[webkit-changes] [285530] trunk/Source/JavaScriptCore

Tue, 09 Nov 2021 13:34:13 -0800

Title: [285530] trunk/Source/_javascript_Core
Revision
285530
Author
commit-qu...@webkit.org
Date
2021-11-09 13:33:34 -0800 (Tue, 09 Nov 2021)

Log Message

Refactoring and PutByVal cleanup
https://bugs.webkit.org/show_bug.cgi?id=232265

Patch by Mikhail R. Gadelha <mikh...@igalia.com> on 2021-11-09
Reviewed by Saam Barati.

Follow-up from https://bugs.webkit.org/show_bug.cgi?id=232242,
this patch includes several small code changes but the patch doesn't
add/remove any feature:

1. Removed several calls to operationPutByVal*Cell* that were
only used by the 32 bit code paths due to the lack of registers.
These calls were replaced by the calls used by the 64 bit paths,
that expect EncodedJSValues
2. Because of #1, this patch removes those methods, since no one
uses them anymore.
3. Created compilePutByVal to handle all cases (similar to compileGetByVal).
4. Removed the Edge& childX from the PutByVal handling (and all methods
that expected them) in favor of getting them from node when needed.
5. Unified compileContiguousPutByVal so it could be used by both 32
and 64 bit archs.
6. Removed a lot of whitespace.

* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
(JSC::DFG::SpeculativeJIT::compilePutByVal):
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetPrivateName): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetPrivateNameByVal): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetPrivateNameById): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutByValForCellWithString): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutByValForCellWithSymbol): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetByValWithThis): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutPrivateName): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutPrivateNameById): Deleted.
(JSC::DFG::SpeculativeJIT::compileCheckPrivateBrand): Deleted.
(JSC::DFG::SpeculativeJIT::compileSetPrivateBrand): Deleted.
(JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags): Deleted.
(JSC::DFG::SpeculativeJIT::compileParseInt): Deleted.
(JSC::DFG::SpeculativeJIT::compileOverridesHasInstance): Deleted.
(JSC::DFG::SpeculativeJIT::compileInstanceOfForCells): Deleted.
(JSC::DFG::SpeculativeJIT::compileInstanceOf): Deleted.
(JSC::DFG::SpeculativeJIT::compileValueBitNot): Deleted.
(JSC::DFG::SpeculativeJIT::compileBitwiseNot): Deleted.
(JSC::DFG::SpeculativeJIT::emitUntypedOrAnyBigIntBitOp): Deleted.
(JSC::DFG::SpeculativeJIT::compileValueBitwiseOp): Deleted.
(JSC::DFG::SpeculativeJIT::compileBitwiseOp): Deleted.
(JSC::DFG::SpeculativeJIT::emitUntypedOrBigIntRightShiftBitOp): Deleted.
(JSC::DFG::SpeculativeJIT::compileValueLShiftOp): Deleted.
(JSC::DFG::SpeculativeJIT::compileValueBitRShift): Deleted.
(JSC::DFG::SpeculativeJIT::compileShiftOp): Deleted.
(JSC::DFG::SpeculativeJIT::compileValueAdd): Deleted.
(JSC::DFG::SpeculativeJIT::compileValueSub): Deleted.
(JSC::DFG::SpeculativeJIT::compileMathIC): Deleted.
(JSC::DFG::SpeculativeJIT::compileInstanceOfCustom): Deleted.
(JSC::DFG::SpeculativeJIT::compileIsCellWithType): Deleted.
(JSC::DFG::SpeculativeJIT::compileIsTypedArrayView): Deleted.
(JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor): Deleted.
(JSC::DFG::SpeculativeJIT::compileArithAdd): Deleted.
(JSC::DFG::SpeculativeJIT::compileArithAbs): Deleted.
(JSC::DFG::SpeculativeJIT::compileArithClz32): Deleted.
(JSC::DFG::SpeculativeJIT::compileArithDoubleUnaryOp): Deleted.
(JSC::DFG::SpeculativeJIT::compileArithSub): Deleted.
(JSC::DFG::SpeculativeJIT::compileIncOrDec): Deleted.
(JSC::DFG::SpeculativeJIT::compileValueNegate): Deleted.
(JSC::DFG::SpeculativeJIT::compileArithNegate): Deleted.
(JSC::DFG::SpeculativeJIT::compileValueMul): Deleted.
(JSC::DFG::SpeculativeJIT::compileArithMul): Deleted.
(JSC::DFG::SpeculativeJIT::compileValueDiv): Deleted.
(JSC::DFG::SpeculativeJIT::compileArithDiv): Deleted.
(JSC::DFG::SpeculativeJIT::compileArithFRound): Deleted.
(JSC::DFG::SpeculativeJIT::compileValueMod): Deleted.
(JSC::DFG::SpeculativeJIT::compileArithMod): Deleted.
(JSC::DFG::SpeculativeJIT::compileArithRounding): Deleted.
(JSC::DFG::SpeculativeJIT::compileArithUnary): Deleted.
(JSC::DFG::SpeculativeJIT::compileArithSqrt): Deleted.
(JSC::DFG::SpeculativeJIT::compileArithMinMax): Deleted.
(JSC::DFG::compileArithPowIntegerFastPath): Deleted.
(JSC::DFG::SpeculativeJIT::compileValuePow): Deleted.
(JSC::DFG::SpeculativeJIT::compileArithPow): Deleted.
(JSC::DFG::SpeculativeJIT::compare): Deleted.
(JSC::DFG::SpeculativeJIT::compileCompareUnsigned): Deleted.
(JSC::DFG::SpeculativeJIT::compileStrictEq): Deleted.
(JSC::DFG::SpeculativeJIT::compileBooleanCompare): Deleted.
(JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
(JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
(JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
(JSC::DFG::SpeculativeJIT::compileSymbolEquality): Deleted.
(JSC::DFG::SpeculativeJIT::compilePeepHoleSymbolEquality): Deleted.
(JSC::DFG::SpeculativeJIT::emitBitwiseJSValueEquality): Deleted.
(JSC::DFG::SpeculativeJIT::emitBranchOnBitwiseJSValueEquality): Deleted.
(JSC::DFG::SpeculativeJIT::compileNotDoubleNeitherDoubleNorHeapBigIntNorStringStrictEquality): Deleted.
(JSC::DFG::SpeculativeJIT::compilePeepHoleNotDoubleNeitherDoubleNorHeapBigIntNorStringStrictEquality): Deleted.
(JSC::DFG::SpeculativeJIT::compileStringEquality): Deleted.
(JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality): Deleted.
(JSC::DFG::SpeculativeJIT::compileStringIdentEquality): Deleted.
(JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality): Deleted.
(JSC::DFG::SpeculativeJIT::compileStringCompare): Deleted.
(JSC::DFG::SpeculativeJIT::compileStringIdentCompare): Deleted.
(JSC::DFG::SpeculativeJIT::compileSameValue): Deleted.
(JSC::DFG::SpeculativeJIT::compileToBooleanString): Deleted.
(JSC::DFG::SpeculativeJIT::compileToBooleanStringOrOther): Deleted.
(JSC::DFG::SpeculativeJIT::emitStringBranch): Deleted.
(JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch): Deleted.
(JSC::DFG::SpeculativeJIT::compileConstantStoragePointer): Deleted.
(JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetScope): Deleted.
(JSC::DFG::SpeculativeJIT::compileSkipScope): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetGlobalObject): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetGlobalThis): Deleted.
(JSC::DFG::SpeculativeJIT::canBeRope): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetArrayLength): Deleted.
(JSC::DFG::SpeculativeJIT::compileCheckIdent): Deleted.
(JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): Deleted.
(JSC::DFG::SpeculativeJIT::compileNewFunction): Deleted.
(JSC::DFG::SpeculativeJIT::compileSetFunctionName): Deleted.
(JSC::DFG::SpeculativeJIT::compileVarargsLength): Deleted.
(JSC::DFG::SpeculativeJIT::compileLoadVarargs): Deleted.
(JSC::DFG::SpeculativeJIT::compileForwardVarargs): Deleted.
(JSC::DFG::SpeculativeJIT::compileCreateActivation): Deleted.
(JSC::DFG::SpeculativeJIT::compileCreateDirectArguments): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetFromArguments): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutToArguments): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetArgument): Deleted.
(JSC::DFG::SpeculativeJIT::compileCreateScopedArguments): Deleted.
(JSC::DFG::SpeculativeJIT::compileCreateClonedArguments): Deleted.
(JSC::DFG::SpeculativeJIT::compileCreateArgumentsButterfly): Deleted.
(JSC::DFG::SpeculativeJIT::compileCreateRest): Deleted.
(JSC::DFG::SpeculativeJIT::compileSpread): Deleted.
(JSC::DFG::SpeculativeJIT::compileNewArray): Deleted.
(JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetRestLength): Deleted.
(JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex): Deleted.
(JSC::DFG::SpeculativeJIT::compileArraySlice): Deleted.
(JSC::DFG::SpeculativeJIT::compileArrayIndexOf): Deleted.
(JSC::DFG::SpeculativeJIT::compileArrayPush): Deleted.
(JSC::DFG::SpeculativeJIT::compileNotifyWrite): Deleted.
(JSC::DFG::SpeculativeJIT::compileIsObject): Deleted.
(JSC::DFG::SpeculativeJIT::compileTypeOfIsObject): Deleted.
(JSC::DFG::SpeculativeJIT::compileIsCallable): Deleted.
(JSC::DFG::SpeculativeJIT::compileIsConstructor): Deleted.
(JSC::DFG::SpeculativeJIT::compileTypeOf): Deleted.
(JSC::DFG::SpeculativeJIT::emitStructureCheck): Deleted.
(JSC::DFG::SpeculativeJIT::compileCheckIsConstant): Deleted.
(JSC::DFG::SpeculativeJIT::compileCheckNotEmpty): Deleted.
(JSC::DFG::SpeculativeJIT::compileCheckStructure): Deleted.
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage): Deleted.
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage): Deleted.
(JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetButterfly): Deleted.
(JSC::DFG::allocateTemporaryRegistersForSnippet): Deleted.
(JSC::DFG::SpeculativeJIT::compileCallDOM): Deleted.
(JSC::DFG::SpeculativeJIT::compileCallDOMGetter): Deleted.
(JSC::DFG::SpeculativeJIT::compileCheckJSCast): Deleted.
(JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal): Deleted.
(JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOrStringValueOf): Deleted.
(JSC::DFG::getExecutable): Deleted.
(JSC::DFG::SpeculativeJIT::compileFunctionToString): Deleted.
(JSC::DFG::SpeculativeJIT::compileNumberToStringWithValidRadixConstant): Deleted.
(JSC::DFG::SpeculativeJIT::compileNumberToStringWithRadix): Deleted.
(JSC::DFG::SpeculativeJIT::compileNewStringObject): Deleted.
(JSC::DFG::SpeculativeJIT::compileNewSymbol): Deleted.
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): Deleted.
(JSC::DFG::SpeculativeJIT::emitNewTypedArrayWithSizeInRegister): Deleted.
(JSC::DFG::SpeculativeJIT::compileNewRegexp): Deleted.
(JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering): Deleted.
(JSC::DFG::SpeculativeJIT::speculateCellType): Deleted.
(JSC::DFG::SpeculativeJIT::speculateInt32): Deleted.
(JSC::DFG::SpeculativeJIT::speculateNumber): Deleted.
(JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
(JSC::DFG::SpeculativeJIT::speculateDoubleRepReal): Deleted.
(JSC::DFG::SpeculativeJIT::speculateBoolean): Deleted.
(JSC::DFG::SpeculativeJIT::speculateCell): Deleted.
(JSC::DFG::SpeculativeJIT::speculateCellOrOther): Deleted.
(JSC::DFG::SpeculativeJIT::speculateObject): Deleted.
(JSC::DFG::SpeculativeJIT::speculateFunction): Deleted.
(JSC::DFG::SpeculativeJIT::speculateFinalObject): Deleted.
(JSC::DFG::SpeculativeJIT::speculateRegExpObject): Deleted.
(JSC::DFG::SpeculativeJIT::speculateArray): Deleted.
(JSC::DFG::SpeculativeJIT::speculateProxyObject): Deleted.
(JSC::DFG::SpeculativeJIT::speculateDerivedArray): Deleted.
(JSC::DFG::SpeculativeJIT::speculatePromiseObject): Deleted.
(JSC::DFG::SpeculativeJIT::speculateDateObject): Deleted.
(JSC::DFG::SpeculativeJIT::speculateMapObject): Deleted.
(JSC::DFG::SpeculativeJIT::speculateSetObject): Deleted.
(JSC::DFG::SpeculativeJIT::speculateWeakMapObject): Deleted.
(JSC::DFG::SpeculativeJIT::speculateWeakSetObject): Deleted.
(JSC::DFG::SpeculativeJIT::speculateDataViewObject): Deleted.
(JSC::DFG::SpeculativeJIT::speculateObjectOrOther): Deleted.
(JSC::DFG::SpeculativeJIT::speculateString): Deleted.
(JSC::DFG::SpeculativeJIT::speculateStringOrOther): Deleted.
(JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage): Deleted.
(JSC::DFG::SpeculativeJIT::speculateStringIdent): Deleted.
(JSC::DFG::SpeculativeJIT::speculateStringObject): Deleted.
(JSC::DFG::SpeculativeJIT::speculateStringOrStringObject): Deleted.
(JSC::DFG::SpeculativeJIT::speculateNotStringVar): Deleted.
(JSC::DFG::SpeculativeJIT::speculateNotSymbol): Deleted.
(JSC::DFG::SpeculativeJIT::speculateSymbol): Deleted.
(JSC::DFG::SpeculativeJIT::speculateHeapBigInt): Deleted.
(JSC::DFG::SpeculativeJIT::speculateNotCell): Deleted.
(JSC::DFG::SpeculativeJIT::speculateNotCellNorBigInt): Deleted.
(JSC::DFG::SpeculativeJIT::speculateNotDouble): Deleted.
(JSC::DFG::SpeculativeJIT::speculateNeitherDoubleNorHeapBigInt): Deleted.
(JSC::DFG::SpeculativeJIT::speculateNeitherDoubleNorHeapBigIntNorString): Deleted.
(JSC::DFG::SpeculativeJIT::speculateOther): Deleted.
(JSC::DFG::SpeculativeJIT::speculateMisc): Deleted.
(JSC::DFG::SpeculativeJIT::speculate): Deleted.
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump): Deleted.
(JSC::DFG::SpeculativeJIT::emitSwitchImm): Deleted.
(JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump): Deleted.
(JSC::DFG::SpeculativeJIT::emitSwitchChar): Deleted.
(JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse): Deleted.
(JSC::DFG::SpeculativeJIT::emitSwitchStringOnString): Deleted.
(JSC::DFG::SpeculativeJIT::emitSwitchString): Deleted.
(JSC::DFG::SpeculativeJIT::emitSwitch): Deleted.
(JSC::DFG::SpeculativeJIT::addBranch): Deleted.
(JSC::DFG::SpeculativeJIT::linkBranches): Deleted.
(JSC::DFG::SpeculativeJIT::compileStoreBarrier): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutAccessorById): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutGetterSetterById): Deleted.
(JSC::DFG::SpeculativeJIT::compileResolveScope): Deleted.
(JSC::DFG::SpeculativeJIT::compileResolveScopeForHoistingFuncDeclInEval): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetGlobalVariable): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutGlobalVariable): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetDynamicVar): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutDynamicVar): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetClosureVar): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutClosureVar): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetInternalField): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutInternalField): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutAccessorByVal): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetRegExpObjectLastIndex): Deleted.
(JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex): Deleted.
(JSC::DFG::SpeculativeJIT::compileRegExpExec): Deleted.
(JSC::DFG::SpeculativeJIT::compileRegExpTest): Deleted.
(JSC::DFG::SpeculativeJIT::compileStringReplace): Deleted.
(JSC::DFG::SpeculativeJIT::compileRegExpExecNonGlobalOrSticky): Deleted.
(JSC::DFG::SpeculativeJIT::compileRegExpMatchFastGlobal): Deleted.
(JSC::DFG::SpeculativeJIT::compileRegExpMatchFast): Deleted.
(JSC::DFG::SpeculativeJIT::compileLazyJSConstant): Deleted.
(JSC::DFG::SpeculativeJIT::compileMaterializeNewObject): Deleted.
(JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult): Deleted.
(JSC::DFG::SpeculativeJIT::compileDefineDataProperty): Deleted.
(JSC::DFG::SpeculativeJIT::compileDefineAccessorProperty): Deleted.
(JSC::DFG::SpeculativeJIT::emitAllocateButterfly): Deleted.
(JSC::DFG::SpeculativeJIT::compileNormalizeMapKey): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetMapBucketHead): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetMapBucketNext): Deleted.
(JSC::DFG::SpeculativeJIT::compileLoadKeyFromMapBucket): Deleted.
(JSC::DFG::SpeculativeJIT::compileLoadValueFromMapBucket): Deleted.
(JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet): Deleted.
(JSC::DFG::SpeculativeJIT::compileThrow): Deleted.
(JSC::DFG::SpeculativeJIT::compileThrowStaticError): Deleted.
(JSC::DFG::SpeculativeJIT::compileEnumeratorNextUpdateIndexAndMode): Deleted.
(JSC::DFG::SpeculativeJIT::compileEnumeratorNextExtractIndex): Deleted.
(JSC::DFG::SpeculativeJIT::compileEnumeratorNextExtractMode): Deleted.
(JSC::DFG::SpeculativeJIT::compileEnumeratorNextUpdatePropertyName): Deleted.
(JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty): Deleted.
(JSC::DFG::SpeculativeJIT::compileEnumeratorInByVal): Deleted.
(JSC::DFG::SpeculativeJIT::compileEnumeratorHasOwnProperty): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutByIdFlush): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutById): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutByIdDirect): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutByIdWithThis): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetByOffset): Deleted.
(JSC::DFG::SpeculativeJIT::compilePutByOffset): Deleted.
(JSC::DFG::SpeculativeJIT::compileMatchStructure): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetPropertyEnumerator): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetExecutable): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetGetter): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetSetter): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetCallee): Deleted.
(JSC::DFG::SpeculativeJIT::compileSetCallee): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis): Deleted.
(JSC::DFG::SpeculativeJIT::compileSetArgumentCountIncludingThis): Deleted.
(JSC::DFG::SpeculativeJIT::compileStrCat): Deleted.
(JSC::DFG::SpeculativeJIT::compileNewArrayBuffer): Deleted.
(JSC::DFG::SpeculativeJIT::compileNewArrayWithSize): Deleted.
(JSC::DFG::SpeculativeJIT::compileNewTypedArray): Deleted.
(JSC::DFG::SpeculativeJIT::compileToThis): Deleted.
(JSC::DFG::SpeculativeJIT::compileObjectKeysOrObjectGetOwnPropertyNames): Deleted.
(JSC::DFG::SpeculativeJIT::compileObjectAssign): Deleted.
(JSC::DFG::SpeculativeJIT::compileObjectCreate): Deleted.
(JSC::DFG::SpeculativeJIT::compileCreateThis): Deleted.
(JSC::DFG::SpeculativeJIT::compileCreatePromise): Deleted.
(JSC::DFG::SpeculativeJIT::compileCreateInternalFieldObject): Deleted.
(JSC::DFG::SpeculativeJIT::compileCreateGenerator): Deleted.
(JSC::DFG::SpeculativeJIT::compileCreateAsyncGenerator): Deleted.
(JSC::DFG::SpeculativeJIT::compileNewObject): Deleted.
(JSC::DFG::SpeculativeJIT::compileNewInternalFieldObjectImpl): Deleted.
(JSC::DFG::SpeculativeJIT::compileNewGenerator): Deleted.
(JSC::DFG::SpeculativeJIT::compileNewAsyncGenerator): Deleted.
(JSC::DFG::SpeculativeJIT::compileNewInternalFieldObject): Deleted.
(JSC::DFG::SpeculativeJIT::compileToPrimitive): Deleted.
(JSC::DFG::SpeculativeJIT::compileToPropertyKey): Deleted.
(JSC::DFG::SpeculativeJIT::compileToNumeric): Deleted.
(JSC::DFG::SpeculativeJIT::compileCallNumberConstructor): Deleted.
(JSC::DFG::SpeculativeJIT::compileLogShadowChickenPrologue): Deleted.
(JSC::DFG::SpeculativeJIT::compileLogShadowChickenTail): Deleted.
(JSC::DFG::SpeculativeJIT::compileSetAdd): Deleted.
(JSC::DFG::SpeculativeJIT::compileMapSet): Deleted.
(JSC::DFG::SpeculativeJIT::compileWeakMapGet): Deleted.
(JSC::DFG::SpeculativeJIT::compileWeakSetAdd): Deleted.
(JSC::DFG::SpeculativeJIT::compileWeakMapSet): Deleted.
(JSC::DFG::SpeculativeJIT::compileGetPrototypeOf): Deleted.
(JSC::DFG::SpeculativeJIT::compileIdentity): Deleted.
(JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
(JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
(JSC::DFG::SpeculativeJIT::compileHasIndexedProperty): Deleted.
(JSC::DFG::SpeculativeJIT::compileExtractCatchLocal): Deleted.
(JSC::DFG::SpeculativeJIT::compileClearCatchLocals): Deleted.
(JSC::DFG::SpeculativeJIT::compileProfileType): Deleted.
(JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
(JSC::DFG::SpeculativeJIT::genericJSValueNonPeepholeCompare): Deleted.
(JSC::DFG::SpeculativeJIT::genericJSValuePeepholeBranch): Deleted.
(JSC::DFG::SpeculativeJIT::compileHeapBigIntEquality): Deleted.
(JSC::DFG::SpeculativeJIT::compileMakeRope): Deleted.
(JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal): Deleted.
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::compileContiguousPutByVal): Deleted.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::branchIfEmpty):
(JSC::AssemblyHelpers::branchIfNotEmpty):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (285529 => 285530)


