BenjaminPoulain · May 27, 2015 19:43
diff --git a/gistfile1.txt b/gistfile1.txt
 This is the fast part of put by val:
 ---
 [ 336] put_by_id_transition_normal loc3, constructor(@id12), loc2 llint(prev = 0x1224e640, next = 0x1224e5f0 (offset = 0), chain = 0x120a26e0: [struct = 0x1233b450 (offset = 0), struct = 0x1232cd40 (offset = 0), struct = 0x1203ecd0 (offset = 111)])
          0x17d72c8a: mov -0x20(%ebp), %edx // Loading the value
          0x17d72c8d: mov -0x1c(%ebp), %eax // Loading the tag
          0x17d72c90: cmp $0xfb, %eax // Checking the tag
          0x17d72c93: jnz 0x17d72cc9 // Slow path if we don't have an object
          0x17d72c99: cmp $0x0, 0x7(%edx) // This is a repatch point based on structure check
          0x17d72c9d: jnz 0x17d72cc9
          0x17d72ca3: mov %ebp, (%esp)
          0x17d72ca6: mov %edx, 0x4(%esp)
          0x17d72caa: mov $0x1224978c, 0x1c(%ebp)
          0x17d72cb1: mov %ebp, 0x1201d440
          0x17d72cb7: call 0x32a5650
          0x17d72cbc: cmp $0xfa, 0x1201e36c
          0x17d72cc3: jnz 0x17d73b70
          
 --> Say we reach here without loss of generality. Note that the following code loads the tag in EDX, the value in EAX. The code after that exect those values to be in those registers.
          0x17d72cc9: mov -0x18(%ebp), %ecx
          0x17d72ccc: mov -0x14(%ebp), %ebx
          0x17d72ccf: mov -0x20(%ebp), %eax
          0x17d72cd2: mov -0x1c(%ebp), %edx
          0x17d72cd5: cmp $0xfb, %edx
          0x17d72cd8: jnz 0x17d73883
          0x17d72cde: mov -0x20(%ebp), %eax
          0x17d72ce1: mov -0x1c(%ebp), %edx
          0x17d72ce4: mov -0x18(%ebp), %ecx
          0x17d72ce7: mov -0x14(%ebp), %ebx
          0x17d72cea: cmp $0x0, (%eax) // Another repatch point, this is likely were we exit to the stub, I have not confirmed that yet.
          0x17d72cf0: jnz 0x17d73883
          0x17d72cf6: mov 0x8(%eax), %edx
          0x17d72cf9: mov %ebx, 0x0(%edx)
          0x17d72cff: mov %ecx, 0x0(%edx)
 ----


 Next is the stub. It is a fast path generated dynamically based on the types we have seen.

 Generated JIT code for PutById transition stub (0x1224e640 -> 0x1224e5f0) for extend#BDOo8I:[0x1b7bfaf0->0x122147c0, BaselineFunctionCall, 464 (StrictMode)], return point 0x17d72d05:
    Code at [0x17d70f80, 0x17d71060):
          0x17d70f80: cmp $0x1224e640, (%eax) // Check if that's the value we are optimizing for.
          0x17d70f86: jnz 0x17d73883 // If not, go to slow path.
          0x17d70f8c: mov $0x12213200, %edx // ****** Now this looks very wrong. We are trashing EDX with a constant.
          0x17d70f91: cmp $0x1233b450, (%edx) // Another check, not sure what for yet.
          0x17d70f97: jz 0x17d70fa3 // If we fail that condition, go to slow path, but we have trashed the tag register already :(
          0x17d70f9d: mov $0x12c, %eax
          0x17d70fa2: int3 
          0x17d70fa3: mov $0x12213240, %edx
          0x17d70fa8: cmp $0x1232cd40, (%edx)
          0x17d70fae: jz 0x17d70fba
          0x17d70fb4: mov $0x12c, %eax
          0x17d70fb9: int3 
          0x17d70fba: mov $0x12057fe0, %edx
          0x17d70fbf: cmp $0x1203ecd0, (%edx)
          0x17d70fc5: jz 0x17d70fd1
          0x17d70fcb: mov $0x12c, %eax
          0x17d70fd0: int3 
          0x17d70fd1: mov $0x1224e5f0, (%eax)
          0x17d70fd7: mov %ecx, 0x10(%eax)
          0x17d70fda: mov %ebx, 0x14(%eax)
          0x17d70fdd: cmp $0x0, 0x7(%eax)
          0x17d70fe1: jnz 0x17d7103f
          0x17d70fe7: mov $0x1201d394, %edx
          0x17d70fec: mov (%edx), %edi
          0x17d70fee: cmp 0x4(%edx), %edi
          0x17d70ff1: jae 0x17d71007
          0x17d70ff7: inc %edi
          0x17d70ff9: mov %edi, (%edx)
          0x17d70ffb: mov 0x8(%edx), %edx
          0x17d70ffe: mov %eax, -0x4(%edx,%edi,4)
          0x17d71002: jmp 0x17d7103f
          0x17d71007: mov %eax, 0x1377d008
          0x17d7100c: mov %ecx, 0x1377d010
          0x17d71012: mov $0x1377d000, %edi
          0x17d71017: mov $0x10, (%edi)
          0x17d7101d: mov %ebp, (%esp)
          0x17d71020: mov %eax, 0x4(%esp)
          0x17d71024: call 0x32a5590
          0x17d71029: mov $0x1377d000, %edi
          0x17d7102e: mov $0x0, (%edi)
          0x17d71034: mov 0x1377d008, %eax
          0x17d71039: mov 0x1377d010, %ecx
          0x17d7103f: jmp 0x17d72d05
 ---

