m_jit.branch32(MacroAssembler::AboveOrEqual, JITCompiler::tagFor(virtualRegister), TrustedImm32(JSValue::LowestTag)));
             m_jit.loadDouble(JITCompiler::addressFor(virtualRegister), fpr);
             JITCompiler::Jump hasUnboxedDouble = m_jit.jump();
@@ -210 +210 @@
 
     case DataFormatCell:
-        terminateSpeculativeExecution();
+        terminateSpeculativeExecution(JSValueRegs(), NoNode);
         return fprAllocate();
 
@@ -229 +229 @@
             FPRTemporary scratch(this);
             JITCompiler::Jump isInteger = m_jit.branch32(MacroAssembler::Equal, tagGPR, TrustedImm32(JSValue::Int32Tag));
-            speculationCheck(m_jit.branch32(MacroAssembler::AboveOrEqual, tagGPR, TrustedImm32(JSValue::LowestTag)));
+            speculationCheck(JSValueRegs(tagGPR, payloadGPR), nodeIndex, m_jit.branch32(MacroAssembler::AboveOrEqual, tagGPR, TrustedImm32(JSValue::LowestTag)));
             unboxDouble(tagGPR, payloadGPR, fpr, scratch.fpr());
             hasUnboxedDouble = m_jit.jump();
@@ -292 +292 @@
                 return gpr;
             }
-            terminateSpeculativeExecution();
+            terminateSpeculativeExecution(JSValueRegs(), NoNode);
             return gpr;
         }
@@ -298 +298 @@
         m_jit.load32(JITCompiler::tagFor(virtualRegister), gpr);
         if (info.spillFormat() != DataFormatJSCell)
-            speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, gpr, TrustedImm32(JSValue::CellTag)));
+            speculationCheck(JSValueSource(JITCompiler::addressFor(virtualRegister)), nodeIndex, m_jit.branch32(MacroAssembler::NotEqual, gpr, TrustedImm32(JSValue::CellTag)));
         m_jit.load32(JITCompiler::payloadFor(virtualRegister), gpr);
         m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
@@ -318 +318 @@
         m_gprs.lock(payloadGPR);
         if (info.spillFormat() != DataFormatJSCell)
-            speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, tagGPR, TrustedImm32(JSValue::CellTag)));
+            speculationCheck(JSValueRegs(tagGPR, payloadGPR), nodeIndex, m_jit.branch32(MacroAssembler::NotEqual, tagGPR, TrustedImm32(JSValue::CellTag)));
         m_gprs.unlock(tagGPR);
         m_gprs.release(tagGPR);
@@ -333 +333 @@
     case DataFormatJSBoolean:
     case DataFormatBoolean: {
-        terminateSpeculativeExecution();
+        terminateSpeculativeExecution(JSValueRegs(), NoNode);
         return allocate();
     }
@@ -366 +366 @@
                 return gpr;
             }
-            terminateSpeculativeExecution();
+            terminateSpeculativeExecution(JSValueRegs(), NoNode);
             return gpr;
         }
@@ -373 +373 @@
 
         if (info.spillFormat() != DataFormatJSBoolean)
-            speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, JITCompiler::tagFor(virtualRegister), TrustedImm32(JSValue::BooleanTag)));
+            speculationCheck(JSValueSource(JITCompiler::addressFor(virtualRegister)), nodeIndex, m_jit.branch32(MacroAssembler::NotEqual, JITCompiler::tagFor(virtualRegister), TrustedImm32(JSValue::BooleanTag)));
 
         m_jit.load32(JITCompiler::payloadFor(virtualRegister), gpr);
@@ -393 +393 @@
         m_gprs.lock(payloadGPR);
         if (info.registerFormat() != DataFormatJSBoolean)
-            speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, tagGPR, TrustedImm32(JSValue::BooleanTag)));
+            speculationCheck(JSValueRegs(tagGPR, payloadGPR), nodeIndex, m_jit.branch32(MacroAssembler::NotEqual, tagGPR, TrustedImm32(JSValue::BooleanTag)));
 
         m_gprs.unlock(tagGPR);
@@ -409 +409 @@
     case DataFormatJSCell:
     case DataFormatCell: {
-        terminateSpeculativeExecution();
+        terminateSpeculativeExecution(JSValueRegs(), NoNode);
         return allocate();
     }
@@ -450 +450 @@
     
     if (!predictionCheck(m_state.forNode(node.child1()).m_type))
-        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op1GPR), MacroAssembler::TrustedImmPtr(vptr)));
+        speculationCheck(JSValueSource::unboxedCell(op1GPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op1GPR), MacroAssembler::TrustedImmPtr(vptr)));
     if (!predictionCheck(m_state.forNode(node.child2()).m_type))
-        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op2GPR), MacroAssembler::TrustedImmPtr(vptr)));
+        speculationCheck(JSValueSource::unboxedCell(op2GPR), node.child2(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op2GPR), MacroAssembler::TrustedImmPtr(vptr)));
     
     MacroAssembler::Jump falseCase = m_jit.branchPtr(MacroAssembler::NotEqual, op1GPR, op2GPR);
@@ -535 +535 @@
     MacroAssembler::Jump notCell = m_jit.branch32(MacroAssembler::NotEqual, valueTagGPR, TrustedImm32(JSValue::CellTag));
     if (needSpeculationCheck)
-        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(valuePayloadGPR), MacroAssembler::TrustedImmPtr(vptr)));
+        speculationCheck(JSValueRegs(valueTagGPR, valuePayloadGPR), nodeIndex, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(valuePayloadGPR), MacroAssembler::TrustedImmPtr(vptr)));
     m_jit.move(TrustedImm32(0), resultPayloadGPR);
     MacroAssembler::Jump done = m_jit.jump();
@@ -545 +545 @@
         m_jit.move(valueTagGPR, resultPayloadGPR);
         m_jit.or32(TrustedImm32(1), resultPayloadGPR);
-        speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, resultPayloadGPR, TrustedImm32(JSValue::NullTag)));
+        speculationCheck(JSValueRegs(valueTagGPR, valuePayloadGPR), nodeIndex, m_jit.branch32(MacroAssembler::NotEqual, resultPayloadGPR, TrustedImm32(JSValue::NullTag)));
     }
     m_jit.move(TrustedImm32(1), resultPayloadGPR);
@@ -592 +592 @@
     JSValueOperand value(this, node.child1());
     GPRTemporary resultPayload(this, value, false);
-    speculationCheck(m_jit.branch32(JITCompiler::NotEqual, value.tagGPR(), TrustedImm32(JSValue::BooleanTag)));
+    speculationCheck(JSValueRegs(value.tagGPR(), value.payloadGPR()), node.child1(), m_jit.branch32(JITCompiler::NotEqual, value.tagGPR(), TrustedImm32(JSValue::BooleanTag)));
     m_jit.move(value.payloadGPR(), resultPayload.gpr());
     m_jit.xor32(TrustedImm32(1), resultPayload.gpr());
@@ -636 +636 @@
     MacroAssembler::Jump notCell = m_jit.branch32(MacroAssembler::NotEqual, valueTagGPR, TrustedImm32(JSValue::CellTag));
     if (needSpeculationCheck)
-        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(valuePayloadGPR), MacroAssembler::TrustedImmPtr(vptr)));
+        speculationCheck(JSValueRegs(valueTagGPR, valuePayloadGPR), nodeIndex, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(valuePayloadGPR), MacroAssembler::TrustedImmPtr(vptr)));
     addBranch(m_jit.jump(), taken);
     