--- trunk/Source/_javascript_Core/ChangeLog	2021-11-09 21:25:30 UTC (rev 285529)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-11-09 21:33:34 UTC (rev 285530)
@@ -1,3 +1,344 @@
+2021-11-09  Mikhail R. Gadelha  <mikh...@igalia.com>
+
+        Refactoring and PutByVal cleanup
+        https://bugs.webkit.org/show_bug.cgi?id=232265
+
+        Reviewed by Saam Barati.
+
+        Follow-up from https://bugs.webkit.org/show_bug.cgi?id=232242,
+        this patch includes several small code changes but the patch doesn't
+        add/remove any feature:
+
+        1. Removed several calls to operationPutByVal*Cell* that were
+        only used by the 32 bit code paths due to the lack of registers.
+        These calls were replaced by the calls used by the 64 bit paths,
+        that expect EncodedJSValues
+        2. Because of #1, this patch removes those methods, since no one
+        uses them anymore.
+        3. Created compilePutByVal to handle all cases (similar to compileGetByVal).
+        4. Removed the Edge& childX from the PutByVal handling (and all methods
+        that expected them) in favor of getting them from node when needed.
+        5. Unified compileContiguousPutByVal so it could be used by both 32
+        and 64 bit archs.
+        6. Removed a lot of whitespace.
+
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
+        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
+        (JSC::DFG::SpeculativeJIT::compilePutByVal):
+        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): Deleted.
+        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetPrivateName): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetPrivateNameByVal): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetPrivateNameById): Deleted.
+        (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithString): Deleted.
+        (JSC::DFG::SpeculativeJIT::compilePutByValForCellWithSymbol): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetByValWithThis): Deleted.
+        (JSC::DFG::SpeculativeJIT::compilePutPrivateName): Deleted.
+        (JSC::DFG::SpeculativeJIT::compilePutPrivateNameById): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCheckPrivateBrand): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileSetPrivateBrand): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileParseInt): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileOverridesHasInstance): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileInstanceOfForCells): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileInstanceOf): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileValueBitNot): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileBitwiseNot): Deleted.
+        (JSC::DFG::SpeculativeJIT::emitUntypedOrAnyBigIntBitOp): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileValueBitwiseOp): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileBitwiseOp): Deleted.
+        (JSC::DFG::SpeculativeJIT::emitUntypedOrBigIntRightShiftBitOp): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileValueLShiftOp): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileValueBitRShift): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileShiftOp): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileValueAdd): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileValueSub): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileMathIC): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileInstanceOfCustom): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileIsCellWithType): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileIsTypedArrayView): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileArithAdd): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileArithAbs): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileArithClz32): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileArithDoubleUnaryOp): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileArithSub): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileIncOrDec): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileValueNegate): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileArithNegate): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileValueMul): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileArithMul): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileValueDiv): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileArithDiv): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileArithFRound): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileValueMod): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileArithMod): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileArithRounding): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileArithUnary): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileArithSqrt): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileArithMinMax): Deleted.
+        (JSC::DFG::compileArithPowIntegerFastPath): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileValuePow): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileArithPow): Deleted.
+        (JSC::DFG::SpeculativeJIT::compare): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCompareUnsigned): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileStrictEq): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileBooleanCompare): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileInt32Compare): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileDoubleCompare): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileObjectEquality): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileSymbolEquality): Deleted.
+        (JSC::DFG::SpeculativeJIT::compilePeepHoleSymbolEquality): Deleted.
+        (JSC::DFG::SpeculativeJIT::emitBitwiseJSValueEquality): Deleted.
+        (JSC::DFG::SpeculativeJIT::emitBranchOnBitwiseJSValueEquality): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNotDoubleNeitherDoubleNorHeapBigIntNorStringStrictEquality): Deleted.
+        (JSC::DFG::SpeculativeJIT::compilePeepHoleNotDoubleNeitherDoubleNorHeapBigIntNorStringStrictEquality): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileStringEquality): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileStringIdentEquality): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileStringCompare): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileStringIdentCompare): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileSameValue): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileToBooleanString): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileToBooleanStringOrOther): Deleted.
+        (JSC::DFG::SpeculativeJIT::emitStringBranch): Deleted.
+        (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileConstantStoragePointer): Deleted.
+        (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetScope): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileSkipScope): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetGlobalObject): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetGlobalThis): Deleted.
+        (JSC::DFG::SpeculativeJIT::canBeRope): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetArrayLength): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCheckIdent): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNewFunction): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileSetFunctionName): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileVarargsLength): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileLoadVarargs): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileForwardVarargs): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCreateActivation): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetFromArguments): Deleted.
+        (JSC::DFG::SpeculativeJIT::compilePutToArguments): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetArgument): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCreateScopedArguments): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCreateClonedArguments): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCreateArgumentsButterfly): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCreateRest): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileSpread): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNewArray): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetRestLength): Deleted.
+        (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileArraySlice): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileArrayIndexOf): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileArrayPush): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNotifyWrite): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileIsObject): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileTypeOfIsObject): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileIsCallable): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileIsConstructor): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileTypeOf): Deleted.
+        (JSC::DFG::SpeculativeJIT::emitStructureCheck): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCheckIsConstant): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCheckNotEmpty): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCheckStructure): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetButterfly): Deleted.
+        (JSC::DFG::allocateTemporaryRegistersForSnippet): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCallDOM): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCallDOMGetter): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCheckJSCast): Deleted.
+        (JSC::DFG::SpeculativeJIT::temporaryRegisterForPutByVal): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOrStringValueOf): Deleted.
+        (JSC::DFG::getExecutable): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileFunctionToString): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNumberToStringWithValidRadixConstant): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNumberToStringWithRadix): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNewStringObject): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNewSymbol): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): Deleted.
+        (JSC::DFG::SpeculativeJIT::emitNewTypedArrayWithSizeInRegister): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNewRegexp): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateCellType): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateInt32): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateNumber): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateDoubleRepReal): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateBoolean): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateCell): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateCellOrOther): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateObject): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateFunction): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateFinalObject): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateRegExpObject): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateArray): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateProxyObject): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateDerivedArray): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculatePromiseObject): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateDateObject): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateMapObject): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateSetObject): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateWeakMapObject): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateWeakSetObject): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateDataViewObject): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateString): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateStringOrOther): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateStringIdent): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateStringObject): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateNotStringVar): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateNotSymbol): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateSymbol): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateHeapBigInt): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateNotCell): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateNotCellNorBigInt): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateNotDouble): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateNeitherDoubleNorHeapBigInt): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateNeitherDoubleNorHeapBigIntNorString): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateOther): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculateMisc): Deleted.
+        (JSC::DFG::SpeculativeJIT::speculate): Deleted.
+        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump): Deleted.
+        (JSC::DFG::SpeculativeJIT::emitSwitchImm): Deleted.
+        (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump): Deleted.
+        (JSC::DFG::SpeculativeJIT::emitSwitchChar): Deleted.
+        (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse): Deleted.
+        (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString): Deleted.
+        (JSC::DFG::SpeculativeJIT::emitSwitchString): Deleted.
+        (JSC::DFG::SpeculativeJIT::emitSwitch): Deleted.
+        (JSC::DFG::SpeculativeJIT::addBranch): Deleted.
+        (JSC::DFG::SpeculativeJIT::linkBranches): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileStoreBarrier): Deleted.
+        (JSC::DFG::SpeculativeJIT::compilePutAccessorById): Deleted.
+        (JSC::DFG::SpeculativeJIT::compilePutGetterSetterById): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileResolveScope): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileResolveScopeForHoistingFuncDeclInEval): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetGlobalVariable): Deleted.
+        (JSC::DFG::SpeculativeJIT::compilePutGlobalVariable): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetDynamicVar): Deleted.
+        (JSC::DFG::SpeculativeJIT::compilePutDynamicVar): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetClosureVar): Deleted.
+        (JSC::DFG::SpeculativeJIT::compilePutClosureVar): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetInternalField): Deleted.
+        (JSC::DFG::SpeculativeJIT::compilePutInternalField): Deleted.
+        (JSC::DFG::SpeculativeJIT::compilePutAccessorByVal): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetRegExpObjectLastIndex): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileSetRegExpObjectLastIndex): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileRegExpExec): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileRegExpTest): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileStringReplace): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileRegExpExecNonGlobalOrSticky): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileRegExpMatchFastGlobal): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileRegExpMatchFast): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileLazyJSConstant): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileMaterializeNewObject): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileRecordRegExpCachedResult): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileDefineDataProperty): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileDefineAccessorProperty): Deleted.
+        (JSC::DFG::SpeculativeJIT::emitAllocateButterfly): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetMapBucketHead): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileLoadKeyFromMapBucket): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileLoadValueFromMapBucket): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileThrow): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileThrowStaticError): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileEnumeratorNextUpdateIndexAndMode): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileEnumeratorNextExtractIndex): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileEnumeratorNextExtractMode): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileEnumeratorNextUpdatePropertyName): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileEnumeratorInByVal): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileEnumeratorHasOwnProperty): Deleted.
+        (JSC::DFG::SpeculativeJIT::compilePutByIdFlush): Deleted.
+        (JSC::DFG::SpeculativeJIT::compilePutById): Deleted.
+        (JSC::DFG::SpeculativeJIT::compilePutByIdDirect): Deleted.
+        (JSC::DFG::SpeculativeJIT::compilePutByIdWithThis): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetByOffset): Deleted.
+        (JSC::DFG::SpeculativeJIT::compilePutByOffset): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileMatchStructure): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetPropertyEnumerator): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetExecutable): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetGetter): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetSetter): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetCallee): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileSetCallee): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileSetArgumentCountIncludingThis): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileStrCat): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNewTypedArray): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileToThis): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileObjectKeysOrObjectGetOwnPropertyNames): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileObjectAssign): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileObjectCreate): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCreateThis): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCreatePromise): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCreateInternalFieldObject): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCreateGenerator): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCreateAsyncGenerator): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNewObject): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNewInternalFieldObjectImpl): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNewGenerator): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNewAsyncGenerator): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileNewInternalFieldObject): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileToPrimitive): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileToPropertyKey): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileToNumeric): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileCallNumberConstructor): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileLogShadowChickenPrologue): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileLogShadowChickenTail): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileSetAdd): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileMapSet): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileWeakMapGet): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileWeakSetAdd): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileWeakMapSet): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileIdentity): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): Deleted.
+        (JSC::DFG::SpeculativeJIT::emitInitializeButterfly): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileExtractCatchLocal): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileClearCatchLocals): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileProfileType): Deleted.
+        (JSC::DFG::SpeculativeJIT::cachedPutById): Deleted.
+        (JSC::DFG::SpeculativeJIT::genericJSValueNonPeepholeCompare): Deleted.
+        (JSC::DFG::SpeculativeJIT::genericJSValuePeepholeBranch): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileHeapBigIntEquality): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileMakeRope): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal): Deleted.
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal): Deleted.
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::branchIfEmpty):
+        (JSC::AssemblyHelpers::branchIfNotEmpty):
+
 2021-11-09  Saam Barati  <sbar...@apple.com>
 
