Bug 91933 - JSC should have property butterflies
Summary: JSC should have property butterflies
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Filip Pizlo
Depends on: 91788 92316 92696 92923 93150 94205 94309 94448 95013 95630 96617
Blocks: 96596 96623
Reported: 2012-07-21 14:52 PDT by Filip Pizlo
Modified: 2012-10-05 13:58 PDT

Attachments (all by Filip Pizlo; name, size, date, flags)
it begins (33.08 KB, patch), 2012-07-26 01:08 PDT, no flags
more (55.75 KB, patch), 2012-07-26 13:36 PDT, no flags
more (65.63 KB, patch), 2012-07-26 15:31 PDT, no flags
this isn't going to be a small change. (90.31 KB, patch), 2012-07-26 16:05 PDT, no flags
more (114.83 KB, patch), 2012-07-27 13:50 PDT, no flags
even more (139.02 KB, patch), 2012-07-27 14:49 PDT, no flags
it's getting there! (157.54 KB, patch), 2012-07-27 16:16 PDT, no flags
a little more (166.42 KB, patch), 2012-07-27 21:10 PDT, no flags
JSObject appears to be done (186.17 KB, patch), 2012-07-28 13:32 PDT, no flags
rebased up to r123971 (186.04 KB, patch), 2012-07-28 13:41 PDT, no flags
a bit more (196.37 KB, patch), 2012-07-28 21:15 PDT, no flags
almost done with JSArray methods (211.56 KB, patch), 2012-07-29 10:17 PDT, no flags
JSObject and JSArray are done (239.34 KB, patch), 2012-07-29 13:38 PDT, no flags
some rebasing (249.66 KB, patch), 2012-08-23 15:43 PDT, no flags
more rebasing (244.00 KB, patch), 2012-08-23 16:57 PDT, no flags
rebasing done (254.70 KB, patch), 2012-08-23 18:33 PDT, no flags
more (272.25 KB, patch), 2012-08-24 13:45 PDT, no flags
a little more (277.93 KB, patch), 2012-08-24 23:00 PDT, no flags
rebased again (282.19 KB, patch), 2012-08-26 22:07 PDT, no flags
it's starting to sort of compile (303.71 KB, patch), 2012-08-27 21:40 PDT, no flags
more (317.28 KB, patch), 2012-08-28 11:06 PDT, no flags
more (354.43 KB, patch), 2012-08-28 14:23 PDT, no flags
it builds. (382.88 KB, patch), 2012-08-28 17:49 PDT, no flags
it runs things. (386.03 KB, patch), 2012-08-28 21:02 PDT, no flags
zero regression on SunSpider (387.28 KB, patch), 2012-08-28 23:21 PDT, no flags
getting close (396.26 KB, patch), 2012-08-30 00:48 PDT, no flags
passes run-javascriptcore-tests (400.87 KB, patch), 2012-08-30 17:09 PDT, no flags
making progress with LayoutTests/fast/js (397.55 KB, patch), 2012-08-31 17:23 PDT, no flags
almost there in fast/js (402.20 KB, patch), 2012-08-31 20:50 PDT, no flags
more progress on fast/js (421.41 KB, patch), 2012-09-04 17:17 PDT, no flags
fast/js gets as far as it's going to get (435.16 KB, patch), 2012-09-05 22:03 PDT, no flags
almost passing all tests (449.08 KB, patch), 2012-09-07 16:49 PDT, no flags
almost ready for review (451.23 KB, patch), 2012-09-07 19:21 PDT, no flags
the patch (505.13 KB, patch), 2012-09-09 15:29 PDT, buildbot: commit-queue-
the patch (505.80 KB, patch), 2012-09-09 16:11 PDT, buildbot: commit-queue-
the patch (509.82 KB, patch), 2012-09-09 17:39 PDT, buildbot: commit-queue-
the patch (511.50 KB, patch), 2012-09-09 18:32 PDT, ggaren: review+

Description Filip Pizlo 2012-07-21 14:52:00 PDT
In a butterfly object model, you point into the middle of an object, and one set of properties is offset to the left (negative address direction) of the pointer while another distinct set is offset to the right (positive).  JSC should use this approach for property storage, so that named (and private) properties grow to the left while indexed properties grow to the right.  This will immediately yield two benefits: (1) all objects will have fast indexed storage and (2) indexed storage access will not have to perform the array type check.
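The layout the description sketches, as an added example that is not JSC's code: one allocation with the object's pointer aimed at its middle, named properties filling slots to the left of that pointer and indexed properties filling slots to the right, with a small header just left of the pointer holding the array lengths. The slot type, the header fields, and the grow-by-reallocating policy are assumptions made for this example; an indexed read only checks the header's length, which is the "no array type check" point the description makes.

```cpp
// Added example, not JSC's code: a minimal butterfly property store. Named
// properties grow left of the butterfly pointer, indexed properties grow right.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

typedef uint64_t Slot; // stand-in for a JSValue slot (assumption)

// Sits immediately left of the butterfly pointer (fields are an assumption).
struct IndexingHeader { uint32_t publicLength; uint32_t vectorLength; };

class ButterflyObject {
public:
    ButterflyObject() : m_butterfly(nullptr), m_namedCapacity(0) {}
    ~ButterflyObject() { std::free(base()); }

    // Named property at 'offset': offset 0 is the slot just left of the header,
    // offset 1 the slot left of that, and so on (growth to the left).
    void putNamed(size_t offset, Slot v) {
        if (offset >= m_namedCapacity) grow(offset + 1, vectorLength());
        namedSlots()[-1 - (ptrdiff_t)offset] = v;
    }
    bool getNamed(size_t offset, Slot& out) const {
        if (offset >= m_namedCapacity) return false;
        out = namedSlots()[-1 - (ptrdiff_t)offset];
        return true;
    }
    // Indexed property: the only guard is the header's length, no array-type check.
    void putIndexed(uint32_t i, Slot v) {
        if (i >= vectorLength()) grow(m_namedCapacity, (size_t)i + 1);
        m_butterfly[i] = v;
        if (i >= header()->publicLength) header()->publicLength = i + 1;
    }
    bool getIndexed(uint32_t i, Slot& out) const {
        if (!m_butterfly || i >= header()->publicLength) return false;
        out = m_butterfly[i];
        return true;
    }
    uint32_t length() const { return m_butterfly ? header()->publicLength : 0; }
    uint32_t vectorLength() const { return m_butterfly ? header()->vectorLength : 0; }

private:
    IndexingHeader* header() const { return reinterpret_cast<IndexingHeader*>(m_butterfly) - 1; }
    Slot* namedSlots() const { return reinterpret_cast<Slot*>(header()); } // [-1] is offset 0
    char* base() const { return m_butterfly ? reinterpret_cast<char*>(header()) - m_namedCapacity * sizeof(Slot) : nullptr; }

    // Reallocate with room for both sides and copy each side into place, so every
    // named offset and every index keeps its meaning relative to the new pointer.
    void grow(size_t namedCap, size_t indexedCap) {
        size_t left = namedCap * sizeof(Slot);
        char* nb = static_cast<char*>(std::calloc(1, left + sizeof(IndexingHeader) + indexedCap * sizeof(Slot)));
        if (!nb) std::abort();
        Slot* fly = reinterpret_cast<Slot*>(nb + left + sizeof(IndexingHeader));
        IndexingHeader* h = reinterpret_cast<IndexingHeader*>(fly) - 1;
        h->publicLength = length();
        h->vectorLength = (uint32_t)indexedCap;
        if (m_butterfly) {
            std::memcpy(reinterpret_cast<char*>(h) - m_namedCapacity * sizeof(Slot), base(), m_namedCapacity * sizeof(Slot));
            std::memcpy(fly, m_butterfly, vectorLength() * sizeof(Slot));
        }
        std::free(base());
        m_butterfly = fly;
        m_namedCapacity = namedCap;
    }

    Slot* m_butterfly;      // points into the middle of the allocation
    size_t m_namedCapacity; // slots allocated to the left of the header
};
```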
Comment 1 Filip Pizlo 2012-07-26 01:08:46 PDT
Created attachment 154570 [details]
it begins
Comment 2 Filip Pizlo 2012-07-26 13:36:47 PDT
Created attachment 154739 [details]
more

And still a lot more left to do.
Comment 3 Filip Pizlo 2012-07-26 15:31:27 PDT
Created attachment 154770 [details]
more
Comment 4 Filip Pizlo 2012-07-26 16:05:35 PDT
Created attachment 154779 [details]
this isn't going to be a small change.
Comment 5 Filip Pizlo 2012-07-27 13:50:43 PDT
Created attachment 155041 [details]
more
Comment 6 Filip Pizlo 2012-07-27 14:49:59 PDT
Created attachment 155056 [details]
even more

Most of the JSArray functionality is now moved to JSObject.

This code does not compile, or work, or anything, for that matter.  Still a lot more to do.
Comment 7 Filip Pizlo 2012-07-27 16:16:21 PDT
Created attachment 155083 [details]
it's getting there!
Comment 8 Filip Pizlo 2012-07-27 21:10:53 PDT
Created attachment 155105 [details]
a little more

I think I'm getting close to having moved all of JSArray's indexed property handling into JSObject.
Comment 9 Filip Pizlo 2012-07-28 13:32:04 PDT
Created attachment 155138 [details]
JSObject appears to be done

Except of course for all of the JIT and LLInt code that needs to be rewritten.  And the hacks for property name iteration are probably not yet complete.
Comment 10 Filip Pizlo 2012-07-28 13:41:27 PDT
Created attachment 155139 [details]
rebased up to r123971
Comment 11 Filip Pizlo 2012-07-28 21:15:34 PDT
Created attachment 155156 [details]
a bit more
Comment 12 Filip Pizlo 2012-07-29 10:17:12 PDT
Created attachment 155176 [details]
almost done with JSArray methods
Comment 13 Filip Pizlo 2012-07-29 13:38:29 PDT
Created attachment 155180 [details]
JSObject and JSArray are done
Comment 14 Filip Pizlo 2012-08-23 15:43:49 PDT
Created attachment 160268 [details]
some rebasing

I'll have to rip out the type in IndexingHeader and replace it with an array mode in Structure.  Haven't done that yet.
Comment 15 Filip Pizlo 2012-08-23 16:57:04 PDT
Created attachment 160281 [details]
more rebasing

Changed more of the code to use Structure::indexingType() rather than IndexingHeader::type().
Comment 16 Filip Pizlo 2012-08-23 18:33:31 PDT
Created attachment 160305 [details]
rebasing done

The code should now be using Structure::indexingType(), and Structure now has the notion of cacheable indexing type transitions.
Comment 17 Filip Pizlo 2012-08-24 13:45:53 PDT
Created attachment 160496 [details]
more
Comment 18 Filip Pizlo 2012-08-24 23:00:37 PDT
Created attachment 160553 [details]
a little more
Comment 19 Filip Pizlo 2012-08-26 22:07:59 PDT
Created attachment 160629 [details]
rebased again
Comment 20 Filip Pizlo 2012-08-27 21:40:54 PDT
Created attachment 160894 [details]
it's starting to sort of compile

By which I mean I can compile the LLIntOffsetsExtractor.  Still a lot of work to do though.
Comment 21 Filip Pizlo 2012-08-28 11:06:26 PDT
Created attachment 161014 [details]
more
Comment 22 Filip Pizlo 2012-08-28 14:23:29 PDT
Created attachment 161059 [details]
more
Comment 23 Filip Pizlo 2012-08-28 17:49:05 PDT
Created attachment 161103 [details]
it builds.

And probably crashes on launch, though I wouldn't know.
Comment 24 Filip Pizlo 2012-08-28 21:02:05 PDT
Created attachment 161129 [details]
it runs things.

Most of the benchmarks run correctly.  I still smell bugs though.
Comment 25 Filip Pizlo 2012-08-28 23:21:37 PDT
Created attachment 161142 [details]
zero regression on SunSpider

Still testing more things.
Comment 26 Filip Pizlo 2012-08-28 23:51:32 PDT
(In reply to comment #25)
> Created an attachment (id=161142) [details]
> zero regression on SunSpider
> 
> Still testing more things.

Zero regression on SunSpider, V8, or Kraken.  Possible speed-up on V8, but it's slight.
Comment 27 Filip Pizlo 2012-08-30 00:48:16 PDT
Created attachment 161416 [details]
getting close

Tests are starting to pass.
Comment 28 Filip Pizlo 2012-08-30 17:09:54 PDT
Created attachment 161593 [details]
passes run-javascriptcore-tests
Comment 29 Filip Pizlo 2012-08-31 17:23:27 PDT
Created attachment 161795 [details]
making progress with LayoutTests/fast/js

Still not passing though.
Comment 30 Filip Pizlo 2012-08-31 20:50:38 PDT
Created attachment 161814 [details]
almost there in fast/js
Comment 31 Filip Pizlo 2012-09-04 17:17:55 PDT
Created attachment 162135 [details]
more progress on fast/js
Comment 32 Filip Pizlo 2012-09-05 22:03:34 PDT
Created attachment 162417 [details]
fast/js gets as far as it's going to get

We fail corner cases of numeric setters.  But we pass everything else.  That's as good as it's going to get, for now.
Comment 33 Filip Pizlo 2012-09-07 16:49:56 PDT
Created attachment 162906 [details]
almost passing all tests
Comment 34 Filip Pizlo 2012-09-07 19:21:13 PDT
Created attachment 162933 [details]
almost ready for review

Still need to write some 32-bit support code, and need to add files to the other build systems.
Comment 35 Filip Pizlo 2012-09-09 15:29:24 PDT
Created attachment 163018 [details]
the patch

It works.
Comment 36 WebKit Review Bot 2012-09-09 15:31:58 PDT
Attachment 163018 [details] did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/fast..." exit_code: 1
Source/JavaScriptCore/runtime/JSArray.h:125:  The parameter name "globalData" adds no information, so it should be removed.  [readability/parameter_name] [5]
Source/JavaScriptCore/runtime/ArrayPrototype.cpp:1088:  Missing space before {  [whitespace/braces] [5]
Source/JavaScriptCore/runtime/ArrayPrototype.cpp:1165:  Missing space before {  [whitespace/braces] [5]
Source/JavaScriptCore/runtime/JSObject.cpp:51:  Should have only a single space after a punctuation in a comment.  [whitespace/comments] [5]
Source/JavaScriptCore/runtime/ArrayPrototype.h:36:  The parameter name "exec" adds no information, so it should be removed.  [readability/parameter_name] [5]
Source/JavaScriptCore/runtime/ArrayPrototype.h:36:  The parameter name "globalObject" adds no information, so it should be removed.  [readability/parameter_name] [5]
Source/JavaScriptCore/runtime/ArrayPrototype.h:36:  The parameter name "structure" adds no information, so it should be removed.  [readability/parameter_name] [5]
Source/JavaScriptCore/runtime/IndexingHeaderInlineMethods.h:29:  Alphabetical sorting problem.  [build/include_order] [4]
Source/JavaScriptCore/runtime/Butterfly.h:66:  The parameter name "structure" adds no information, so it should be removed.  [readability/parameter_name] [5]
Source/JavaScriptCore/runtime/Butterfly.h:85:  The parameter name "structure" adds no information, so it should be removed.  [readability/parameter_name] [5]
Source/JavaScriptCore/runtime/Butterfly.h:96:  The parameter name "structure" adds no information, so it should be removed.  [readability/parameter_name] [5]
Source/JavaScriptCore/runtime/Butterfly.h:98:  The parameter name "structure" adds no information, so it should be removed.  [readability/parameter_name] [5]
Source/JavaScriptCore/runtime/Butterfly.h:99:  The parameter name "structure" adds no information, so it should be removed.  [readability/parameter_name] [5]
Source/JavaScriptCore/runtime/Butterfly.h:100:  The parameter name "structure" adds no information, so it should be removed.  [readability/parameter_name] [5]
Source/JavaScriptCore/runtime/StringPrototype.cpp:26:  Alphabetical sorting problem.  [build/include_order] [4]
Source/JavaScriptCore/runtime/SparseArrayValueMap.h:42:  Missing space inside { }.  [whitespace/braces] [5]
Source/JavaScriptCore/runtime/SparseArrayValueMap.h:65:  The parameter name "globalData" adds no information, so it should be removed.  [readability/parameter_name] [5]
Source/JavaScriptCore/runtime/SparseArrayValueMap.h:68:  The parameter name "globalData" adds no information, so it should be removed.  [readability/parameter_name] [5]
Source/JavaScriptCore/runtime/SparseArrayValueMap.h:79:  The parameter name "globalData" adds no information, so it should be removed.  [readability/parameter_name] [5]
Source/JavaScriptCore/runtime/JSArray.cpp:587:  More than one command on the same line  [whitespace/newline] [4]
Source/JavaScriptCore/runtime/ArrayConventions.h:45:  Should have only a single space after a punctuation in a comment.  [whitespace/comments] [5]
Source/JavaScriptCore/runtime/JSObject.h:187:  The parameter name "exec" adds no information, so it should be removed.  [readability/parameter_name] [5]
Source/JavaScriptCore/runtime/JSObject.h:613:  The parameter name "offset" adds no information, so it should be removed.  [readability/parameter_name] [5]
Source/JavaScriptCore/runtime/ArrayStorage.h:39:  Should have only a single space after a punctuation in a comment.  [whitespace/comments] [5]
Source/JavaScriptCore/runtime/ArrayStorage.h:40:  Should have only a single space after a punctuation in a comment.  [whitespace/comments] [5]
Source/JavaScriptCore/runtime/ArrayStorage.h:41:  Should have only a single space after a punctuation in a comment.  [whitespace/comments] [5]
Source/JavaScriptCore/runtime/ArrayStorage.h:42:  Should have only a single space after a punctuation in a comment.  [whitespace/comments] [5]
Source/JavaScriptCore/runtime/SparseArrayValueMapInlineMethods.h:30:  Alphabetical sorting problem.  [build/include_order] [4]
Total errors found: 28 in 114 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 37 Build Bot 2012-09-09 15:54:04 PDT
Comment on attachment 163018 [details]
the patch

Attachment 163018 [details] did not pass win-ews (win):
Output: http://queues.webkit.org/results/13794693
Comment 38 Early Warning System Bot 2012-09-09 15:57:29 PDT
Comment on attachment 163018 [details]
the patch

Attachment 163018 [details] did not pass qt-ews (qt):
Output: http://queues.webkit.org/results/13793683
Comment 39 Early Warning System Bot 2012-09-09 16:03:18 PDT
Comment on attachment 163018 [details]
the patch

Attachment 163018 [details] did not pass qt-wk2-ews (qt):
Output: http://queues.webkit.org/results/13796660
Comment 40 Filip Pizlo 2012-09-09 16:11:08 PDT
Created attachment 163019 [details]
the patch

Style fixes, and build fixes for Win and Qt.
Comment 41 WebKit Review Bot 2012-09-09 16:14:58 PDT
Attachment 163019 [details] did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/fast..." exit_code: 1
Source/JavaScriptCore/runtime/ArrayConventions.h:45:  Should have only a single space after a punctuation in a comment.  [whitespace/comments] [5]
Total errors found: 1 in 114 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 42 Build Bot 2012-09-09 16:38:28 PDT
Comment on attachment 163019 [details]
the patch

Attachment 163019 [details] did not pass win-ews (win):
Output: http://queues.webkit.org/results/13795652
Comment 43 Filip Pizlo 2012-09-09 17:39:24 PDT
Created attachment 163020 [details]
the patch

Another style fix.  Also trying to fix Win.
Comment 44 Build Bot 2012-09-09 18:13:07 PDT
Comment on attachment 163020 [details]
the patch

Attachment 163020 [details] did not pass win-ews (win):
Output: http://queues.webkit.org/results/13799592
Comment 45 Filip Pizlo 2012-09-09 18:32:17 PDT
Created attachment 163022 [details]
the patch

Fix Windows, for real this time!
Comment 46 Geoffrey Garen 2012-09-11 18:01:48 PDT
Comment on attachment 163022 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=163022&action=review

> Source/JavaScriptCore/llint/LowLevelInterpreter.asm:67
> +# Constant for reasoning about butterflies.
> +const IsArray = 1
> +const HasArrayStorage = 8
> +const AllArrayTypes = 15
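
Review bot: AllArrayTypes = 15 masks four bits but only two of them (IsArray = 1 and HasArrayStorage = 8) are named in this hunk, so a reader of the LLInt source cannot tell what the other two bits mean or that the mask must track the C++ indexing-type definitions; until the values are generated, name the remaining bits or say in the comment where the mask comes from, and make the comment plural since three constants follow it.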

The magical constants in the LLInt have been giving me fits lately. Would be nice to generate them through a .cpp file, so they auto-update.

> Source/JavaScriptCore/runtime/ArrayStorage.h:39
> +// This struct holds the actual data values of an array. A JSArray object points to it's contained ArrayStorage

Typo: "it's" => "its".

> Source/JavaScriptCore/runtime/JSObject.cpp:279
> +    // Try indexed put first.

Would be nice for this comment to explain that this is required for correctness, and not just optimization.

> Source/JavaScriptCore/runtime/JSObject.cpp:281
> +    if (i != PropertyName::NotAnIndex) {

Since we think the "not an index" case is probably common, it would be nice to refactor toUInt32FromCharacters() to have an inline fast path for the first character being non-digit, and move all the other code out-of-line.

> Source/JavaScriptCore/runtime/JSObject.h:542
> +        ArrayStorage* arrayStorageOrZero()

Let's call this "arrayStorageOrNull", since (ArrayStorage*)0 is better known as null.

> Source/JavaScriptCore/runtime/JSObject.h:773
> +inline void JSObject::setButterfly(JSGlobalData& globalData, Butterfly* butterfly, Structure* structure)
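
Review bot: if the store to m_butterfly is made without a write barrier, the reason (the GC assumption that makes a barrier unnecessary here) should be stated in a comment at the store so the decision stays visible if the collector changes; in the out-of-line case this is a pointer from one GC object to another, and a future reader will ask the same question.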

When 'butterfly' points to out-of-line storage, this function is a reference store between GC objects. Does it need to perform a write barrier?

> Source/JavaScriptCore/runtime/JSObject.h:781
> +inline void JSObject::setButterflyWithoutChangingStructure(Butterfly* butterfly)

Ditto.

> Source/JavaScriptCore/runtime/SparseArrayValueMapInlineMethods.h:104
> +        entry.set(exec->globalData(), array, value);

Since 'this' is a GC object now, it should be the owner in this set, not 'array'.

> Source/JavaScriptCore/runtime/SparseArrayValueMapInlineMethods.h:139
> +    entry.set(exec->globalData(), array, value);

Ditto.

> Source/JavaScriptCore/runtime/SparseArrayValueMapInlineMethods.h:190
> +inline void SparseArrayValueMap::visitChildren(JSCell* thisObject, SlotVisitor& visitor)

Since this is a GC object now, it needs to call through to Base::visitChildren().
Comment 47 Geoffrey Garen 2012-09-11 18:04:23 PDT
Comment on attachment 163022 [details]
the patch

r=me
Comment 48 Filip Pizlo 2012-09-12 18:24:03 PDT
(In reply to comment #46)
> (From update of attachment 163022 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=163022&action=review
> 
> > Source/JavaScriptCore/llint/LowLevelInterpreter.asm:67
> > +# Constant for reasoning about butterflies.
> > +const IsArray = 1
> > +const HasArrayStorage = 8
> > +const AllArrayTypes = 15
> 
> The magical constants in the LLInt have been giving me fits lately. Would be nice to generate them through a .cpp file, so they auto-update.

Yes!  I have been thinking about how to do that.  We should definitely do this.  https://bugs.webkit.org/show_bug.cgi?id=96587

> 
> > Source/JavaScriptCore/runtime/ArrayStorage.h:39
> > +// This struct holds the actual data values of an array. A JSArray object points to it's contained ArrayStorage
> 
> Typo: "it's" => "its".

Done.

> 
> > Source/JavaScriptCore/runtime/JSObject.cpp:279
> > +    // Try indexed put first.
> 
> Would be nice for this comment to explain that this is required for correctness, and not just optimization.

Done.

> 
> > Source/JavaScriptCore/runtime/JSObject.cpp:281
> > +    if (i != PropertyName::NotAnIndex) {
> 
> Since we think the "not an index" case is probably common, it would be nice to refactor toUInt32FromCharacters() to have an inline fast path for the first character being non-digit, and move all the other code out-of-line.

The whole method is ALWAYS_INLINE, and the second thing it checks is for the first character not being a digit.  (The first thing it checks is for the string being zero-length.)

> 
> > Source/JavaScriptCore/runtime/JSObject.h:542
> > +        ArrayStorage* arrayStorageOrZero()
> 
> Let's call this "arrayStorageOrNull", since (ArrayStorage*)0 is better known as null.

Done.

> 
> > Source/JavaScriptCore/runtime/JSObject.h:773
> > +inline void JSObject::setButterfly(JSGlobalData& globalData, Butterfly* butterfly, Structure* structure)
> 
> When 'butterfly' points to out-of-line storage, this function is a reference store between GC objects. Does it need to perform a write barrier?

As per our discussions, I'm leaving it as is.  None of the copying GC styles we can envision doing in the near future would require a barrier on accesses to m_butterfly.

> 
> > Source/JavaScriptCore/runtime/JSObject.h:781
> > +inline void JSObject::setButterflyWithoutChangingStructure(Butterfly* butterfly)
> 
> Ditto.
> 
> > Source/JavaScriptCore/runtime/SparseArrayValueMapInlineMethods.h:104
> > +        entry.set(exec->globalData(), array, value);
> 
> Since 'this' is a GC object now, it should be the owner in this set, not 'array'.

Ah!  Good catch.  Fixed.

> 
> > Source/JavaScriptCore/runtime/SparseArrayValueMapInlineMethods.h:139
> > +    entry.set(exec->globalData(), array, value);
> 
> Ditto.

Fixed.

> 
> > Source/JavaScriptCore/runtime/SparseArrayValueMapInlineMethods.h:190
> > +inline void SparseArrayValueMap::visitChildren(JSCell* thisObject, SlotVisitor& visitor)
> 
> Since this is a GC object now, it needs to call through to Base::visitChildren().

Fixed!
Comment 49 Filip Pizlo 2012-09-12 21:19:01 PDT
Landed in http://trac.webkit.org/changeset/128400
Comment 50 Ryosuke Niwa 2012-10-05 13:58:36 PDT
It appears that this patch caused some perf. regression: https://bugs.webkit.org/show_bug.cgi?id=93744