@@ -645 +645 @@
         m_jit.move(valueTagGPR, scratchGPR);
         m_jit.or32(TrustedImm32(1), scratchGPR);
-        speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, scratchGPR, TrustedImm32(JSValue::NullTag)));
+        speculationCheck(JSValueRegs(valueTagGPR, valuePayloadGPR), nodeIndex, m_jit.branch32(MacroAssembler::NotEqual, scratchGPR, TrustedImm32(JSValue::NullTag)));
     }
 
@@ -748 +748 @@
         // If we have no prediction for this local, then don't attempt to compile.
         if (prediction == PredictNone) {
-            terminateSpeculativeExecution();
+            terminateSpeculativeExecution(JSValueRegs(), NoNode);
             break;
         }
@@ -826 +826 @@
             GPRReg cellGPR = cell.gpr();
             if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
-                speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(cellGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
+                speculationCheck(JSValueSource::unboxedCell(cellGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(cellGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
             m_jit.storePtr(cellGPR, JITCompiler::payloadFor(node.local()));
             noResult(m_compileIndex);
@@ -833 +833 @@
             GPRReg cellGPR = cell.gpr();
             if (!isByteArrayPrediction(m_state.forNode(node.child1()).m_type))
-                speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(cellGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsByteArrayVPtr)));
+                speculationCheck(JSValueSource::unboxedCell(cellGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(cellGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsByteArrayVPtr)));
             m_jit.storePtr(cellGPR, JITCompiler::payloadFor(node.local()));
             noResult(m_compileIndex);
@@ -939 +939 @@
 
         // Test the operand is positive.
-        speculationCheck(m_jit.branch32(MacroAssembler::LessThan, op1.gpr(), TrustedImm32(0)));
+        speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::LessThan, op1.gpr(), TrustedImm32(0)));
 
         m_jit.move(op1.gpr(), result.gpr());
@@ -987 +987 @@
                     m_jit.add32(Imm32(imm1), result.gpr());
                 } else
-                    speculationCheck(m_jit.branchAdd32(MacroAssembler::Overflow, op2.gpr(), Imm32(imm1), result.gpr()));
+                    speculationCheck(JSValueRegs(), NoNode, m_jit.branchAdd32(MacroAssembler::Overflow, op2.gpr(), Imm32(imm1), result.gpr()));
 
                 integerResult(result.gpr(), m_compileIndex);
@@ -1002 +1002 @@
                     m_jit.add32(Imm32(imm2), result.gpr());
                 } else
-                    speculationCheck(m_jit.branchAdd32(MacroAssembler::Overflow, op1.gpr(), Imm32(imm2), result.gpr()));
+                    speculationCheck(JSValueRegs(), NoNode, m_jit.branchAdd32(MacroAssembler::Overflow, op1.gpr(), Imm32(imm2), result.gpr()));
 
                 integerResult(result.gpr(), m_compileIndex);
@@ -1027 +1027 @@
                 
                 if (gpr1 == gprResult)
-                    speculationCheck(check, SpeculationRecovery(SpeculativeAdd, gprResult, gpr2));
+                    speculationCheck(JSValueRegs(), NoNode, check, SpeculationRecovery(SpeculativeAdd, gprResult, gpr2));
                 else if (gpr2 == gprResult)
-                    speculationCheck(check, SpeculationRecovery(SpeculativeAdd, gprResult, gpr1));
+                    speculationCheck(JSValueRegs(), NoNode, check, SpeculationRecovery(SpeculativeAdd, gprResult, gpr1));
                 else
-                    speculationCheck(check);
+                    speculationCheck(JSValueRegs(), NoNode, check);
             }
 
@@ -1067 +1067 @@
                     m_jit.sub32(Imm32(imm2), result.gpr());
                 } else
-                    speculationCheck(m_jit.branchSub32(MacroAssembler::Overflow, op1.gpr(), Imm32(imm2), result.gpr()));
+                    speculationCheck(JSValueRegs(), NoNode, m_jit.branchSub32(MacroAssembler::Overflow, op1.gpr(), Imm32(imm2), result.gpr()));
 
                 integerResult(result.gpr(), m_compileIndex);
@@ -1081 +1081 @@
                 m_jit.sub32(op2.gpr(), result.gpr());
             } else
-                speculationCheck(m_jit.branchSub32(MacroAssembler::Overflow, op1.gpr(), op2.gpr(), result.gpr()));
+                speculationCheck(JSValueRegs(), NoNode, m_jit.branchSub32(MacroAssembler::Overflow, op1.gpr(), op2.gpr(), result.gpr()));
 
             integerResult(result.gpr(), m_compileIndex);
@@ -1116 +1116 @@
             // domain.
             
-            speculationCheck(m_jit.branchMul32(MacroAssembler::Overflow, reg1, reg2, result.gpr()));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchMul32(MacroAssembler::Overflow, reg1, reg2, result.gpr()));
             
             // Check for negative zero, if the users of this node care about such things.
             if (!nodeCanIgnoreNegativeZero(node.arithNodeFlags())) {
                 MacroAssembler::Jump resultNonZero = m_jit.branchTest32(MacroAssembler::NonZero, result.gpr());
-                speculationCheck(m_jit.branch32(MacroAssembler::LessThan, reg1, TrustedImm32(0)));
-                speculationCheck(m_jit.branch32(MacroAssembler::LessThan, reg2, TrustedImm32(0)));
+                speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::LessThan, reg1, TrustedImm32(0)));
+                speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::LessThan, reg2, TrustedImm32(0)));
                 resultNonZero.link(&m_jit);
             }
@@ -1152 +1152 @@
             GPRReg op2GPR = op2.gpr();
             
-            speculationCheck(m_jit.branchTest32(JITCompiler::Zero, op2GPR));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchTest32(JITCompiler::Zero, op2GPR));
             