         When inlining NewSymbol in the DFG don't universally call ToString on the input

Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (285529 => 285530)


--- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2021-11-09 21:25:30 UTC (rev 285529)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2021-11-09 21:33:34 UTC (rev 285530)
@@ -820,24 +820,6 @@
     putByValInternal<false, false>(globalObject, vm, encodedBase, encodedProperty, encodedValue);
 }
 
-JSC_DEFINE_JIT_OPERATION(operationPutByValCellStrict, void, (JSGlobalObject* globalObject, JSCell* cell, EncodedJSValue encodedProperty, EncodedJSValue encodedValue))
-{
-    VM& vm = globalObject->vm();
-    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
-    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
-    
-    putByValInternal<true, false>(globalObject, vm, JSValue::encode(cell), encodedProperty, encodedValue);
-}
-
-JSC_DEFINE_JIT_OPERATION(operationPutByValCellNonStrict, void, (JSGlobalObject* globalObject, JSCell* cell, EncodedJSValue encodedProperty, EncodedJSValue encodedValue))
-{
-    VM& vm = globalObject->vm();
-    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
-    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
-    
-    putByValInternal<false, false>(globalObject, vm, JSValue::encode(cell), encodedProperty, encodedValue);
-}
-
 JSC_DEFINE_JIT_OPERATION(operationPutByValCellStringStrict, void, (JSGlobalObject* globalObject, JSCell* cell, JSCell* string, EncodedJSValue encodedValue))
 {
     VM& vm = globalObject->vm();
@@ -996,24 +978,6 @@
     putByValInternal<false, true>(globalObject, vm, encodedBase, encodedProperty, encodedValue);
 }
 
-JSC_DEFINE_JIT_OPERATION(operationPutByValDirectCellStrict, void, (JSGlobalObject* globalObject, JSCell* cell, EncodedJSValue encodedProperty, EncodedJSValue encodedValue))
-{
-    VM& vm = globalObject->vm();
-    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
-    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
-    
-    putByValInternal<true, true>(globalObject, vm, JSValue::encode(cell), encodedProperty, encodedValue);
-}
-
-JSC_DEFINE_JIT_OPERATION(operationPutByValDirectCellNonStrict, void, (JSGlobalObject* globalObject, JSCell* cell, EncodedJSValue encodedProperty, EncodedJSValue encodedValue))
-{
-    VM& vm = globalObject->vm();
-    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
-    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
-    
-    putByValInternal<false, true>(globalObject, vm, JSValue::encode(cell), encodedProperty, encodedValue);
-}
-
 JSC_DEFINE_JIT_OPERATION(operationPutByValDirectCellStringStrict, void, (JSGlobalObject* globalObject, JSCell* cell, JSCell* string, EncodedJSValue encodedValue))
 {
     VM& vm = globalObject->vm();

Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.h (285529 => 285530)


--- trunk/Source/_javascript_Core/dfg/DFGOperations.h	2021-11-09 21:25:30 UTC (rev 285529)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.h	2021-11-09 21:33:34 UTC (rev 285530)
@@ -145,8 +145,6 @@
 