 The slow path, it is just a function call and some C++ code covers all the edge cases.

 ----
 (S) [ 336] put_by_id_transition_normal loc3, constructor(@id12), loc2 llint(prev = 0x1224e640, next = 0x1224e5f0 (offset = 0), chain = 0x120a26e0: [struct = 0x1233b450 (offset = 0), struct = 0x1232cd40 (offset = 0), struct = 0x1203ecd0 (offset = 111)])
          0x17d73883: mov %ebp, (%esp)
          0x17d73886: mov $0x1beae140, 0x4(%esp)
          0x17d7388e: mov %ecx, 0x8(%esp)
          0x17d73892: mov %ebx, 0xc(%esp)
          0x17d73896: mov %eax, 0x10(%esp)
          0x17d7389a: mov %edx, 0x14(%esp)
          0x17d7389e: mov $0x13fdb5e0, 0x18(%esp)
          0x17d738a6: mov $0x1224978c, 0x1c(%ebp)
          0x17d738ad: mov %ebp, 0x1201d440
          0x17d738b3: call 0x329d150
          0x17d738b8: cmp $0xfa, 0x1201e36c
          0x17d738bf: jnz 0x17d73b70
          0x17d738c5: add $0x1, 0x1beb5d88
          0x17d738cc: jmp 0x17d72d05
	This is the fast part of put by val:
	---
	[ 336] put_by_id_transition_normal loc3, constructor(@id12), loc2 llint(prev = 0x1224e640, next = 0x1224e5f0 (offset = 0), chain = 0x120a26e0: [struct = 0x1233b450 (offset = 0), struct = 0x1232cd40 (offset = 0), struct = 0x1203ecd0 (offset = 111)])
	0x17d72c8a: mov -0x20(%ebp), %edx // Loading the value
	0x17d72c8d: mov -0x1c(%ebp), %eax // Loading the tag
	0x17d72c90: cmp $0xfb, %eax // Checking the tag
	0x17d72c93: jnz 0x17d72cc9 // Slow path if we don't have an object
	0x17d72c99: cmp $0x0, 0x7(%edx) // This is a repatch point based on structure check
	0x17d72c9d: jnz 0x17d72cc9
	0x17d72ca3: mov %ebp, (%esp)
	0x17d72ca6: mov %edx, 0x4(%esp)
	0x17d72caa: mov $0x1224978c, 0x1c(%ebp)
	0x17d72cb1: mov %ebp, 0x1201d440
	0x17d72cb7: call 0x32a5650
	0x17d72cbc: cmp $0xfa, 0x1201e36c
	0x17d72cc3: jnz 0x17d73b70

	--> Say we reach here without loss of generality. Note that the following code loads the tag in EDX, the value in EAX. The code after that exect those values to be in those registers.
	0x17d72cc9: mov -0x18(%ebp), %ecx
	0x17d72ccc: mov -0x14(%ebp), %ebx
	0x17d72ccf: mov -0x20(%ebp), %eax
	0x17d72cd2: mov -0x1c(%ebp), %edx
	0x17d72cd5: cmp $0xfb, %edx
	0x17d72cd8: jnz 0x17d73883
	0x17d72cde: mov -0x20(%ebp), %eax
	0x17d72ce1: mov -0x1c(%ebp), %edx
	0x17d72ce4: mov -0x18(%ebp), %ecx
	0x17d72ce7: mov -0x14(%ebp), %ebx
	0x17d72cea: cmp $0x0, (%eax) // Another repatch point, this is likely were we exit to the stub, I have not confirmed that yet.
	0x17d72cf0: jnz 0x17d73883
	0x17d72cf6: mov 0x8(%eax), %edx
	0x17d72cf9: mov %ebx, 0x0(%edx)
	0x17d72cff: mov %ecx, 0x0(%edx)
	----


	Next is the stub. It is a fast path generated dynamically based on the types we have seen.