             // If the user cares about negative zero, then speculate that we're not about
@@ -1158 +1158 @@
             if (!nodeCanIgnoreNegativeZero(node.arithNodeFlags())) {
                 MacroAssembler::Jump numeratorNonZero = m_jit.branchTest32(MacroAssembler::NonZero, op1GPR);
-                speculationCheck(m_jit.branch32(MacroAssembler::LessThan, op2GPR, TrustedImm32(0)));
+                speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::LessThan, op2GPR, TrustedImm32(0)));
                 numeratorNonZero.link(&m_jit);
             }
@@ -1178 +1178 @@
             // Check that there was no remainder. If there had been, then we'd be obligated to
             // produce a double result instead.
-            speculationCheck(m_jit.branchTest32(JITCompiler::NonZero, edx.gpr()));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchTest32(JITCompiler::NonZero, edx.gpr()));
             
             integerResult(eax.gpr(), m_compileIndex);
@@ -1222 +1222 @@
         GPRReg op2Gpr = op2.gpr();
 
-        speculationCheck(m_jit.branchTest32(JITCompiler::Zero, op2Gpr));
+        speculationCheck(JSValueRegs(), NoNode, m_jit.branchTest32(JITCompiler::Zero, op2Gpr));
 
         GPRReg temp2 = InvalidGPRReg;
@@ -1252 +1252 @@
             m_jit.add32(scratch.gpr(), result.gpr());
             m_jit.xor32(scratch.gpr(), result.gpr());
-            speculationCheck(m_jit.branch32(MacroAssembler::Equal, result.gpr(), MacroAssembler::TrustedImm32(1 << 31)));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::Equal, result.gpr(), MacroAssembler::TrustedImm32(1 << 31)));
             integerResult(result.gpr(), m_compileIndex);
             break;
@@ -1439 +1439 @@
         // If we have predicted the base to be type array, we can skip the check.
         if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
-        speculationCheck(m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset())));
+            speculationCheck(JSValueSource::unboxedCell(baseReg), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
+        speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset())));
 
         // FIXME: In cases where there are subsequent by_val accesses to the same base it might help to cache
@@ -1446 +1446 @@
         // then we'll need to allocate a new temporary for result.
         m_jit.load32(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), resultTag.gpr());
-        speculationCheck(m_jit.branch32(MacroAssembler::Equal, resultTag.gpr(), TrustedImm32(JSValue::EmptyValueTag)));
+        speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::Equal, resultTag.gpr(), TrustedImm32(JSValue::EmptyValueTag)));
         m_jit.load32(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), storageReg);
 
@@ -1497 +1497 @@
         // If we have predicted the base to be type array, we can skip the check.
         if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
+            speculationCheck(JSValueSource::unboxedCell(baseReg), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
 
         base.use();
@@ -1585 +1585 @@
 
         if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
+            speculationCheck(JSValueSource::unboxedCell(baseGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
         
         m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArray::storageOffset()), storageGPR);
@@ -1591 +1591 @@
         
         // Refuse to handle bizarre lengths.
-        speculationCheck(m_jit.branch32(MacroAssembler::Above, storageLengthGPR, TrustedImm32(0x7ffffffe)));
+        speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::Above, storageLengthGPR, TrustedImm32(0x7ffffffe)));
         
         MacroAssembler::Jump slowPath = m_jit.branch32(MacroAssembler::AboveOrEqual, storageLengthGPR, MacroAssembler::Address(baseGPR, JSArray::vectorLengthOffset()));
@@ -1631 +1631 @@
         
         if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
+            speculationCheck(JSValueSource::unboxedCell(baseGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
         
         m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArray::storageOffset()), storageGPR);
@@ -1752 +1752 @@
         // We expect that throw statements are rare and are intended to exit the code block
         // anyway, so we just OSR back to the old JIT for now.
-        terminateSpeculativeExecution();
+        terminateSpeculativeExecution(JSValueRegs(), NoNode);
         break;
     }
@@ -1898 +1898 @@
             m_jit.move(thisValueTagGPR, scratchGPR);
             m_jit.or32(TrustedImm32(1), scratchGPR);
-            speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, scratchGPR, TrustedImm32(JSValue::NullTag)));
+            // This is hard. It would be better to save the value, but we can't quite do it,
+            // since this operation does not otherwise get the payload.
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::NotEqual, scratchGPR, TrustedImm32(JSValue::NullTag)));
             
             m_jit.move(MacroAssembler::TrustedImmPtr(m_jit.codeBlock()->globalObject()), scratchGPR);
@@ -1912 +1914 @@
             
             if (!isObjectPrediction(m_state.forNode(node.child1()).m_type))
-                speculationCheck(m_jit.branchPtr(JITCompiler::Equal, JITCompiler::Address(thisValueGPR), JITCompiler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
+                speculationCheck(JSValueSource::unboxedCell(thisValueGPR), node.child1(), m_jit.branchPtr(JITCompiler::Equal, JITCompiler::Address(thisValueGPR), JITCompiler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
             
             m_jit.move(thisValueGPR, resultGPR);
@@ -1957 +1959 @@
         if (at(node.child1()).shouldSpeculateFinalObject()) {
             if (!isFinalObjectPrediction(m_state.forNode(node.child1()).m_type))
-                speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(protoGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsFinalObjectVPtr)));
+                speculationCheck(JSValueSource::unboxedCell(protoGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(protoGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsFinalObjectVPtr)));
         } else {
             m_jit.loadPtr(MacroAssembler::Address(protoGPR, JSCell::structureOffset()), scratchGPR);
@@ -2065 +2067 @@
         
     case GetById: {
+        if (!node.prediction()) {
+            terminateSpeculativeExecution(JSValueRegs(), NoNode);
+            break;
+        }
+        
         SpeculateCellOperand base(this, node.child1());
         GPRTemporary resultTag(this, base);
@@ -2095 +2102 @@
         
         if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
+            speculationCheck(JSValueSource::unboxedCell(baseGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
         
         m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArray::storageOffset()), resultGPR);
         m_jit.load32(MacroAssembler::Address(resultGPR, OBJECT_OFFSETOF(ArrayStorage, m_length)), resultGPR);
         