 JSC_DECLARE_JIT_OPERATION(operationPutByValStrict, void, (JSGlobalObject*, EncodedJSValue encodedBase, EncodedJSValue encodedProperty, EncodedJSValue encodedValue));
 JSC_DECLARE_JIT_OPERATION(operationPutByValNonStrict, void, (JSGlobalObject*, EncodedJSValue encodedBase, EncodedJSValue encodedProperty, EncodedJSValue encodedValue));
-JSC_DECLARE_JIT_OPERATION(operationPutByValCellStrict, void, (JSGlobalObject*, JSCell*, EncodedJSValue encodedProperty, EncodedJSValue encodedValue));
-JSC_DECLARE_JIT_OPERATION(operationPutByValCellNonStrict, void, (JSGlobalObject*, JSCell*, EncodedJSValue encodedProperty, EncodedJSValue encodedValue));
 JSC_DECLARE_JIT_OPERATION(operationPutByValCellStringStrict, void, (JSGlobalObject*, JSCell*, JSCell* string, EncodedJSValue encodedValue));
 JSC_DECLARE_JIT_OPERATION(operationPutByValCellStringNonStrict, void, (JSGlobalObject*, JSCell*, JSCell* string, EncodedJSValue encodedValue));
 JSC_DECLARE_JIT_OPERATION(operationPutByValCellSymbolStrict, void, (JSGlobalObject*, JSCell*, JSCell* symbol, EncodedJSValue encodedValue));
@@ -155,8 +153,6 @@
 JSC_DECLARE_JIT_OPERATION(operationPutByValBeyondArrayBoundsNonStrict, void, (JSGlobalObject*, JSObject*, int32_t index, EncodedJSValue encodedValue));
 JSC_DECLARE_JIT_OPERATION(operationPutByValDirectStrict, void, (JSGlobalObject*, EncodedJSValue encodedBase, EncodedJSValue encodedProperty, EncodedJSValue encodedValue));
 JSC_DECLARE_JIT_OPERATION(operationPutByValDirectNonStrict, void, (JSGlobalObject*, EncodedJSValue encodedBase, EncodedJSValue encodedProperty, EncodedJSValue encodedValue));
-JSC_DECLARE_JIT_OPERATION(operationPutByValDirectCellStrict, void, (JSGlobalObject*, JSCell*, EncodedJSValue encodedProperty, EncodedJSValue encodedValue));
-JSC_DECLARE_JIT_OPERATION(operationPutByValDirectCellNonStrict, void, (JSGlobalObject*, JSCell*, EncodedJSValue encodedProperty, EncodedJSValue encodedValue));
 JSC_DECLARE_JIT_OPERATION(operationPutByValDirectCellStringStrict, void, (JSGlobalObject*, JSCell*, JSCell* string, EncodedJSValue encodedValue));
 JSC_DECLARE_JIT_OPERATION(operationPutByValDirectCellStringNonStrict, void, (JSGlobalObject*, JSCell*, JSCell* string, EncodedJSValue encodedValue));
 JSC_DECLARE_JIT_OPERATION(operationPutByValDirectCellSymbolStrict, void, (JSGlobalObject*, JSCell*, JSCell* symbol, EncodedJSValue encodedValue));

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (285529 => 285530)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-11-09 21:25:30 UTC (rev 285529)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-11-09 21:33:34 UTC (rev 285530)
@@ -2481,28 +2481,93 @@
     noResult(node);
 }
 
-void SpeculativeJIT::compileDoublePutByVal(Node* node, SpeculateCellOperand& base, SpeculateStrictInt32Operand& property)
+void SpeculativeJIT::compileContiguousPutByVal(Node* node)
 {
-    Edge child3 = m_jit.graph().varArgChild(node, 2);
-    Edge child4 = m_jit.graph().varArgChild(node, 3);
+    SpeculateCellOperand base(this, m_jit.graph().varArgChild(node, 0));
+    SpeculateStrictInt32Operand property(this, m_jit.graph().varArgChild(node, 1));
+    JSValueOperand value(this, m_jit.graph().varArgChild(node, 2), ManualOperandSpeculation);
 
+    GPRReg baseReg = base.gpr();
+    GPRReg propertyReg = property.gpr();
+    JSValueRegs valueRegs = value.jsValueRegs();
+
+    if (!m_compileOkay)
+        return;
+
+    StorageOperand storage(this, m_jit.graph().varArgChild(node, 3));
+    GPRReg storageReg = storage.gpr();
+
+    if (node->op() == PutByValAlias) {
+        // Store the value to the array.
+        GPRReg propertyReg = property.gpr();
+        m_jit.storeValue(valueRegs, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight));
+        noResult(node);
+        return;
+    }
+
+    GPRTemporary temporary;
+    GPRReg temporaryReg = temporaryRegisterForPutByVal(temporary, node);
+
+    MacroAssembler::Jump slowCase;
+
     ArrayMode arrayMode = node->arrayMode();
-    
+    if (arrayMode.isInBounds()) {
+        speculationCheck(
+            OutOfBounds, JSValueRegs(), nullptr,
+            m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength())));
+    } else {
+        MacroAssembler::Jump inBounds = m_jit.branch32(MacroAssembler::Below, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength()));
+
+        slowCase = m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfVectorLength()));
+
+        if (!arrayMode.isOutOfBounds())
+            speculationCheck(OutOfBounds, JSValueRegs(), nullptr, slowCase);
+
+        m_jit.add32(TrustedImm32(1), propertyReg, temporaryReg);
+        m_jit.store32(temporaryReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength()));
+
+        inBounds.link(&m_jit);
+    }
+
+    m_jit.storeValue(valueRegs, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight));
+
+    base.use();
+    property.use();
+    value.use();
+    storage.use();
+
+    if (arrayMode.isOutOfBounds()) {
+        addSlowPathGenerator(slowPathCall(
+            slowCase, this,
+            node->ecmaMode().isStrict() ?
+                (node->op() == PutByValDirect ? operationPutByValDirectBeyondArrayBoundsStrict : operationPutByValBeyondArrayBoundsStrict) :
+                (node->op() == PutByValDirect ? operationPutByValDirectBeyondArrayBoundsNonStrict : operationPutByValBeyondArrayBoundsNonStrict),
+            NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseReg, propertyReg, valueRegs));
+    }
+
+    noResult(node, UseChildrenCalledExplicitly);
+}
+
+void SpeculativeJIT::compileDoublePutByVal(Node* node)
+{
+    ArrayMode arrayMode = node->arrayMode();
+
+    SpeculateCellOperand base(this, m_jit.graph().varArgChild(node, 0));
+    SpeculateStrictInt32Operand property(this, m_jit.graph().varArgChild(node, 1));
+    SpeculateDoubleOperand value(this, m_jit.graph().varArgChild(node, 2));
+
     GPRReg baseReg = base.gpr();
     GPRReg propertyReg = property.gpr();
-    
-    SpeculateDoubleOperand value(this, child3);
+    FPRReg valueReg = value.fpr();
 
-    FPRReg valueReg = value.fpr();
-    
     DFG_TYPE_CHECK(
-        JSValueRegs(), child3, SpecFullRealNumber,
+        JSValueRegs(), m_jit.graph().varArgChild(node, 2), SpecFullRealNumber,
         m_jit.branchIfNaN(valueReg));
-    
+
     if (!m_compileOkay)
         return;
-    
-    StorageOperand storage(this, child4);
+
+    StorageOperand storage(this, m_jit.graph().varArgChild(node, 3));
     GPRReg storageReg = storage.gpr();
 
     if (node->op() == PutByValAlias) {
@@ -2510,16 +2575,16 @@
         GPRReg propertyReg = property.gpr();
         FPRReg valueReg = value.fpr();
         m_jit.storeDouble(valueReg, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight));
-        
+
         noResult(m_currentNode);
         return;
     }
-    
+
     GPRTemporary temporary;
     GPRReg temporaryReg = temporaryRegisterForPutByVal(temporary, node);
 
     MacroAssembler::Jump slowCase;
-    
+
     if (arrayMode.isInBounds()) {
         speculationCheck(
             OutOfBounds, JSValueRegs(), nullptr,
@@ -2526,18 +2591,18 @@
             m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength())));
     } else {
         MacroAssembler::Jump inBounds = m_jit.branch32(MacroAssembler::Below, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength()));
-        
+
         slowCase = m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfVectorLength()));
-        
+
         if (!arrayMode.isOutOfBounds())
             speculationCheck(OutOfBounds, JSValueRegs(), nullptr, slowCase);
-        
+
         m_jit.add32(TrustedImm32(1), propertyReg, temporaryReg);
         m_jit.store32(temporaryReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength()));
 
         inBounds.link(&m_jit);
     }
-    
+
     m_jit.storeDouble(valueReg, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight));
 
     base.use();
@@ -2544,14 +2609,14 @@
     property.use();
     value.use();
     storage.use();
-    
+
     if (arrayMode.isOutOfBounds()) {
         addSlowPathGenerator(
             slowPathCall(
                 slowCase, this,
-                node->ecmaMode().isStrict()
-                    ? (node->op() == PutByValDirect ? operationPutDoubleByValDirectBeyondArrayBoundsStrict : operationPutDoubleByValBeyondArrayBoundsStrict)
-                    : (node->op() == PutByValDirect ? operationPutDoubleByValDirectBeyondArrayBoundsNonStrict : operationPutDoubleByValBeyondArrayBoundsNonStrict),
+                node->ecmaMode().isStrict() ?
+                    (node->op() == PutByValDirect ? operationPutDoubleByValDirectBeyondArrayBoundsStrict : operationPutDoubleByValBeyondArrayBoundsStrict) :
+                    (node->op() == PutByValDirect ? operationPutDoubleByValDirectBeyondArrayBoundsNonStrict : operationPutDoubleByValBeyondArrayBoundsNonStrict),
                 NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseReg, propertyReg, valueReg));
     }
 
@@ -2558,6 +2623,226 @@
     noResult(m_currentNode, UseChildrenCalledExplicitly);
 }
 
