Imported WebKit commit e89504fa9195b2063b2530961d4b73dd08de3242 (http://svn.webkit.org/repository/webkit/trunk@135485)

Change-Id: I03774e5ac79721c13ffa30d152537a74d0b12e66
Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>

1 files changed, 73 insertions, 0 deletions

diff --git a/Source/JavaScriptCore/bytecode/PutByIdStatus.cpp b/Source/JavaScriptCore/bytecode/PutByIdStatus.cpp
index 35800f3dd..7d6ba0987 100644
--- a/Source/JavaScriptCore/bytecode/PutByIdStatus.cpp
+++ b/Source/JavaScriptCore/bytecode/PutByIdStatus.cpp
@@ -29,6 +29,7 @@
 #include "CodeBlock.h"
 #include "LLIntData.h"
 #include "LowLevelInterpreter.h"
+#include "Operations.h"
 #include "Structure.h"
 #include "StructureChain.h"
 
@@ -134,5 +135,77 @@ PutByIdStatus PutByIdStatus::computeFor(CodeBlock* profiledBlock, unsigned bytec
 #endif // ENABLE(JIT)
 }
 
+PutByIdStatus PutByIdStatus::computeFor(JSGlobalData& globalData, JSGlobalObject* globalObject, Structure* structure, Identifier& ident, bool isDirect)
+{
+    if (PropertyName(ident).asIndex() != PropertyName::NotAnIndex)
+        return PutByIdStatus(TakesSlowPath);
+    
+    if (structure->typeInfo().overridesGetOwnPropertySlot())
+        return PutByIdStatus(TakesSlowPath);
+
+    if (!structure->propertyAccessesAreCacheable())
+        return PutByIdStatus(TakesSlowPath);
+    
+    unsigned attributes;
+    JSCell* specificValueIgnored;
+    PropertyOffset offset = structure->get(globalData, ident, attributes, specificValueIgnored);
+    if (isValidOffset(offset)) {
+        if (attributes & (Accessor | ReadOnly))
+            return PutByIdStatus(TakesSlowPath);
+        return PutByIdStatus(SimpleReplace, structure, 0, 0, offset);
+    }
+    
+    // Our hypothesis is that we're doing a transition. Before we prove that this is really
+    // true, we want to do some sanity checks.
+    
+    // Don't cache put transitions on dictionaries.
+    if (structure->isDictionary())
+        return PutByIdStatus(TakesSlowPath);
+
+    // If the structure corresponds to something that isn't an object, then give up, since
+    // we don't want to be adding properties to strings.
+    if (structure->typeInfo().type() == StringType)
+        return PutByIdStatus(TakesSlowPath);
+    
+    if (!isDirect) {
+        // If the prototype chain has setters or read-only properties, then give up.
+        if (structure->prototypeChainMayInterceptStoreTo(globalData, ident))
+            return PutByIdStatus(TakesSlowPath);
+        
+        // If the prototype chain hasn't been normalized (i.e. there are proxies or dictionaries)
+        // then give up. The dictionary case would only happen if this structure has not been
+        // used in an optimized put_by_id transition. And really the only reason why we would
+        // bail here is that I don't really feel like having the optimizing JIT go and flatten
+        // dictionaries if we have evidence to suggest that those objects were never used as
+        // prototypes in a cacheable prototype access - i.e. there's a good chance that some of
+        // the other checks below will fail.
+        if (!isPrototypeChainNormalized(globalObject, structure))
+            return PutByIdStatus(TakesSlowPath);
+    }
+    
+    // We only optimize if there is already a structure that the transition is cached to.
+    // Among other things, this allows us to guard against a transition with a specific
+    // value.
+    //
+    // - If we're storing a value that could be specific: this would only be a problem if
+    //   the existing transition did have a specific value already, since if it didn't,
+    //   then we would behave "as if" we were not storing a specific value. If it did
+    //   have a specific value, then we'll know - the fact that we pass 0 for
+    //   specificValue will tell us.
+    //
+    // - If we're not storing a value that could be specific: again, this would only be a
+    //   problem if the existing transition did have a specific value, which we check for
+    //   by passing 0 for the specificValue.
+    Structure* transition = Structure::addPropertyTransitionToExistingStructure(structure, ident, 0, 0, offset);
+    if (!transition)
+        return PutByIdStatus(TakesSlowPath); // This occurs in bizarre cases only. See above.
+    ASSERT(!transition->transitionDidInvolveSpecificValue());
+    ASSERT(isValidOffset(offset));
+    
+    return PutByIdStatus(
+        SimpleTransition, structure, transition,
+        structure->prototypeChain(globalData, globalObject), offset);
+}
+
 } // namespace JSC