-        speculationCheck(m_jit.branch32(MacroAssembler::LessThan, resultGPR, MacroAssembler::TrustedImm32(0)));
+        speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::LessThan, resultGPR, MacroAssembler::TrustedImm32(0)));
         
         integerResult(resultGPR, m_compileIndex);
@@ -2114 +2121 @@
         
         if (!isStringPrediction(m_state.forNode(node.child1()).m_type))
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
+            speculationCheck(JSValueSource::unboxedCell(baseGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
         
         m_jit.load32(MacroAssembler::Address(baseGPR, JSString::offsetOfLength()), resultGPR);
@@ -2130 +2137 @@
         
         if (!isByteArrayPrediction(m_state.forNode(node.child1()).m_type))
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsByteArrayVPtr)));
+            speculationCheck(JSValueSource::unboxedCell(baseGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsByteArrayVPtr)));
         
         m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSByteArray::offsetOfStorage()), resultGPR);
@@ -2141 +2148 @@
     case CheckFunction: {
         SpeculateCellOperand function(this, node.child1());
-        speculationCheck(m_jit.branchPtr(JITCompiler::NotEqual, function.gpr(), JITCompiler::TrustedImmPtr(node.function())));
+        speculationCheck(JSValueRegs(), NoNode, m_jit.branchPtr(JITCompiler::NotEqual, function.gpr(), JITCompiler::TrustedImmPtr(node.function())));
         noResult(m_compileIndex);
         break;
@@ -2157 +2164 @@
         
         if (node.structureSet().size() == 1)
-            speculationCheck(m_jit.branchPtr(JITCompiler::NotEqual, JITCompiler::Address(base.gpr(), JSCell::structureOffset()), JITCompiler::TrustedImmPtr(node.structureSet()[0])));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchPtr(JITCompiler::NotEqual, JITCompiler::Address(base.gpr(), JSCell::structureOffset()), JITCompiler::TrustedImmPtr(node.structureSet()[0])));
         else {
             GPRTemporary structure(this);
@@ -2168 +2175 @@
                 done.append(m_jit.branchPtr(JITCompiler::Equal, structure.gpr(), JITCompiler::TrustedImmPtr(node.structureSet()[i])));
             
-            speculationCheck(m_jit.branchPtr(JITCompiler::NotEqual, structure.gpr(), JITCompiler::TrustedImmPtr(node.structureSet().last())));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchPtr(JITCompiler::NotEqual, structure.gpr(), JITCompiler::TrustedImmPtr(node.structureSet().last())));
             
             done.link(&m_jit);
@@ -2279 +2286 @@
         
         if (!m_state.forNode(node.child1()).m_structure.doesNotContainAnyOtherThan(methodCheckData.structure))
-            speculationCheck(m_jit.branchPtr(JITCompiler::NotEqual, JITCompiler::Address(baseGPR, JSCell::structureOffset()), JITCompiler::TrustedImmPtr(methodCheckData.structure)));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchPtr(JITCompiler::NotEqual, JITCompiler::Address(baseGPR, JSCell::structureOffset()), JITCompiler::TrustedImmPtr(methodCheckData.structure)));
         if (methodCheckData.prototype != m_jit.codeBlock()->globalObject()->methodCallDummy()) {
             m_jit.move(JITCompiler::TrustedImmPtr(methodCheckData.prototype->structureAddress()), scratchGPR);
-            speculationCheck(m_jit.branchPtr(JITCompiler::NotEqual, JITCompiler::Address(scratchGPR), JITCompiler::TrustedImmPtr(methodCheckData.prototypeStructure)));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchPtr(JITCompiler::NotEqual, JITCompiler::Address(scratchGPR), JITCompiler::TrustedImmPtr(methodCheckData.prototypeStructure)));
         }
         
@@ -2367 +2374 @@
         // Speculate that base 'ImplementsDefaultHasInstance'.
         m_jit.loadPtr(MacroAssembler::Address(base.gpr(), JSCell::structureOffset()), structure.gpr());
-        speculationCheck(m_jit.branchTest8(MacroAssembler::Zero, MacroAssembler::Address(structure.gpr(), Structure::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance)));
+        speculationCheck(JSValueRegs(), NoNode, m_jit.branchTest8(MacroAssembler::Zero, MacroAssembler::Address(structure.gpr(), Structure::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance)));
 
         noResult(m_compileIndex);
@@ -2386 +2393 @@
         // Check that prototype is an object.
         m_jit.loadPtr(MacroAssembler::Address(prototypeReg, JSCell::structureOffset()), scratchReg);
-        speculationCheck(m_jit.branch8(MacroAssembler::NotEqual, MacroAssembler::Address(scratchReg, Structure::typeInfoTypeOffset()), MacroAssembler::TrustedImm32(ObjectType)));
+        speculationCheck(JSValueRegs(), NoNode, m_jit.branch8(MacroAssembler::NotEqual, MacroAssembler::Address(scratchReg, Structure::typeInfoTypeOffset()), MacroAssembler::TrustedImm32(ObjectType)));
 
         // Initialize scratchReg with the value being checked.
@@ -2495 +2502 @@
 
     case ForceOSRExit: {
-        terminateSpeculativeExecution();
+        terminateSpeculativeExecution(JSValueRegs(), NoNode);
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -48 +48 @@
     case DataFormatNone: {
         if ((node.hasConstant() && !isInt32Constant(nodeIndex)) || info.spillFormat() == DataFormatDouble) {
-            terminateSpeculativeExecution();
+            terminateSpeculativeExecution(JSValueRegs(), NoNode);
             returnFormat = DataFormatInteger;
             return allocate();
@@ -98 +98 @@
         GPRReg gpr = info.gpr();
         m_gprs.lock(gpr);
-        speculationCheck(m_jit.branchPtr(MacroAssembler::Below, gpr, GPRInfo::tagTypeNumberRegister));
+        speculationCheck(JSValueRegs(gpr), nodeIndex, m_jit.branchPtr(MacroAssembler::Below, gpr, GPRInfo::tagTypeNumberRegister));
         info.fillJSValue(gpr, DataFormatJSInteger);
         // If !strict we're done, return.
@@ -147 +147 @@
     case DataFormatJSCell:
     case DataFormatJSBoolean: {
-        terminateSpeculativeExecution();
+        terminateSpeculativeExecution(JSValueRegs(), NoNode);
         returnFormat = DataFormatInteger;
         return allocate();
@@ -206 +206 @@
                 return fpr;
             }
-            terminateSpeculativeExecution();
+            terminateSpeculativeExecution(JSValueRegs(), NoNode);
             return fprAllocate();
         }
@@ -249 +249 @@
 
     case DataFormatCell:
-        terminateSpeculativeExecution();
+        terminateSpeculativeExecution(JSValueRegs(), NoNode);
         return fprAllocate();
 
@@ -262 +262 @@
         JITCompiler::Jump isInteger = m_jit.branchPtr(MacroAssembler::AboveOrEqual, jsValueGpr, GPRInfo::tagTypeNumberRegister);
 