+void SpeculativeJIT::compilePutByVal(Node* node)
+{
+    ArrayMode arrayMode = node->arrayMode().modeForPut();
+    switch (arrayMode.type()) {
+    case Array::AnyTypedArray:
+    case Array::ForceExit:
+    case Array::SelectUsingArguments:
+    case Array::SelectUsingPredictions:
+    case Array::Unprofiled:
+    case Array::String:
+    case Array::DirectArguments:
+    case Array::ScopedArguments:
+    case Array::Undecided:
+#if USE(JSVALUE32_64)
+    case Array::BigInt64Array:
+    case Array::BigUint64Array:
+#endif
+        DFG_CRASH(m_jit.graph(), node, "Bad array mode type");
+        break;
+#if USE(JSVALUE64)
+    case Array::BigInt64Array:
+    case Array::BigUint64Array:
+#endif
+    case Array::Generic: {
+        DFG_ASSERT(m_jit.graph(), node, node->op() == PutByVal || node->op() == PutByValDirect, node->op());
+        if (m_graph.m_slowPutByVal.contains(node)) {
+            if (m_jit.graph().varArgChild(node, 0).useKind() == CellUse) {
+                if (m_jit.graph().varArgChild(node, 1).useKind() == StringUse) {
+                    compilePutByValForCellWithString(node);
+                    break;
+                }
+
+                if (m_jit.graph().varArgChild(node, 1).useKind() == SymbolUse) {
+                    compilePutByValForCellWithSymbol(node);
+                    break;
+                }
+            }
+
+            JSValueOperand base(this, m_jit.graph().varArgChild(node, 0));
+            JSValueOperand property(this, m_jit.graph().varArgChild(node, 1));
+            JSValueOperand value(this, m_jit.graph().varArgChild(node, 2));
+            JSValueRegs baseRegs = base.jsValueRegs();
+            JSValueRegs propertyRegs = property.jsValueRegs();
+            JSValueRegs valueRegs = value.jsValueRegs();
+
+            flushRegisters();
+            if (node->op() == PutByValDirect)
+                callOperation(node->ecmaMode().isStrict() ? operationPutByValDirectStrict : operationPutByValDirectNonStrict, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseRegs, propertyRegs, valueRegs);
+            else
+                callOperation(node->ecmaMode().isStrict() ? operationPutByValStrict : operationPutByValNonStrict, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseRegs, propertyRegs, valueRegs);
+            m_jit.exceptionCheck();
+
+            noResult(node);
+            break;
+        }
+
+        JSValueOperand base(this, m_jit.graph().varArgChild(node, 0), ManualOperandSpeculation);
+        JSValueOperand property(this, m_jit.graph().varArgChild(node, 1), ManualOperandSpeculation);
+        JSValueOperand value(this, m_jit.graph().varArgChild(node, 2), ManualOperandSpeculation);
+        JSValueRegs baseRegs = base.jsValueRegs();
+        JSValueRegs propertyRegs = property.jsValueRegs();
+        JSValueRegs valueRegs = value.jsValueRegs();
+
+        GPRReg stubInfoGPR = InvalidGPRReg;
+        GPRTemporary stubInfo;
+        if (JITCode::useDataIC(JITType::DFGJIT)) {
+            stubInfo = GPRTemporary(this);
+            stubInfoGPR = stubInfo.gpr();
+        }
+
+        speculate(node, m_jit.graph().varArgChild(node, 0));
+        speculate(node, m_jit.graph().varArgChild(node, 1));
+        speculate(node, m_jit.graph().varArgChild(node, 2));
+
+        CodeOrigin codeOrigin = node->origin.semantic;
+        CallSiteIndex callSite = m_jit.recordCallSiteAndGenerateExceptionHandlingOSRExitIfNeeded(codeOrigin, m_stream->size());
+        RegisterSet usedRegisters = this->usedRegisters();
+        bool isDirect = node->op() == PutByValDirect;
+        ECMAMode ecmaMode = node->ecmaMode();
+
+        JITPutByValGenerator gen(
+            m_jit.codeBlock(), &m_jit.jitCode()->common.m_stubInfos, JITType::DFGJIT, codeOrigin, callSite, AccessType::PutByVal, usedRegisters,
+            baseRegs, propertyRegs, valueRegs, InvalidGPRReg, stubInfoGPR);
+
+        if (m_state.forNode(m_jit.graph().varArgChild(node, 1)).isType(SpecString))
+            gen.stubInfo()->propertyIsString = true;
+        else if (m_state.forNode(m_jit.graph().varArgChild(node, 1)).isType(SpecInt32Only))
+            gen.stubInfo()->propertyIsInt32 = true;
+        else if (m_state.forNode(m_jit.graph().varArgChild(node, 1)).isType(SpecSymbol))
+            gen.stubInfo()->propertyIsSymbol = true;
+
+        gen.generateFastPath(m_jit);
+
+        JITCompiler::JumpList slowCases;
+        if (!JITCode::useDataIC(JITType::DFGJIT))
+            slowCases.append(gen.slowPathJump());
+
+        std::unique_ptr<SlowPathGenerator> slowPath;
+        auto operation = isDirect ? (ecmaMode.isStrict() ? operationDirectPutByValStrictOptimize : operationDirectPutByValNonStrictOptimize) : (ecmaMode.isStrict() ? operationPutByValStrictOptimize : operationPutByValNonStrictOptimize);
+        if (JITCode::useDataIC(JITType::DFGJIT)) {
+            slowPath = slowPathICCall(
+                slowCases, this, gen.stubInfo(), stubInfoGPR, CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfSlowOperation()), operation,
+                NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(codeOrigin)), baseRegs, propertyRegs, valueRegs, stubInfoGPR, nullptr);
+        } else {
+            slowPath = slowPathCall(
+                slowCases, this, operation,
+                NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(codeOrigin)), baseRegs, propertyRegs, valueRegs, gen.stubInfo(), nullptr);
+        }
+
+        m_jit.addPutByVal(gen, slowPath.get());
+        addSlowPathGenerator(WTFMove(slowPath));
+
+        noResult(node);
+        break;
+    }
+    case Array::Int32: {
+        speculateInt32(m_jit.graph().varArgChild(node, 2));
+        FALLTHROUGH;
+    }
+    case Array::Contiguous: {
+        compileContiguousPutByVal(node);
+        break;
+    }
+    case Array::Double: {
+        compileDoublePutByVal(node);
+        break;
+    }
+    case Array::ArrayStorage:
+    case Array::SlowPutArrayStorage: {
+        SpeculateCellOperand base(this, m_jit.graph().varArgChild(node, 0));
+        SpeculateStrictInt32Operand property(this, m_jit.graph().varArgChild(node, 1));
+        JSValueOperand value(this, m_jit.graph().varArgChild(node, 2));
+        StorageOperand storage(this, m_jit.graph().varArgChild(node, 3));
+
+        GPRReg baseReg = base.gpr();
+        GPRReg propertyReg = property.gpr();
+        JSValueRegs valueRegs = value.jsValueRegs();
+        GPRReg storageReg = storage.gpr();
+
+        if (node->op() == PutByValAlias) {
+            // Store the value to the array.
+            GPRReg propertyReg = property.gpr();
+            m_jit.storeValue(valueRegs, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, ArrayStorage::vectorOffset()));
+            noResult(node);
+            break;
+        }
+
+        GPRTemporary temporary;
+        GPRReg temporaryReg = temporaryRegisterForPutByVal(temporary, node);
+
+        MacroAssembler::JumpList slowCases;
+
+        MacroAssembler::Jump beyondArrayBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, ArrayStorage::vectorLengthOffset()));
+        if (!arrayMode.isOutOfBounds())
+            speculationCheck(OutOfBounds, JSValueRegs(), nullptr, beyondArrayBounds);
+        else
+            slowCases.append(beyondArrayBounds);
+
+        // Check if we're writing to a hole; if so increment m_numValuesInVector.
+        if (arrayMode.isInBounds()) {
+            speculationCheck(
+                StoreToHole, JSValueRegs(), nullptr,
+                m_jit.branchIfEmpty(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, ArrayStorage::vectorOffset())));
+        } else {
+            MacroAssembler::Jump notHoleValue = m_jit.branchIfNotEmpty(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, ArrayStorage::vectorOffset()));
+            if (arrayMode.isSlowPut()) {
+                // This is sort of strange. If we wanted to optimize this code path, we would invert
+                // the above branch. But it's simply not worth it since this only happens if we're
+                // already having a bad time.
+                slowCases.append(m_jit.jump());
+            } else {
+                m_jit.add32(TrustedImm32(1), MacroAssembler::Address(storageReg, ArrayStorage::numValuesInVectorOffset()));
+
+                // If we're writing to a hole we might be growing the array;
+                MacroAssembler::Jump lengthDoesNotNeedUpdate = m_jit.branch32(MacroAssembler::Below, propertyReg, MacroAssembler::Address(storageReg, ArrayStorage::lengthOffset()));
+                m_jit.add32(TrustedImm32(1), propertyReg, temporaryReg);
+                m_jit.store32(temporaryReg, MacroAssembler::Address(storageReg, ArrayStorage::lengthOffset()));
+
+                lengthDoesNotNeedUpdate.link(&m_jit);
+            }
+            notHoleValue.link(&m_jit);
+        }
+
+        // Store the value to the array.
+        m_jit.storeValue(valueRegs, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, ArrayStorage::vectorOffset()));
+
+        base.use();
+        property.use();
+        value.use();
+        storage.use();
+
+        if (!slowCases.empty()) {
+            addSlowPathGenerator(slowPathCall(
+                slowCases, this,
+                node->ecmaMode().isStrict() ?
+                    (node->op() == PutByValDirect ? operationPutByValDirectBeyondArrayBoundsStrict : operationPutByValBeyondArrayBoundsStrict) :
+                    (node->op() == PutByValDirect ? operationPutByValDirectBeyondArrayBoundsNonStrict : operationPutByValBeyondArrayBoundsNonStrict),
+                NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseReg, propertyReg, valueRegs));
+        }
+
+        noResult(node, UseChildrenCalledExplicitly);
+        break;
+    }
+    case Array::Int8Array:
+    case Array::Int16Array:
+    case Array::Int32Array:
+    case Array::Uint8Array:
+    case Array::Uint8ClampedArray:
+    case Array::Uint16Array:
+    case Array::Uint32Array:
+    case Array::Float32Array:
+    case Array::Float64Array: {
+        TypedArrayType type = arrayMode.typedArrayType();
+        if (isInt(type))
+            compilePutByValForIntTypedArray(node, type);
+        else
+            compilePutByValForFloatTypedArray(node, type);
+    } }
+}
+
 void SpeculativeJIT::compileGetCharCodeAt(Node* node)
 {
     SpeculateCellOperand string(this, node->child1());
@@ -3567,16 +3852,19 @@
     return result;
 }
 
-void SpeculativeJIT::compilePutByValForIntTypedArray(GPRReg base, GPRReg property, Node* node, TypedArrayType type)
+void SpeculativeJIT::compilePutByValForIntTypedArray(Node* node, TypedArrayType type)
 {
     ASSERT(isInt(type));
-    
+
+    SpeculateCellOperand base(this, m_jit.graph().varArgChild(node, 0));
+    SpeculateStrictInt32Operand property(this, m_jit.graph().varArgChild(node, 1));
     StorageOperand storage(this, m_jit.graph().varArgChild(node, 3));
+
     GPRTemporary scratch(this);
     GPRReg storageReg = storage.gpr();
-    
-    Edge valueUse = m_jit.graph().varArgChild(node, 2);
-    
+    GPRReg baseReg = base.gpr();
+    GPRReg propertyReg = property.gpr();
+
     GPRTemporary value;
 #if USE(JSVALUE32_64)
     GPRTemporary propertyTag;
@@ -3584,13 +3872,13 @@
 #endif
 
     JITCompiler::JumpList slowPathCases;
-    
+
     bool result = getIntTypedArrayStoreOperand(
-        value, property,
+        value, propertyReg,
 #if USE(JSVALUE32_64)
         propertyTag, valueTag,
 #endif
-        valueUse, slowPathCases, isClamped(type));
+        m_jit.graph().varArgChild(node, 2), slowPathCases, isClamped(type));
     if (!result) {
         noResult(node);
         return;
@@ -3602,57 +3890,42 @@
     GPRReg valueTagGPR = valueTag.gpr();
 #endif
 
-    ASSERT_UNUSED(valueGPR, valueGPR != property);
-    ASSERT(valueGPR != base);
+    ASSERT_UNUSED(valueGPR, valueGPR != propertyReg);
+    ASSERT(valueGPR != baseReg);
     ASSERT(valueGPR != storageReg);
-    JITCompiler::Jump outOfBounds = jumpForTypedArrayOutOfBounds(node, base, property, scratch.gpr());
+    JITCompiler::Jump outOfBounds = jumpForTypedArrayOutOfBounds(node, baseReg, propertyReg, scratch.gpr());
 
     switch (elementSize(type)) {
     case 1:
-        m_jit.store8(value.gpr(), MacroAssembler::BaseIndex(storageReg, property, MacroAssembler::TimesOne));
+        m_jit.store8(value.gpr(), MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesOne));
         break;
     case 2:
-        m_jit.store16(value.gpr(), MacroAssembler::BaseIndex(storageReg, property, MacroAssembler::TimesTwo));
+        m_jit.store16(value.gpr(), MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesTwo));
         break;
     case 4:
-        m_jit.store32(value.gpr(), MacroAssembler::BaseIndex(storageReg, property, MacroAssembler::TimesFour));
+        m_jit.store32(value.gpr(), MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesFour));
         break;
     default:
         CRASH();
     }
 
-    JITCompiler::Jump done = jumpForTypedArrayIsDetachedIfOutOfBounds(node, base, outOfBounds);
+    JITCompiler::Jump done = jumpForTypedArrayIsDetachedIfOutOfBounds(node, baseReg, outOfBounds);
     if (done.isSet())
         done.link(&m_jit);
 
     if (!slowPathCases.empty()) {
+        addSlowPathGenerator(slowPathCall(
+            slowPathCases, this,
+            node->ecmaMode().isStrict() ?
+                (node->op() == PutByValDirect ? operationPutByValDirectStrict : operationPutByValStrict) :
+                (node->op() == PutByValDirect ? operationPutByValDirectNonStrict : operationPutByValNonStrict),
 #if USE(JSVALUE64)
-        if (node->op() == PutByValDirect) {
-            addSlowPathGenerator(slowPathCall(
-                slowPathCases, this,
-                node->ecmaMode().isStrict() ? operationPutByValDirectStrict : operationPutByValDirectNonStrict,
-                NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), base, property, valueGPR));
-        } else {
-            addSlowPathGenerator(slowPathCall(
-                slowPathCases, this,
-                node->ecmaMode().isStrict() ? operationPutByValStrict : operationPutByValNonStrict,
-                NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), base, property, valueGPR));
-        }
+            NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseReg, propertyReg, valueGPR));
 #else // not USE(JSVALUE64)
-        if (node->op() == PutByValDirect) {
-            addSlowPathGenerator(slowPathCall(
-                slowPathCases, this,
-                node->ecmaMode().isStrict() ? operationPutByValDirectCellStrict : operationPutByValDirectCellNonStrict,
-                NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), base, JSValueRegs(propertyTagGPR, property), JSValueRegs(valueTagGPR, valueGPR)));
-        } else {
-            addSlowPathGenerator(slowPathCall(
-                slowPathCases, this,
-                node->ecmaMode().isStrict() ? operationPutByValCellStrict : operationPutByValCellNonStrict,
-                NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), base, JSValueRegs(propertyTagGPR, property), JSValueRegs(valueTagGPR, valueGPR)));
-        }
+            NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), CCallHelpers::CellValue(baseReg), JSValueRegs(propertyTagGPR, propertyReg), JSValueRegs(valueTagGPR, valueGPR)));
 #endif
     }
-    
+
     noResult(node);
 }
 
