Dynamically specialising code for hot builtin functions should be a win.
Created attachment 22741 [details] initial specialisation patch Here's an initial version of this patch. Current problems: * I'm fairly sure it's not gc-safe (it stores the JSFunction* for functions it specialises in the opcode stream, which could be gc'd, then that address could be reallocated with a different object which could in certain circumstances result in badness) * It's not 64bit safe -- it stores the JSFunction* in a single operand in te intstruction stream. * Some of the code is heonously ugly, especially the bits where functions specialise themselves.
This code will trigger a failure in commandline jsc: g=Math.sqrt; function f(){return g(4);}; Math.sqrt=null; f(); f(); f(); gc(); for (var i = 0; i < 10000; i++) { g=new Function("", "return 3;"); if (f() == 2) { throw "Failed"; } }
Created attachment 22743 [details] quality test case
We do lots of function & type specialization now; this bug is archaic.