-        speculationCheck(m_jit.branchTestPtr(MacroAssembler::Zero, jsValueGpr, GPRInfo::tagTypeNumberRegister));
+        speculationCheck(JSValueRegs(jsValueGpr), nodeIndex, m_jit.branchTestPtr(MacroAssembler::Zero, jsValueGpr, GPRInfo::tagTypeNumberRegister));
 
         // First, if we get here we have a double encoded as a JSValue
@@ -336 +336 @@
     case DataFormatNone: {
         if (info.spillFormat() == DataFormatInteger || info.spillFormat() == DataFormatDouble) {
-            terminateSpeculativeExecution();
+            terminateSpeculativeExecution(JSValueRegs(), NoNode);
             return allocate();
         }
@@ -350 +350 @@
                 return gpr;
             }
-            terminateSpeculativeExecution();
+            terminateSpeculativeExecution(JSValueRegs(), NoNode);
             return gpr;
         }
@@ -359 +359 @@
         info.fillJSValue(gpr, DataFormatJS);
         if (info.spillFormat() != DataFormatJSCell)
-            speculationCheck(m_jit.branchTestPtr(MacroAssembler::NonZero, gpr, GPRInfo::tagMaskRegister));
+            speculationCheck(JSValueRegs(gpr), nodeIndex, m_jit.branchTestPtr(MacroAssembler::NonZero, gpr, GPRInfo::tagMaskRegister));
         info.fillJSValue(gpr, DataFormatJSCell);
         return gpr;
@@ -374 +374 @@
         GPRReg gpr = info.gpr();
         m_gprs.lock(gpr);
-        speculationCheck(m_jit.branchTestPtr(MacroAssembler::NonZero, gpr, GPRInfo::tagMaskRegister));
+        speculationCheck(JSValueRegs(gpr), nodeIndex, m_jit.branchTestPtr(MacroAssembler::NonZero, gpr, GPRInfo::tagMaskRegister));
         info.fillJSValue(gpr, DataFormatJSCell);
         return gpr;
@@ -385 +385 @@
     case DataFormatJSBoolean:
     case DataFormatBoolean: {
-        terminateSpeculativeExecution();
+        terminateSpeculativeExecution(JSValueRegs(), NoNode);
         return allocate();
     }
@@ -409 +409 @@
     case DataFormatNone: {
         if (info.spillFormat() == DataFormatInteger || info.spillFormat() == DataFormatDouble) {
-            terminateSpeculativeExecution();
+            terminateSpeculativeExecution(JSValueRegs(), NoNode);
             return allocate();
         }
@@ -423 +423 @@
                 return gpr;
             }
-            terminateSpeculativeExecution();
+            terminateSpeculativeExecution(JSValueRegs(), NoNode);
             return gpr;
         }
@@ -433 +433 @@
         if (info.spillFormat() != DataFormatJSBoolean) {
             m_jit.xorPtr(TrustedImm32(static_cast<int32_t>(ValueFalse)), gpr);
-            speculationCheck(m_jit.branchTestPtr(MacroAssembler::NonZero, gpr, TrustedImm32(static_cast<int32_t>(~1))), SpeculationRecovery(BooleanSpeculationCheck, gpr, InvalidGPRReg));
+            speculationCheck(JSValueRegs(gpr), nodeIndex, m_jit.branchTestPtr(MacroAssembler::NonZero, gpr, TrustedImm32(static_cast<int32_t>(~1))), SpeculationRecovery(BooleanSpeculationCheck, gpr, InvalidGPRReg));
             m_jit.xorPtr(TrustedImm32(static_cast<int32_t>(ValueFalse)), gpr);
         }
@@ -451 +451 @@
         m_gprs.lock(gpr);
         m_jit.xorPtr(TrustedImm32(static_cast<int32_t>(ValueFalse)), gpr);
-        speculationCheck(m_jit.branchTestPtr(MacroAssembler::NonZero, gpr, TrustedImm32(static_cast<int32_t>(~1))), SpeculationRecovery(BooleanSpeculationCheck, gpr, InvalidGPRReg));
+        speculationCheck(JSValueRegs(gpr), nodeIndex, m_jit.branchTestPtr(MacroAssembler::NonZero, gpr, TrustedImm32(static_cast<int32_t>(~1))), SpeculationRecovery(BooleanSpeculationCheck, gpr, InvalidGPRReg));
         m_jit.xorPtr(TrustedImm32(static_cast<int32_t>(ValueFalse)), gpr);
         info.fillJSValue(gpr, DataFormatJSBoolean);
@@ -463 +463 @@
     case DataFormatJSCell:
     case DataFormatCell: {
-        terminateSpeculativeExecution();
+        terminateSpeculativeExecution(JSValueRegs(), NoNode);
         return allocate();
     }
@@ -506 +506 @@
     
     if (!predictionCheck(m_state.forNode(node.child1()).m_type))
-        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op1GPR), MacroAssembler::TrustedImmPtr(vptr)));
+        speculationCheck(JSValueRegs(op1GPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op1GPR), MacroAssembler::TrustedImmPtr(vptr)));
     if (!predictionCheck(m_state.forNode(node.child2()).m_type))
-        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op2GPR), MacroAssembler::TrustedImmPtr(vptr)));
+        speculationCheck(JSValueRegs(op2GPR), node.child2(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(op2GPR), MacroAssembler::TrustedImmPtr(vptr)));
     
     MacroAssembler::Jump falseCase = m_jit.branchPtr(MacroAssembler::NotEqual, op1GPR, op2GPR);
@@ -585 +585 @@
     MacroAssembler::Jump notCell = m_jit.branchTestPtr(MacroAssembler::NonZero, valueGPR, GPRInfo::tagMaskRegister);
     if (needSpeculationCheck)
-        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(valueGPR), MacroAssembler::TrustedImmPtr(vptr)));
+        speculationCheck(JSValueRegs(valueGPR), nodeIndex, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(valueGPR), MacroAssembler::TrustedImmPtr(vptr)));
     m_jit.move(TrustedImm32(static_cast<int32_t>(ValueFalse)), resultGPR);
     MacroAssembler::Jump done = m_jit.jump();
@@ -594 +594 @@
         m_jit.move(valueGPR, resultGPR);
         m_jit.andPtr(MacroAssembler::TrustedImm32(~TagBitUndefined), resultGPR);
-        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, resultGPR, MacroAssembler::TrustedImmPtr(reinterpret_cast<void*>(ValueNull))));
+        speculationCheck(JSValueRegs(valueGPR), nodeIndex, m_jit.branchPtr(MacroAssembler::NotEqual, resultGPR, MacroAssembler::TrustedImmPtr(reinterpret_cast<void*>(ValueNull))));
     }
     m_jit.move(TrustedImm32(static_cast<int32_t>(ValueTrue)), resultGPR);
@@ -650 +650 @@
         m_jit.move(value.gpr(), result.gpr());
         m_jit.xorPtr(TrustedImm32(static_cast<int32_t>(ValueFalse)), result.gpr());
-        speculationCheck(m_jit.branchTestPtr(JITCompiler::NonZero, result.gpr(), TrustedImm32(static_cast<int32_t>(~1))));
+        speculationCheck(JSValueRegs(value.gpr()), node.child1(), m_jit.branchTestPtr(JITCompiler::NonZero, result.gpr(), TrustedImm32(static_cast<int32_t>(~1))));
         m_jit.xorPtr(TrustedImm32(static_cast<int32_t>(ValueTrue)), result.gpr());
         