@@ -3699,39 +3972,40 @@
     }
 }
 
-void SpeculativeJIT::compilePutByValForFloatTypedArray(GPRReg base, GPRReg property, Node* node, TypedArrayType type)
+void SpeculativeJIT::compilePutByValForFloatTypedArray(Node* node, TypedArrayType type)
 {
     ASSERT(isFloat(type));
-    
+
+    SpeculateCellOperand base(this, m_jit.graph().varArgChild(node, 0));
+    SpeculateStrictInt32Operand property(this, m_jit.graph().varArgChild(node, 1));
+    SpeculateDoubleOperand valueOp(this, m_jit.graph().varArgChild(node, 2));
     StorageOperand storage(this, m_jit.graph().varArgChild(node, 3));
-    GPRReg storageReg = storage.gpr();
-    
-    Edge valueUse = m_jit.graph().varArgChild(node, 2);
 
-    SpeculateDoubleOperand valueOp(this, valueUse);
     FPRTemporary scratch(this);
     GPRTemporary gpScratch(this);
     FPRReg valueFPR = valueOp.fpr();
     FPRReg scratchFPR = scratch.fpr();
+    GPRReg baseReg = base.gpr();
+    GPRReg propertyReg = property.gpr();
     GPRReg scratchGPR = gpScratch.gpr();
+    GPRReg storageReg = storage.gpr();
 
-    MacroAssembler::Jump outOfBounds = jumpForTypedArrayOutOfBounds(node, base, property, scratchGPR);
-    
+    MacroAssembler::Jump outOfBounds = jumpForTypedArrayOutOfBounds(node, baseReg, propertyReg, scratchGPR);
     switch (elementSize(type)) {
     case 4: {
         m_jit.moveDouble(valueFPR, scratchFPR);
         m_jit.convertDoubleToFloat(valueFPR, scratchFPR);
-        m_jit.storeFloat(scratchFPR, MacroAssembler::BaseIndex(storageReg, property, MacroAssembler::TimesFour));
+        m_jit.storeFloat(scratchFPR, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesFour));
         break;
     }
     case 8:
-        m_jit.storeDouble(valueFPR, MacroAssembler::BaseIndex(storageReg, property, MacroAssembler::TimesEight));
+        m_jit.storeDouble(valueFPR, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight));
         break;
     default:
         RELEASE_ASSERT_NOT_REACHED();
     }
 
-    JITCompiler::Jump done = jumpForTypedArrayIsDetachedIfOutOfBounds(node, base, outOfBounds);
+    JITCompiler::Jump done = jumpForTypedArrayIsDetachedIfOutOfBounds(node, baseReg, outOfBounds);
     if (done.isSet())
         done.link(&m_jit);
     noResult(node);
@@ -3919,23 +4193,23 @@
     }
 }
 
-void SpeculativeJIT::compilePutByValForCellWithString(Node* node, Edge& child1, Edge& child2, Edge& child3)
+void SpeculativeJIT::compilePutByValForCellWithString(Node* node)
 {
-    SpeculateCellOperand arg1(this, child1);
-    SpeculateCellOperand arg2(this, child2);
-    JSValueOperand arg3(this, child3);
+    SpeculateCellOperand arg1(this, m_jit.graph().varArgChild(node, 0));
+    SpeculateCellOperand arg2(this, m_jit.graph().varArgChild(node, 1));
+    JSValueOperand arg3(this, m_jit.graph().varArgChild(node, 2));
 
     GPRReg arg1GPR = arg1.gpr();
     GPRReg arg2GPR = arg2.gpr();
     JSValueRegs arg3Regs = arg3.jsValueRegs();
 
-    speculateString(child2, arg2GPR);
+    speculateString(m_jit.graph().varArgChild(node, 1), arg2GPR);
 
     flushRegisters();
     callOperation(
-        node->ecmaMode().isStrict()
-            ? (node->op() == PutByValDirect ? operationPutByValDirectCellStringStrict : operationPutByValCellStringStrict)
-            : (node->op() == PutByValDirect ? operationPutByValDirectCellStringNonStrict : operationPutByValCellStringNonStrict),
+        node->ecmaMode().isStrict() ?
+            (node->op() == PutByValDirect ? operationPutByValDirectCellStringStrict : operationPutByValCellStringStrict) :
+            (node->op() == PutByValDirect ? operationPutByValDirectCellStringNonStrict : operationPutByValCellStringNonStrict),
         TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), arg1GPR, arg2GPR, arg3Regs);
     m_jit.exceptionCheck();
 
@@ -3942,17 +4216,17 @@
     noResult(node);
 }
 
-void SpeculativeJIT::compilePutByValForCellWithSymbol(Node* node, Edge& child1, Edge& child2, Edge& child3)
+void SpeculativeJIT::compilePutByValForCellWithSymbol(Node* node)
 {
-    SpeculateCellOperand arg1(this, child1);
-    SpeculateCellOperand arg2(this, child2);
-    JSValueOperand arg3(this, child3);
+    SpeculateCellOperand arg1(this, m_jit.graph().varArgChild(node, 0));
+    SpeculateCellOperand arg2(this, m_jit.graph().varArgChild(node, 1));
+    JSValueOperand arg3(this, m_jit.graph().varArgChild(node, 2));
 
     GPRReg arg1GPR = arg1.gpr();
     GPRReg arg2GPR = arg2.gpr();
     JSValueRegs arg3Regs = arg3.jsValueRegs();
 
-    speculateSymbol(child2, arg2GPR);
+    speculateSymbol(m_jit.graph().varArgChild(node, 1), arg2GPR);
 
     flushRegisters();
     callOperation(

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (285529 => 285530)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h	2021-11-09 21:25:30 UTC (rev 285529)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h	2021-11-09 21:33:34 UTC (rev 285530)
@@ -1342,11 +1342,8 @@
     void compileGetPrototypeOf(Node*);
     void compileIdentity(Node*);
     
-#if USE(JSVALUE32_64)
-    template<typename BaseOperandType, typename PropertyOperandType, typename ValueOperandType, typename TagType>
-    void compileContiguousPutByVal(Node*, BaseOperandType&, PropertyOperandType&, ValueOperandType&, GPRReg valuePayloadReg, TagType valueTag);
-#endif
-    void compileDoublePutByVal(Node*, SpeculateCellOperand& base, SpeculateStrictInt32Operand& property);
+    void compileContiguousPutByVal(Node*);
+    void compileDoublePutByVal(Node*);
     bool putByValWillNeedExtraRegister(ArrayMode arrayMode)
     {
         return arrayMode.mayStoreToHole();
@@ -1357,6 +1354,8 @@
         return temporaryRegisterForPutByVal(temporary, node->arrayMode());
     }
     
+    void compilePutByVal(Node*);
+
     // We use a scopedLambda to placate register allocation validation.
     enum class CanUseFlush { Yes, No };
     void compileGetByVal(Node*, const ScopedLambda<std::tuple<JSValueRegs, DataFormat, CanUseFlush>(DataFormat preferredFormat)>& prefix);
@@ -1447,13 +1446,13 @@
     void compileGetTypedArrayByteOffsetAsInt52(Node*);
 #endif
     void compileGetByValOnIntTypedArray(Node*, TypedArrayType, const ScopedLambda<std::tuple<JSValueRegs, DataFormat, CanUseFlush>(DataFormat preferredFormat)>& prefix);
-    void compilePutByValForIntTypedArray(GPRReg base, GPRReg property, Node*, TypedArrayType);
+    void compilePutByValForIntTypedArray(Node*, TypedArrayType);
     void compileGetByValOnFloatTypedArray(Node*, TypedArrayType, const ScopedLambda<std::tuple<JSValueRegs, DataFormat, CanUseFlush>(DataFormat preferredFormat)>& prefix);
-    void compilePutByValForFloatTypedArray(GPRReg base, GPRReg property, Node*, TypedArrayType);
+    void compilePutByValForFloatTypedArray(Node*, TypedArrayType);
     void compileGetByValForObjectWithString(Node*, const ScopedLambda<std::tuple<JSValueRegs, DataFormat, CanUseFlush>(DataFormat preferredFormat)>& prefix);
     void compileGetByValForObjectWithSymbol(Node*, const ScopedLambda<std::tuple<JSValueRegs, DataFormat, CanUseFlush>(DataFormat preferredFormat)>& prefix);
-    void compilePutByValForCellWithString(Node*, Edge& child1, Edge& child2, Edge& child3);
-    void compilePutByValForCellWithSymbol(Node*, Edge& child1, Edge& child2, Edge& child3);
+    void compilePutByValForCellWithString(Node*);
+    void compilePutByValForCellWithSymbol(Node*);
     void compileGetByValWithThis(Node*);
     void compilePutPrivateName(Node*);
     void compilePutPrivateNameById(Node*);

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (285529 => 285530)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2021-11-09 21:25:30 UTC (rev 285529)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2021-11-09 21:33:34 UTC (rev 285530)
@@ -1746,75 +1746,6 @@
     }
 }
 