	Generated JIT code for PutById transition stub (0x1224e640 -> 0x1224e5f0) for extend#BDOo8I:[0x1b7bfaf0->0x122147c0, BaselineFunctionCall, 464 (StrictMode)], return point 0x17d72d05:
	Code at [0x17d70f80, 0x17d71060):
	0x17d70f80: cmp $0x1224e640, (%eax) // Check if that's the value we are optimizing for.
	0x17d70f86: jnz 0x17d73883 // If not, go to slow path.
	0x17d70f8c: mov $0x12213200, %edx // ****** Now this looks very wrong. We are trashing EDX with a constant.
	0x17d70f91: cmp $0x1233b450, (%edx) // Another check, not sure what for yet.
	0x17d70f97: jz 0x17d70fa3 // If we fail that condition, go to slow path, but we have trashed the tag register already :(
	0x17d70f9d: mov $0x12c, %eax
	0x17d70fa2: int3
	0x17d70fa3: mov $0x12213240, %edx
	0x17d70fa8: cmp $0x1232cd40, (%edx)
	0x17d70fae: jz 0x17d70fba
	0x17d70fb4: mov $0x12c, %eax
	0x17d70fb9: int3
	0x17d70fba: mov $0x12057fe0, %edx
	0x17d70fbf: cmp $0x1203ecd0, (%edx)
	0x17d70fc5: jz 0x17d70fd1
	0x17d70fcb: mov $0x12c, %eax
	0x17d70fd0: int3
	0x17d70fd1: mov $0x1224e5f0, (%eax)
	0x17d70fd7: mov %ecx, 0x10(%eax)
	0x17d70fda: mov %ebx, 0x14(%eax)
	0x17d70fdd: cmp $0x0, 0x7(%eax)
	0x17d70fe1: jnz 0x17d7103f
	0x17d70fe7: mov $0x1201d394, %edx
	0x17d70fec: mov (%edx), %edi
	0x17d70fee: cmp 0x4(%edx), %edi
	0x17d70ff1: jae 0x17d71007
	0x17d70ff7: inc %edi
	0x17d70ff9: mov %edi, (%edx)
	0x17d70ffb: mov 0x8(%edx), %edx
	0x17d70ffe: mov %eax, -0x4(%edx,%edi,4)
	0x17d71002: jmp 0x17d7103f
	0x17d71007: mov %eax, 0x1377d008
	0x17d7100c: mov %ecx, 0x1377d010
	0x17d71012: mov $0x1377d000, %edi
	0x17d71017: mov $0x10, (%edi)
	0x17d7101d: mov %ebp, (%esp)
	0x17d71020: mov %eax, 0x4(%esp)
	0x17d71024: call 0x32a5590
	0x17d71029: mov $0x1377d000, %edi
	0x17d7102e: mov $0x0, (%edi)
	0x17d71034: mov 0x1377d008, %eax
	0x17d71039: mov 0x1377d010, %ecx
	0x17d7103f: jmp 0x17d72d05
	---

	The slow path, it is just a function call and some C++ code covers all the edge cases.

	----
	(S) [ 336] put_by_id_transition_normal loc3, constructor(@id12), loc2 llint(prev = 0x1224e640, next = 0x1224e5f0 (offset = 0), chain = 0x120a26e0: [struct = 0x1233b450 (offset = 0), struct = 0x1232cd40 (offset = 0), struct = 0x1203ecd0 (offset = 111)])
	0x17d73883: mov %ebp, (%esp)
	0x17d73886: mov $0x1beae140, 0x4(%esp)
	0x17d7388e: mov %ecx, 0x8(%esp)
	0x17d73892: mov %ebx, 0xc(%esp)
	0x17d73896: mov %eax, 0x10(%esp)
	0x17d7389a: mov %edx, 0x14(%esp)
	0x17d7389e: mov $0x13fdb5e0, 0x18(%esp)
	0x17d738a6: mov $0x1224978c, 0x1c(%ebp)
	0x17d738ad: mov %ebp, 0x1201d440
	0x17d738b3: call 0x329d150
	0x17d738b8: cmp $0xfa, 0x1201e36c
	0x17d738bf: jnz 0x17d73b70
	0x17d738c5: add $0x1, 0x1beb5d88
	0x17d738cc: jmp 0x17d72d05