@@ -689 +689 @@
     MacroAssembler::Jump notCell = m_jit.branchTestPtr(MacroAssembler::NonZero, valueGPR, GPRInfo::tagMaskRegister);
     if (needSpeculationCheck)
-        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(valueGPR), MacroAssembler::TrustedImmPtr(vptr)));
+        speculationCheck(JSValueRegs(valueGPR), nodeIndex, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(valueGPR), MacroAssembler::TrustedImmPtr(vptr)));
     addBranch(m_jit.jump(), taken);
     
@@ -697 +697 @@
         m_jit.move(valueGPR, scratchGPR);
         m_jit.andPtr(MacroAssembler::TrustedImm32(~TagBitUndefined), scratchGPR);
-        speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, scratchGPR, MacroAssembler::TrustedImmPtr(reinterpret_cast<void*>(ValueNull))));
+        speculationCheck(JSValueRegs(valueGPR), nodeIndex, m_jit.branchPtr(MacroAssembler::NotEqual, scratchGPR, MacroAssembler::TrustedImmPtr(reinterpret_cast<void*>(ValueNull))));
     }
     if (notTaken != (m_block + 1))
@@ -765 +765 @@
             addBranch(m_jit.branchPtr(MacroAssembler::Equal, valueGPR, MacroAssembler::ImmPtr(JSValue::encode(jsBoolean(true)))), taken);
 
-            speculationCheck(m_jit.jump());
+            speculationCheck(JSValueRegs(valueGPR), node.child1(), m_jit.jump());
             value.use();
         } else {
@@ -806 +806 @@
         // If we have no prediction for this local, then don't attempt to compile.
         if (prediction == PredictNone || value.isClear()) {
-            terminateSpeculativeExecution();
+            terminateSpeculativeExecution(JSValueRegs(), NoNode);
             break;
         }
@@ -876 +876 @@
             GPRReg cellGPR = cell.gpr();
             if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
-                speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(cellGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
+                speculationCheck(JSValueRegs(cellGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(cellGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
             m_jit.storePtr(cellGPR, JITCompiler::addressFor(node.local()));
             noResult(m_compileIndex);
@@ -883 +883 @@
             GPRReg cellGPR = cell.gpr();
             if (!isByteArrayPrediction(m_state.forNode(node.child1()).m_type))
-                speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(cellGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsByteArrayVPtr)));
+                speculationCheck(JSValueRegs(cellGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(cellGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsByteArrayVPtr)));
             m_jit.storePtr(cellGPR, JITCompiler::addressFor(node.local()));
             noResult(m_compileIndex);
@@ -988 +988 @@
 
         // Test the operand is positive.
-        speculationCheck(m_jit.branch32(MacroAssembler::LessThan, op1.gpr(), TrustedImm32(0)));
+        speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::LessThan, op1.gpr(), TrustedImm32(0)));
 
         m_jit.move(op1.gpr(), result.gpr());
@@ -1036 +1036 @@
                     m_jit.add32(Imm32(imm1), result.gpr());
                 } else
-                    speculationCheck(m_jit.branchAdd32(MacroAssembler::Overflow, op2.gpr(), Imm32(imm1), result.gpr()));
+                    speculationCheck(JSValueRegs(), NoNode, m_jit.branchAdd32(MacroAssembler::Overflow, op2.gpr(), Imm32(imm1), result.gpr()));
 
                 integerResult(result.gpr(), m_compileIndex);
@@ -1051 +1051 @@
                     m_jit.add32(Imm32(imm2), result.gpr());
                 } else
-                    speculationCheck(m_jit.branchAdd32(MacroAssembler::Overflow, op1.gpr(), Imm32(imm2), result.gpr()));
+                    speculationCheck(JSValueRegs(), NoNode, m_jit.branchAdd32(MacroAssembler::Overflow, op1.gpr(), Imm32(imm2), result.gpr()));
 
                 integerResult(result.gpr(), m_compileIndex);
@@ -1076 +1076 @@
                 
                 if (gpr1 == gprResult)
-                    speculationCheck(check, SpeculationRecovery(SpeculativeAdd, gprResult, gpr2));
+                    speculationCheck(JSValueRegs(), NoNode, check, SpeculationRecovery(SpeculativeAdd, gprResult, gpr2));
                 else if (gpr2 == gprResult)
-                    speculationCheck(check, SpeculationRecovery(SpeculativeAdd, gprResult, gpr1));
+                    speculationCheck(JSValueRegs(), NoNode, check, SpeculationRecovery(SpeculativeAdd, gprResult, gpr1));
                 else
-                    speculationCheck(check);
+                    speculationCheck(JSValueRegs(), NoNode, check);
             }
 
@@ -1116 +1116 @@
                     m_jit.sub32(Imm32(imm2), result.gpr());
                 } else
-                    speculationCheck(m_jit.branchSub32(MacroAssembler::Overflow, op1.gpr(), Imm32(imm2), result.gpr()));
+                    speculationCheck(JSValueRegs(), NoNode, m_jit.branchSub32(MacroAssembler::Overflow, op1.gpr(), Imm32(imm2), result.gpr()));
 
                 integerResult(result.gpr(), m_compileIndex);
@@ -1130 +1130 @@
                 m_jit.sub32(op2.gpr(), result.gpr());
             } else
-                speculationCheck(m_jit.branchSub32(MacroAssembler::Overflow, op1.gpr(), op2.gpr(), result.gpr()));
+                speculationCheck(JSValueRegs(), NoNode, m_jit.branchSub32(MacroAssembler::Overflow, op1.gpr(), op2.gpr(), result.gpr()));
 
             integerResult(result.gpr(), m_compileIndex);
@@ -1165 +1165 @@
             // domain.
             