-template<typename BaseOperandType, typename PropertyOperandType, typename ValueOperandType, typename TagType>
-void SpeculativeJIT::compileContiguousPutByVal(Node* node, BaseOperandType& base, PropertyOperandType& property, ValueOperandType& value, GPRReg valuePayloadReg, TagType valueTag)
-{
-    Edge child4 = m_jit.graph().varArgChild(node, 3);
-
-    ArrayMode arrayMode = node->arrayMode();
-    
-    GPRReg baseReg = base.gpr();
-    GPRReg propertyReg = property.gpr();
-    
-    StorageOperand storage(this, child4);
-    GPRReg storageReg = storage.gpr();
-
-    if (node->op() == PutByValAlias) {
-        // Store the value to the array.
-        GPRReg propertyReg = property.gpr();
-        m_jit.store32(valueTag, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
-        m_jit.store32(valuePayloadReg, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload)));
-        
-        noResult(node);
-        return;
-    }
-    
-    MacroAssembler::Jump slowCase;
-
-    if (arrayMode.isInBounds()) {
-        speculationCheck(
-            OutOfBounds, JSValueRegs(), 0,
-            m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength())));
-    } else {
-        MacroAssembler::Jump inBounds = m_jit.branch32(MacroAssembler::Below, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength()));
-        
-        slowCase = m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfVectorLength()));
-        
-        if (!arrayMode.isOutOfBounds())
-            speculationCheck(OutOfBounds, JSValueRegs(), 0, slowCase);
-        
-        m_jit.add32(TrustedImm32(1), propertyReg);
-        m_jit.store32(propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength()));
-        m_jit.sub32(TrustedImm32(1), propertyReg);
-        
-        inBounds.link(&m_jit);
-    }
-    
-    m_jit.store32(valueTag, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
-    m_jit.store32(valuePayloadReg, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload)));
-    
-    base.use();
-    property.use();
-    value.use();
-    storage.use();
-    
-    if (arrayMode.isOutOfBounds()) {
-        if (node->op() == PutByValDirect) {
-            addSlowPathGenerator(slowPathCall(
-                slowCase, this,
-                node->ecmaMode().isStrict() ? operationPutByValDirectBeyondArrayBoundsStrict : operationPutByValDirectBeyondArrayBoundsNonStrict,
-                NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseReg, propertyReg, JSValueRegs(valueTag, valuePayloadReg)));
-        } else {
-            addSlowPathGenerator(slowPathCall(
-                slowCase, this,
-                node->ecmaMode().isStrict() ? operationPutByValBeyondArrayBoundsStrict : operationPutByValBeyondArrayBoundsNonStrict,
-                NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseReg, propertyReg, JSValueRegs(valueTag, valuePayloadReg)));
-        }
-    }
-
-    noResult(node, UseChildrenCalledExplicitly);    
-}
-
 void SpeculativeJIT::compileGetByVal(Node* node, const ScopedLambda<std::tuple<JSValueRegs, DataFormat, CanUseFlush>(DataFormat preferredFormat)>& prefix)
 {
     switch (node->arrayMode().type()) {
@@ -2712,230 +2643,7 @@
     case PutByValDirect:
     case PutByVal:
     case PutByValAlias: {
-        Edge child1 = m_jit.graph().varArgChild(node, 0);
-        Edge child2 = m_jit.graph().varArgChild(node, 1);
-        Edge child3 = m_jit.graph().varArgChild(node, 2);
-        Edge child4 = m_jit.graph().varArgChild(node, 3);
-        
-        ArrayMode arrayMode = node->arrayMode().modeForPut();
-        bool alreadyHandled = false;
-        
-        switch (arrayMode.type()) {
-        case Array::SelectUsingPredictions:
-        case Array::ForceExit:
-            RELEASE_ASSERT_NOT_REACHED();
-#if COMPILER_QUIRK(CONSIDERS_UNREACHABLE_CODE)
-            terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), 0);
-            alreadyHandled = true;
-#endif
-            break;
-        case Array::Generic: {
-            ASSERT(node->op() == PutByVal || node->op() == PutByValDirect);
-            if (m_graph.m_slowPutByVal.contains(node)) {
-                if (child1.useKind() == CellUse) {
-                    if (child2.useKind() == StringUse) {
-                        compilePutByValForCellWithString(node, child1, child2, child3);
-                        alreadyHandled = true;
-                        break;
-                    }
-
-                    if (child2.useKind() == SymbolUse) {
-                        compilePutByValForCellWithSymbol(node, child1, child2, child3);
-                        alreadyHandled = true;
-                        break;
-                    }
-                }
-
-                JSValueOperand base(this, child1);
-                JSValueOperand property(this, child2);
-                JSValueOperand value(this, child3);
-                JSValueRegs baseRegs = base.jsValueRegs();
-                JSValueRegs propertyRegs = property.jsValueRegs();
-                JSValueRegs valueRegs = value.jsValueRegs();
-
-                flushRegisters();
-                if (node->op() == PutByValDirect)
-                    callOperation(node->ecmaMode().isStrict() ? operationPutByValDirectStrict : operationPutByValDirectNonStrict, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseRegs,  propertyRegs, valueRegs);
-                else
-                    callOperation(node->ecmaMode().isStrict() ? operationPutByValStrict : operationPutByValNonStrict, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseRegs,  propertyRegs, valueRegs);
-                m_jit.exceptionCheck();
-
-                noResult(node);
-                alreadyHandled = true;
-                break;
-            }
-
-            JSValueOperand base(this, child1, ManualOperandSpeculation);
-            JSValueOperand property(this, child2, ManualOperandSpeculation);
-            JSValueOperand value(this, child3, ManualOperandSpeculation);
-            JSValueRegs baseRegs = base.jsValueRegs();
-            JSValueRegs propertyRegs = property.jsValueRegs();
-            JSValueRegs valueRegs = value.jsValueRegs();
-
-            speculate(node, child1);
-            speculate(node, child2);
-            speculate(node, child3);
-
-            CodeOrigin codeOrigin = node->origin.semantic;
-            CallSiteIndex callSite = m_jit.recordCallSiteAndGenerateExceptionHandlingOSRExitIfNeeded(codeOrigin, m_stream->size());
-            RegisterSet usedRegisters = this->usedRegisters();
-            bool isDirect = node->op() == PutByValDirect;
-            ECMAMode ecmaMode = node->ecmaMode();
-
-            JITPutByValGenerator gen(
-                m_jit.codeBlock(), &m_jit.jitCode()->common.m_stubInfos, JITType::DFGJIT, codeOrigin, callSite, AccessType::PutByVal, usedRegisters,
-                baseRegs, propertyRegs, valueRegs, InvalidGPRReg, InvalidGPRReg);
-
-            if (m_state.forNode(child2).isType(SpecString))
-                gen.stubInfo()->propertyIsString = true;
-            else if (m_state.forNode(child2).isType(SpecInt32Only))
-                gen.stubInfo()->propertyIsInt32 = true;
-            else if (m_state.forNode(child2).isType(SpecSymbol))
-                gen.stubInfo()->propertyIsSymbol = true;
-
-            gen.generateFastPath(m_jit);
-
-            JITCompiler::JumpList slowCases;
-            slowCases.append(gen.slowPathJump());
-
-            std::unique_ptr<SlowPathGenerator> slowPath;
-            auto operation = isDirect ? (ecmaMode.isStrict() ? operationDirectPutByValStrictOptimize : operationDirectPutByValNonStrictOptimize) : (ecmaMode.isStrict() ? operationPutByValStrictOptimize : operationPutByValNonStrictOptimize);
-            slowPath = slowPathCall(
-                slowCases, this, operation,
-                NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(codeOrigin)), baseRegs, propertyRegs, valueRegs, gen.stubInfo(), nullptr);
-
-            m_jit.addPutByVal(gen, slowPath.get());
-            addSlowPathGenerator(WTFMove(slowPath));
-
-            noResult(node);
-            alreadyHandled = true;
-            break;
-        }
-        default:
-            break;
-        }
-        
-        if (alreadyHandled)
-            break;
-        
-        SpeculateCellOperand base(this, child1);
-        SpeculateStrictInt32Operand property(this, child2);
-        
-        GPRReg baseReg = base.gpr();
-        GPRReg propertyReg = property.gpr();
-
-        switch (arrayMode.type()) {
-        case Array::Int32: {
-            speculateInt32(child3);
-            FALLTHROUGH;
-        }
-        case Array::Contiguous: {
-            JSValueOperand value(this, child3, ManualOperandSpeculation);
-
-            GPRReg valueTagReg = value.tagGPR();
-            GPRReg valuePayloadReg = value.payloadGPR();
-        
-            if (!m_compileOkay)
-                return;
-
-            compileContiguousPutByVal(node, base, property, value, valuePayloadReg, valueTagReg);
-            break;
-        }
-        case Array::Double: {
-            compileDoublePutByVal(node, base, property);
-            break;
-        }
-        case Array::ArrayStorage:
-        case Array::SlowPutArrayStorage: {
-            JSValueOperand value(this, child3);
-
-            GPRReg valueTagReg = value.tagGPR();
-            GPRReg valuePayloadReg = value.payloadGPR();
-            
-            if (!m_compileOkay)
-                return;
-
-            StorageOperand storage(this, child4);
-            GPRReg storageReg = storage.gpr();
-
-            if (node->op() == PutByValAlias) {
-                // Store the value to the array.
-                GPRReg propertyReg = property.gpr();
-                m_jit.store32(value.tagGPR(), MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, ArrayStorage::vectorOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
-                m_jit.store32(value.payloadGPR(), MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, ArrayStorage::vectorOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.payload)));
-                
-                noResult(node);
-                break;
-            }
-
-            MacroAssembler::JumpList slowCases;
-
-            MacroAssembler::Jump beyondArrayBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, ArrayStorage::vectorLengthOffset()));
-            if (!arrayMode.isOutOfBounds())
-                speculationCheck(OutOfBounds, JSValueRegs(), 0, beyondArrayBounds);
-            else
-                slowCases.append(beyondArrayBounds);
-
-            // Check if we're writing to a hole; if so increment m_numValuesInVector.
-            if (arrayMode.isInBounds()) {
-                speculationCheck(
-                    StoreToHole, JSValueRegs(), 0,
-                    m_jit.branch32(MacroAssembler::Equal, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, ArrayStorage::vectorOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), TrustedImm32(JSValue::EmptyValueTag)));
-            } else {
-                MacroAssembler::Jump notHoleValue = m_jit.branch32(MacroAssembler::NotEqual, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, ArrayStorage::vectorOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), TrustedImm32(JSValue::EmptyValueTag));
-                if (arrayMode.isSlowPut()) {
-                    // This is sort of strange. If we wanted to optimize this code path, we would invert
-                    // the above branch. But it's simply not worth it since this only happens if we're
-                    // already having a bad time.
-                    slowCases.append(m_jit.jump());
-                } else {
-                    m_jit.add32(TrustedImm32(1), MacroAssembler::Address(storageReg, ArrayStorage::numValuesInVectorOffset()));
-                
-                    // If we're writing to a hole we might be growing the array; 
-                    MacroAssembler::Jump lengthDoesNotNeedUpdate = m_jit.branch32(MacroAssembler::Below, propertyReg, MacroAssembler::Address(storageReg, ArrayStorage::lengthOffset()));
-                    m_jit.add32(TrustedImm32(1), propertyReg);
-                    m_jit.store32(propertyReg, MacroAssembler::Address(storageReg, ArrayStorage::lengthOffset()));
-                    m_jit.sub32(TrustedImm32(1), propertyReg);
-                
-                    lengthDoesNotNeedUpdate.link(&m_jit);
-                }
-                notHoleValue.link(&m_jit);
-            }
-    
-            // Store the value to the array.
-            m_jit.store32(valueTagReg, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, ArrayStorage::vectorOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
-            m_jit.store32(valuePayloadReg, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, ArrayStorage::vectorOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.payload)));
-
-            base.use();
-            property.use();
-            value.use();
-            storage.use();
-            
-            if (!slowCases.empty()) {
-                if (node->op() == PutByValDirect) {
-                    addSlowPathGenerator(slowPathCall(
-                        slowCases, this,
-                        node->ecmaMode().isStrict() ? operationPutByValDirectBeyondArrayBoundsStrict : operationPutByValDirectBeyondArrayBoundsNonStrict,
-                        NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseReg, propertyReg, JSValueRegs(valueTagReg, valuePayloadReg)));
-                } else {
-                    addSlowPathGenerator(slowPathCall(
-                        slowCases, this,
-                        node->ecmaMode().isStrict() ? operationPutByValBeyondArrayBoundsStrict : operationPutByValBeyondArrayBoundsNonStrict,
-                        NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseReg, propertyReg, JSValueRegs(valueTagReg, valuePayloadReg)));
-                }
-            }
-
-            noResult(node, UseChildrenCalledExplicitly);
-            break;
-        }
-            
-        default: {
-            TypedArrayType type = arrayMode.typedArrayType();
-            if (isInt(type))
-                compilePutByValForIntTypedArray(base.gpr(), property.gpr(), node, type);
-            else
-                compilePutByValForFloatTypedArray(base.gpr(), property.gpr(), node, type);
-        } }
+        compilePutByVal(node);
         break;
     }

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (285529 => 285530)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2021-11-09 21:25:30 UTC (rev 285529)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2021-11-09 21:33:34 UTC (rev 285530)
@@ -3334,315 +3334,7 @@
     case PutByValDirect:
     case PutByVal:
     case PutByValAlias: {
-        Edge child1 = m_jit.graph().varArgChild(node, 0);
-        Edge child2 = m_jit.graph().varArgChild(node, 1);
-        Edge child3 = m_jit.graph().varArgChild(node, 2);
-        Edge child4 = m_jit.graph().varArgChild(node, 3);
-        
-        ArrayMode arrayMode = node->arrayMode().modeForPut();
-        bool alreadyHandled = false;
-        
-        switch (arrayMode.type()) {
-        case Array::SelectUsingPredictions:
-        case Array::ForceExit:
-            DFG_CRASH(m_jit.graph(), node, "Bad array mode type");
-            break;
-        case Array::BigInt64Array:
-        case Array::BigUint64Array:
-        case Array::Generic: {
-            DFG_ASSERT(m_jit.graph(), node, node->op() == PutByVal || node->op() == PutByValDirect, node->op());
-            if (m_graph.m_slowPutByVal.contains(node) || (child1.useKind() != CellUse && child1.useKind() != KnownCellUse)) {
-                if (child1.useKind() == CellUse) {
-                    if (child2.useKind() == StringUse) {
-                        compilePutByValForCellWithString(node, child1, child2, child3);
-                        alreadyHandled = true;
-                        break;
-                    }
-
-                    if (child2.useKind() == SymbolUse) {
-                        compilePutByValForCellWithSymbol(node, child1, child2, child3);
-                        alreadyHandled = true;
-                        break;
-                    }
-                }
-
-                JSValueOperand arg1(this, child1);
-                JSValueOperand arg2(this, child2);
-                JSValueOperand arg3(this, child3);
-                GPRReg arg1GPR = arg1.gpr();
-                GPRReg arg2GPR = arg2.gpr();
-                GPRReg arg3GPR = arg3.gpr();
-                flushRegisters();
-                if (node->op() == PutByValDirect)
-                    callOperation(node->ecmaMode().isStrict() ? operationPutByValDirectStrict : operationPutByValDirectNonStrict, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), arg1GPR, arg2GPR, arg3GPR);
-                else
-                    callOperation(node->ecmaMode().isStrict() ? operationPutByValStrict : operationPutByValNonStrict, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), arg1GPR, arg2GPR, arg3GPR);
-                m_jit.exceptionCheck();
-
-                noResult(node);
-                alreadyHandled = true;
-                break;
-            }
-
-            SpeculateCellOperand base(this, child1);
-            JSValueOperand property(this, child2, ManualOperandSpeculation);
-            JSValueOperand value(this, child3, ManualOperandSpeculation);
-            GPRReg baseGPR = base.gpr();
-            GPRReg propertyGPR = property.gpr();
-            GPRReg valueGPR = value.gpr();
-
-            GPRTemporary stubInfo;
-            GPRReg stubInfoGPR = InvalidGPRReg;
-            if (JITCode::useDataIC(JITType::DFGJIT)) {
-                stubInfo = GPRTemporary(this);
-                stubInfoGPR = stubInfo.gpr();
-            }
-
-            speculate(node, child2);
-            speculate(node, child3);
-
-            CodeOrigin codeOrigin = node->origin.semantic;
-            CallSiteIndex callSite = m_jit.recordCallSiteAndGenerateExceptionHandlingOSRExitIfNeeded(codeOrigin, m_stream->size());
-            RegisterSet usedRegisters = this->usedRegisters();
-            bool isDirect = node->op() == PutByValDirect;
-            ECMAMode ecmaMode = node->ecmaMode();
-
-            JITPutByValGenerator gen(
-                m_jit.codeBlock(), &m_jit.jitCode()->common.m_stubInfos, JITType::DFGJIT, codeOrigin, callSite, AccessType::PutByVal, usedRegisters,
-                JSValueRegs(baseGPR), JSValueRegs(propertyGPR), JSValueRegs(valueGPR), InvalidGPRReg, stubInfoGPR);
-
-            if (m_state.forNode(child2).isType(SpecString))
-                gen.stubInfo()->propertyIsString = true;
-            else if (m_state.forNode(child2).isType(SpecInt32Only))
-                gen.stubInfo()->propertyIsInt32 = true;
-            else if (m_state.forNode(child2).isType(SpecSymbol))
-                gen.stubInfo()->propertyIsSymbol = true;
-
-            gen.generateFastPath(m_jit);
-
-            JITCompiler::JumpList slowCases;
-            if (!JITCode::useDataIC(JITType::DFGJIT))
-                slowCases.append(gen.slowPathJump());
-
-            std::unique_ptr<SlowPathGenerator> slowPath;
-            auto operation = isDirect ? (ecmaMode.isStrict() ? operationDirectPutByValStrictOptimize : operationDirectPutByValNonStrictOptimize) : (ecmaMode.isStrict() ? operationPutByValStrictOptimize : operationPutByValNonStrictOptimize);
-            if (JITCode::useDataIC(JITType::DFGJIT)) {
-                slowPath = slowPathICCall(
-                    slowCases, this, gen.stubInfo(), stubInfoGPR, CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfSlowOperation()), operation,
-                    NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(codeOrigin)), baseGPR, propertyGPR, valueGPR, stubInfoGPR, nullptr);
-            } else {
-                slowPath = slowPathCall(
-                    slowCases, this, operation,
-                    NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(codeOrigin)), baseGPR, propertyGPR, valueGPR, gen.stubInfo(), nullptr);
-            }
-
-            m_jit.addPutByVal(gen, slowPath.get());
-            addSlowPathGenerator(WTFMove(slowPath));
-
-            noResult(node);
-            alreadyHandled = true;
-            break;
-        }
-        default:
-            break;
-        }
-        
-        if (alreadyHandled)
-            break;
-
-        SpeculateCellOperand base(this, child1);
-        SpeculateStrictInt32Operand property(this, child2);
-        
-        GPRReg baseReg = base.gpr();
-        GPRReg propertyReg = property.gpr();
-
-        switch (arrayMode.type()) {
-        case Array::Int32:
-        case Array::Contiguous: {
-            JSValueOperand value(this, child3, ManualOperandSpeculation);
-
-            GPRReg valueReg = value.gpr();
-        
-            if (!m_compileOkay)
-                return;
-            
-            if (arrayMode.type() == Array::Int32) {
-                DFG_TYPE_CHECK(
-                    JSValueRegs(valueReg), child3, SpecInt32Only,
-                    m_jit.branchIfNotInt32(valueReg));
-            }
-
-            StorageOperand storage(this, child4);
-            GPRReg storageReg = storage.gpr();
-
-            if (node->op() == PutByValAlias) {
-                // Store the value to the array.
-                GPRReg propertyReg = property.gpr();
-                GPRReg valueReg = value.gpr();
-                m_jit.store64(valueReg, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight));
-                
-                noResult(node);
-                break;
-            }
-            
-            GPRTemporary temporary;
-            GPRReg temporaryReg = temporaryRegisterForPutByVal(temporary, node);
-
-            MacroAssembler::Jump slowCase;
-            
-            if (arrayMode.isInBounds()) {
-                speculationCheck(
-                    OutOfBounds, JSValueRegs(), nullptr,
-                    m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength())));
-            } else {
-                MacroAssembler::Jump inBounds = m_jit.branch32(MacroAssembler::Below, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength()));
-                
-                slowCase = m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfVectorLength()));
-                
-                if (!arrayMode.isOutOfBounds())
-                    speculationCheck(OutOfBounds, JSValueRegs(), nullptr, slowCase);
-                
-                m_jit.add32(TrustedImm32(1), propertyReg, temporaryReg);
-                m_jit.store32(temporaryReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength()));
-
-                inBounds.link(&m_jit);
-            }
-
-            m_jit.store64(valueReg, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight));
-
-            base.use();
-            property.use();
-            value.use();
-            storage.use();
-            
-            if (arrayMode.isOutOfBounds()) {
-                addSlowPathGenerator(slowPathCall(
-                    slowCase, this,
-                    node->ecmaMode().isStrict()
-                        ? (node->op() == PutByValDirect ? operationPutByValDirectBeyondArrayBoundsStrict : operationPutByValBeyondArrayBoundsStrict)
-                        : (node->op() == PutByValDirect ? operationPutByValDirectBeyondArrayBoundsNonStrict : operationPutByValBeyondArrayBoundsNonStrict),
-                    NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseReg, propertyReg, valueReg));
-            }
-
-            noResult(node, UseChildrenCalledExplicitly);
-            break;
-        }
-            
-        case Array::Double: {
-            compileDoublePutByVal(node, base, property);
-            break;
-        }
-            
-        case Array::ArrayStorage:
-        case Array::SlowPutArrayStorage: {
-            JSValueOperand value(this, child3);
-
-            GPRReg valueReg = value.gpr();
-        
-            if (!m_compileOkay)
-                return;
-
-            StorageOperand storage(this, child4);
-            GPRReg storageReg = storage.gpr();
-
-            if (node->op() == PutByValAlias) {
-                // Store the value to the array.
-                GPRReg propertyReg = property.gpr();
-                GPRReg valueReg = value.gpr();
-                m_jit.store64(valueReg, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, ArrayStorage::vectorOffset()));
-                
-                noResult(node);
-                break;
-            }
-            
-            GPRTemporary temporary;
-            GPRReg temporaryReg = temporaryRegisterForPutByVal(temporary, node);
-
-            MacroAssembler::JumpList slowCases;
-
-            MacroAssembler::Jump beyondArrayBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, ArrayStorage::vectorLengthOffset()));
-            if (!arrayMode.isOutOfBounds())
-                speculationCheck(OutOfBounds, JSValueRegs(), nullptr, beyondArrayBounds);
-            else
-                slowCases.append(beyondArrayBounds);
-
-            // Check if we're writing to a hole; if so increment m_numValuesInVector.
-            if (arrayMode.isInBounds()) {
-                speculationCheck(
-                    StoreToHole, JSValueRegs(), nullptr,
-                    m_jit.branchTest64(MacroAssembler::Zero, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, ArrayStorage::vectorOffset())));
-            } else {
-                MacroAssembler::Jump notHoleValue = m_jit.branchTest64(MacroAssembler::NonZero, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, ArrayStorage::vectorOffset()));
-                if (arrayMode.isSlowPut()) {
-                    // This is sort of strange. If we wanted to optimize this code path, we would invert
-                    // the above branch. But it's simply not worth it since this only happens if we're
-                    // already having a bad time.
-                    slowCases.append(m_jit.jump());
-                } else {
-                    m_jit.add32(TrustedImm32(1), MacroAssembler::Address(storageReg, ArrayStorage::numValuesInVectorOffset()));
-                
-                    // If we're writing to a hole we might be growing the array; 
-                    MacroAssembler::Jump lengthDoesNotNeedUpdate = m_jit.branch32(MacroAssembler::Below, propertyReg, MacroAssembler::Address(storageReg, ArrayStorage::lengthOffset()));
-                    m_jit.add32(TrustedImm32(1), propertyReg, temporaryReg);
-                    m_jit.store32(temporaryReg, MacroAssembler::Address(storageReg, ArrayStorage::lengthOffset()));
-                
-                    lengthDoesNotNeedUpdate.link(&m_jit);
-                }
-                notHoleValue.link(&m_jit);
-            }
-    
-            // Store the value to the array.
-            m_jit.store64(valueReg, MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, ArrayStorage::vectorOffset()));
-
-            base.use();
-            property.use();
-            value.use();
-            storage.use();
-            
-            if (!slowCases.empty()) {
-                addSlowPathGenerator(slowPathCall(
-                    slowCases, this,
-                    node->ecmaMode().isStrict()
-                        ? (node->op() == PutByValDirect ? operationPutByValDirectBeyondArrayBoundsStrict : operationPutByValBeyondArrayBoundsStrict)
-                        : (node->op() == PutByValDirect ? operationPutByValDirectBeyondArrayBoundsNonStrict : operationPutByValBeyondArrayBoundsNonStrict),
-                    NoResult, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseReg, propertyReg, valueReg));
-            }
-
-            noResult(node, UseChildrenCalledExplicitly);
-            break;
-        }
-            
-        case Array::Int8Array:
-        case Array::Int16Array:
-        case Array::Int32Array:
-        case Array::Uint8Array:
-        case Array::Uint8ClampedArray:
-        case Array::Uint16Array:
-        case Array::Uint32Array:
-        case Array::Float32Array:
-        case Array::Float64Array: {
-            TypedArrayType type = arrayMode.typedArrayType();
-            if (isInt(type))
-                compilePutByValForIntTypedArray(base.gpr(), property.gpr(), node, type);
-            else
-                compilePutByValForFloatTypedArray(base.gpr(), property.gpr(), node, type);
-            break;
-        }
-
-        case Array::AnyTypedArray:
-        case Array::String:
-        case Array::DirectArguments:
-        case Array::ForceExit:
-        case Array::Generic:
-        case Array::ScopedArguments:
-        case Array::SelectUsingArguments:
-        case Array::SelectUsingPredictions:
-        case Array::Undecided:
-        case Array::Unprofiled:
-        case Array::BigInt64Array:
-        case Array::BigUint64Array:
-            RELEASE_ASSERT_NOT_REACHED();
-        }
+        compilePutByVal(node);
         break;
     }

Modified: trunk/Source/_javascript_Core/jit/AssemblyHelpers.h (285529 => 285530)


--- trunk/Source/_javascript_Core/jit/AssemblyHelpers.h	2021-11-09 21:25:30 UTC (rev 285529)
+++ trunk/Source/_javascript_Core/jit/AssemblyHelpers.h	2021-11-09 21:33:34 UTC (rev 285530)
@@ -969,6 +969,15 @@
 #endif
     }
 
+    Jump branchIfEmpty(BaseIndex address)
+    {
+#if USE(JSVALUE64)
+        return branchTest64(Zero, address);
+#else
+        return branch32(Equal, address.withOffset(TagOffset), TrustedImm32(JSValue::EmptyValueTag));
+#endif
+    }
+
     Jump branchIfEmpty(GPRReg gpr)
     {
 #if USE(JSVALUE64)
@@ -987,6 +996,15 @@
 #endif
     }
 
+    Jump branchIfNotEmpty(BaseIndex address)
+    {
+#if USE(JSVALUE64)
+        return branchTest64(NonZero, address);
+#else
+        return branch32(NotEqual, address.withOffset(TagOffset), TrustedImm32(JSValue::EmptyValueTag));
+#endif
+    }
+
     Jump branchIfNotEmpty(GPRReg gpr)
     {
 #if USE(JSVALUE64)

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to