-            speculationCheck(m_jit.branchMul32(MacroAssembler::Overflow, reg1, reg2, result.gpr()));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchMul32(MacroAssembler::Overflow, reg1, reg2, result.gpr()));
             
             // Check for negative zero, if the users of this node care about such things.
             if (!nodeCanIgnoreNegativeZero(node.arithNodeFlags())) {
                 MacroAssembler::Jump resultNonZero = m_jit.branchTest32(MacroAssembler::NonZero, result.gpr());
-                speculationCheck(m_jit.branch32(MacroAssembler::LessThan, reg1, TrustedImm32(0)));
-                speculationCheck(m_jit.branch32(MacroAssembler::LessThan, reg2, TrustedImm32(0)));
+                speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::LessThan, reg1, TrustedImm32(0)));
+                speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::LessThan, reg2, TrustedImm32(0)));
                 resultNonZero.link(&m_jit);
             }
@@ -1201 +1201 @@
             GPRReg op2GPR = op2.gpr();
             
-            speculationCheck(m_jit.branchTest32(JITCompiler::Zero, op2GPR));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchTest32(JITCompiler::Zero, op2GPR));
             
             // If the user cares about negative zero, then speculate that we're not about
@@ -1207 +1207 @@
             if (!nodeCanIgnoreNegativeZero(node.arithNodeFlags())) {
                 MacroAssembler::Jump numeratorNonZero = m_jit.branchTest32(MacroAssembler::NonZero, op1GPR);
-                speculationCheck(m_jit.branch32(MacroAssembler::LessThan, op2GPR, TrustedImm32(0)));
+                speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::LessThan, op2GPR, TrustedImm32(0)));
                 numeratorNonZero.link(&m_jit);
             }
@@ -1227 +1227 @@
             // Check that there was no remainder. If there had been, then we'd be obligated to
             // produce a double result instead.
-            speculationCheck(m_jit.branchTest32(JITCompiler::NonZero, edx.gpr()));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchTest32(JITCompiler::NonZero, edx.gpr()));
             
             integerResult(eax.gpr(), m_compileIndex);
@@ -1271 +1271 @@
         GPRReg op2Gpr = op2.gpr();
 
-        speculationCheck(m_jit.branchTest32(JITCompiler::Zero, op2Gpr));
+        speculationCheck(JSValueRegs(), NoNode, m_jit.branchTest32(JITCompiler::Zero, op2Gpr));
 
         GPRReg temp2 = InvalidGPRReg;
@@ -1301 +1301 @@
             m_jit.add32(scratch.gpr(), result.gpr());
             m_jit.xor32(scratch.gpr(), result.gpr());
-            speculationCheck(m_jit.branch32(MacroAssembler::Equal, result.gpr(), MacroAssembler::TrustedImm32(1 << 31)));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::Equal, result.gpr(), MacroAssembler::TrustedImm32(1 << 31)));
             integerResult(result.gpr(), m_compileIndex);
             break;
@@ -1485 +1485 @@
         // If we have predicted the base to be type array, we can skip the check.
         if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
-        speculationCheck(m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset())));
+            speculationCheck(JSValueRegs(baseReg), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
+        speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset())));
 
         // FIXME: In cases where there are subsequent by_val accesses to the same base it might help to cache
@@ -1493 +1493 @@
         GPRTemporary& result = storage;
         m_jit.loadPtr(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::ScalePtr, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])), result.gpr());
-        speculationCheck(m_jit.branchTestPtr(MacroAssembler::Zero, result.gpr()));
+        speculationCheck(JSValueRegs(), NoNode, m_jit.branchTestPtr(MacroAssembler::Zero, result.gpr()));
 
         jsValueResult(result.gpr(), m_compileIndex);
@@ -1540 +1540 @@
         // If we have predicted the base to be type array, we can skip the check.
         if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
+            speculationCheck(JSValueRegs(baseReg), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
 
         base.use();
@@ -1628 +1628 @@
 
         if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
+            speculationCheck(JSValueRegs(baseGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
         
         m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArray::storageOffset()), storageGPR);
@@ -1634 +1634 @@
         
         // Refuse to handle bizarre lengths.
-        speculationCheck(m_jit.branch32(MacroAssembler::Above, storageLengthGPR, TrustedImm32(0x7ffffffe)));
+        speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::Above, storageLengthGPR, TrustedImm32(0x7ffffffe)));
         
         MacroAssembler::Jump slowPath = m_jit.branch32(MacroAssembler::AboveOrEqual, storageLengthGPR, MacroAssembler::Address(baseGPR, JSArray::vectorLengthOffset()));
@@ -1671 +1671 @@
         
         if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
+            speculationCheck(JSValueRegs(baseGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
         
         m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArray::storageOffset()), storageGPR);
@@ -1776 +1776 @@
         // We expect that throw statements are rare and are intended to exit the code block
         // anyway, so we just OSR back to the old JIT for now.
-        terminateSpeculativeExecution();
+        terminateSpeculativeExecution(JSValueRegs(), NoNode);
         break;
     }
@@ -1909 +1909 @@
                 m_jit.move(thisValueGPR, scratchGPR);
                 m_jit.andPtr(MacroAssembler::TrustedImm32(~TagBitUndefined), scratchGPR);
-                speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, scratchGPR, MacroAssembler::TrustedImmPtr(reinterpret_cast<void*>(ValueNull))));
+                speculationCheck(JSValueRegs(thisValueGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, scratchGPR, MacroAssembler::TrustedImmPtr(reinterpret_cast<void*>(ValueNull))));
             }
             
@@ -1924 +1924 @@
             
             if (!isObjectPrediction(m_state.forNode(node.child1()).m_type))
-                speculationCheck(m_jit.branchPtr(JITCompiler::Equal, JITCompiler::Address(thisValueGPR), JITCompiler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
+                speculationCheck(JSValueRegs(thisValueGPR), node.child1(), m_jit.branchPtr(JITCompiler::Equal, JITCompiler::Address(thisValueGPR), JITCompiler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
             
             m_jit.move(thisValueGPR, resultGPR);
@@ -1968 +1968 @@
         if (at(node.child1()).shouldSpeculateFinalObject()) {
             if (!isFinalObjectPrediction(m_state.forNode(node.child1()).m_type))
-                speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(protoGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsFinalObjectVPtr)));
+                speculationCheck(JSValueRegs(protoGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(protoGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsFinalObjectVPtr)));
         } else {
             m_jit.loadPtr(MacroAssembler::Address(protoGPR, JSCell::structureOffset()), scratchGPR);
@@ -2071 +2071 @@
     }
     case GetById: {
+        if (!node.prediction()) {
+            terminateSpeculativeExecution(JSValueRegs(), NoNode);
+            break;
+        }
+        
         SpeculateCellOperand base(this, node.child1());
         GPRTemporary result(this, base);
@@ -2099 +2104 @@
         
         if (!isArrayPrediction(m_state.forNode(node.child1()).m_type))
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
+            speculationCheck(JSValueRegs(baseGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
         
         m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArray::storageOffset()), resultGPR);
         m_jit.load32(MacroAssembler::Address(resultGPR, OBJECT_OFFSETOF(ArrayStorage, m_length)), resultGPR);
         
-        speculationCheck(m_jit.branch32(MacroAssembler::LessThan, resultGPR, MacroAssembler::TrustedImm32(0)));
+        speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::LessThan, resultGPR, MacroAssembler::TrustedImm32(0)));
         
         integerResult(resultGPR, m_compileIndex);
@@ -2118 +2123 @@
         
         if (!isStringPrediction(m_state.forNode(node.child1()).m_type))
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
+            speculationCheck(JSValueRegs(baseGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
         
         m_jit.load32(MacroAssembler::Address(baseGPR, JSString::offsetOfLength()), resultGPR);
@@ -2134 +2139 @@
         
         if (!isByteArrayPrediction(m_state.forNode(node.child1()).m_type))
-            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsByteArrayVPtr)));
+            speculationCheck(JSValueRegs(baseGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsByteArrayVPtr)));
         
         m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSByteArray::offsetOfStorage()), resultGPR);
@@ -2145 +2150 @@
     case CheckFunction: {
         SpeculateCellOperand function(this, node.child1());
-        speculationCheck(m_jit.branchPtr(JITCompiler::NotEqual, function.gpr(), JITCompiler::TrustedImmPtr(node.function())));
+        speculationCheck(JSValueRegs(), NoNode, m_jit.branchPtr(JITCompiler::NotEqual, function.gpr(), JITCompiler::TrustedImmPtr(node.function())));
         noResult(m_compileIndex);
         break;
@@ -2160 +2165 @@
         
         if (node.structureSet().size() == 1)
-            speculationCheck(m_jit.branchPtr(JITCompiler::NotEqual, JITCompiler::Address(base.gpr(), JSCell::structureOffset()), JITCompiler::TrustedImmPtr(node.structureSet()[0])));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchPtr(JITCompiler::NotEqual, JITCompiler::Address(base.gpr(), JSCell::structureOffset()), JITCompiler::TrustedImmPtr(node.structureSet()[0])));
         else {
             GPRTemporary structure(this);
@@ -2171 +2176 @@
                 done.append(m_jit.branchPtr(JITCompiler::Equal, structure.gpr(), JITCompiler::TrustedImmPtr(node.structureSet()[i])));
             
-            speculationCheck(m_jit.branchPtr(JITCompiler::NotEqual, structure.gpr(), JITCompiler::TrustedImmPtr(node.structureSet().last())));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchPtr(JITCompiler::NotEqual, structure.gpr(), JITCompiler::TrustedImmPtr(node.structureSet().last())));
             
             done.link(&m_jit);
@@ -2275 +2280 @@
         
         if (!m_state.forNode(node.child1()).m_structure.doesNotContainAnyOtherThan(methodCheckData.structure))
-            speculationCheck(m_jit.branchPtr(JITCompiler::NotEqual, JITCompiler::Address(baseGPR, JSCell::structureOffset()), JITCompiler::TrustedImmPtr(methodCheckData.structure)));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchPtr(JITCompiler::NotEqual, JITCompiler::Address(baseGPR, JSCell::structureOffset()), JITCompiler::TrustedImmPtr(methodCheckData.structure)));
         if (methodCheckData.prototype != m_jit.codeBlock()->globalObject()->methodCallDummy()) {
             m_jit.move(JITCompiler::TrustedImmPtr(methodCheckData.prototype->structureAddress()), scratchGPR);
-            speculationCheck(m_jit.branchPtr(JITCompiler::NotEqual, JITCompiler::Address(scratchGPR), JITCompiler::TrustedImmPtr(methodCheckData.prototypeStructure)));
+            speculationCheck(JSValueRegs(), NoNode, m_jit.branchPtr(JITCompiler::NotEqual, JITCompiler::Address(scratchGPR), JITCompiler::TrustedImmPtr(methodCheckData.prototypeStructure)));
         }
         
@@ -2358 +2363 @@
         // Speculate that base 'ImplementsDefaultHasInstance'.
         m_jit.loadPtr(MacroAssembler::Address(base.gpr(), JSCell::structureOffset()), structure.gpr());
-        speculationCheck(m_jit.branchTest8(MacroAssembler::Zero, MacroAssembler::Address(structure.gpr(), Structure::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance)));
+        speculationCheck(JSValueRegs(), NoNode, m_jit.branchTest8(MacroAssembler::Zero, MacroAssembler::Address(structure.gpr(), Structure::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance)));
 
         noResult(m_compileIndex);
@@ -2377 +2382 @@
         // Check that prototype is an object.
         m_jit.loadPtr(MacroAssembler::Address(prototypeReg, JSCell::structureOffset()), scratchReg);
-        speculationCheck(m_jit.branchIfNotObject(scratchReg));
+        speculationCheck(JSValueRegs(), NoNode, m_jit.branchIfNotObject(scratchReg));
 
         // Initialize scratchReg with the value being checked.
@@ -2479 +2484 @@
 
     case ForceOSRExit: {
-        terminateSpeculativeExecution();
+        terminateSpeculativeExecution(JSValueRegs(), NoNode);
         break;
     }

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -348 +348 @@
 
     compileGetByIdSlowCase(resultVReg, baseVReg, ident, iter, true);
+    emitValueProfilingSite(SubsequentProfilingSite);
 
     // We've already generated the following get_by_id, so make sure it's skipped over.

trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp

@@ -162 +162 @@
     
     compileGetByIdSlowCase(dst, base, &(m_codeBlock->identifier(ident)), iter, true);
+    emitValueProfilingSite(SubsequentProfilingSite);
     
     // We've already generated the following get_by_id, so make sure it's skipped over.

trunk/Source/JavaScriptCore/runtime/Heuristics.cpp

@@ -147 +147 @@
     SET(maximumOptimizationDelay,   5);
     SET(desiredProfileLivenessRate, 0.75);
-    SET(desiredProfileFullnessRate, 0.25);
+    SET(desiredProfileFullnessRate, 0.35);
     
     ASSERT(executionCounterValueForDontOptimizeAnytimeSoon <= executionCounterValueForOptimizeAfterLongWarmUp);

trunk/Source/JavaScriptCore/runtime/JSValue.h

@@ -50 +50 @@
         class JITCompiler;
         class JITCodeGenerator;
+        class JSValueSource;
         class SpeculativeJIT;
     }
@@ -111 +112 @@
         friend class DFG::JITCompiler;
         friend class DFG::JITCodeGenerator;
+        friend class DFG::JSValueSource;
         friend class DFG::SpeculativeJIT;
 #endif