From 6c89cd3fdecaf5709b8f7b9f4dd1afb6c6a5cab5 Mon Sep 17 00:00:00 2001
From: "fpizlo@apple.com"
 <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue, 26 Jun 2012 19:42:05 +0000
Subject: [PATCH] DFG::operationNewArray is unnecessarily slow, and may use the
 wrong array prototype when inlined
 https://bugs.webkit.org/show_bug.cgi?id=89821

Source/JavaScriptCore:

Reviewed by Geoffrey Garen.

Fixes all array allocations to use the right structure, and hence the right prototype. Adds
inlining of new Array(...) with a non-zero number of arguments. Optimizes allocations of
empty arrays.

* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::execute):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
* dfg/DFGCCallHelpers.h:
(JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
(CCallHelpers):
* dfg/DFGNodeType.h:
(DFG):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* runtime/JSArray.h:
(JSC):
(JSC::constructArray):
* runtime/JSGlobalObject.h:
(JSC):
(JSC::constructArray):

LayoutTests:

Rubber stamped by Geoffrey Garen.

* fast/js/dfg-cross-global-object-inline-new-array-expected.txt: Added.
* fast/js/dfg-cross-global-object-inline-new-array-literal-expected.txt: Added.
* fast/js/dfg-cross-global-object-inline-new-array-literal-with-variables-expected.txt: Added.
* fast/js/dfg-cross-global-object-inline-new-array-literal-with-variables.html: Added.
* fast/js/dfg-cross-global-object-inline-new-array-literal.html: Added.
* fast/js/dfg-cross-global-object-inline-new-array-with-elements-expected.txt: Added.
* fast/js/dfg-cross-global-object-inline-new-array-with-elements.html: Added.
* fast/js/dfg-cross-global-object-inline-new-array-with-size-expected.txt: Added.
* fast/js/dfg-cross-global-object-inline-new-array-with-size.html: Added.
* fast/js/dfg-cross-global-object-inline-new-array.html: Added.
* fast/js/script-tests/cross-global-object-inline-global-var.js:
(done):
* fast/js/script-tests/dfg-cross-global-object-inline-new-array-literal-with-variables.js: Added.
(foo):
(done):
(doit):
* fast/js/script-tests/dfg-cross-global-object-inline-new-array-literal.js: Added.
(foo):
(done):
(doit):
* fast/js/script-tests/dfg-cross-global-object-inline-new-array-with-elements.js: Added.
(foo):
(done):
(doit):
* fast/js/script-tests/dfg-cross-global-object-inline-new-array-with-size.js: Added.
(foo):
(done):
(doit):
* fast/js/script-tests/dfg-cross-global-object-inline-new-array.js: Added.
(foo):
(done):
(doit):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@121280 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 LayoutTests/ChangeLog                              | 41 ++++++++++
 ...oss-global-object-inline-new-array-expected.txt | 10 +++
 ...al-object-inline-new-array-literal-expected.txt | 10 +++
 ...e-new-array-literal-with-variables-expected.txt | 10 +++
 ...ct-inline-new-array-literal-with-variables.html | 11 +++
 ...oss-global-object-inline-new-array-literal.html | 11 +++
 ...ect-inline-new-array-with-elements-expected.txt | 10 +++
 ...obal-object-inline-new-array-with-elements.html | 11 +++
 ...-object-inline-new-array-with-size-expected.txt | 10 +++
 ...s-global-object-inline-new-array-with-size.html | 11 +++
 .../dfg-cross-global-object-inline-new-array.html  | 11 +++
 .../cross-global-object-inline-global-var.js       |  2 +-
 ...ject-inline-new-array-literal-with-variables.js | 47 ++++++++++++
 ...cross-global-object-inline-new-array-literal.js | 47 ++++++++++++
 ...global-object-inline-new-array-with-elements.js | 47 ++++++++++++
 ...oss-global-object-inline-new-array-with-size.js | 47 ++++++++++++
 .../dfg-cross-global-object-inline-new-array.js    | 45 +++++++++++
 Source/JavaScriptCore/ChangeLog                    | 38 +++++++++
 Source/JavaScriptCore/dfg/DFGAbstractState.cpp     | 10 ++-
 Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp    | 12 ++-
 Source/JavaScriptCore/dfg/DFGCCallHelpers.h        | 25 ++++++
 Source/JavaScriptCore/dfg/DFGNodeType.h            |  1 +
 Source/JavaScriptCore/dfg/DFGOperations.cpp        | 14 +++-
 Source/JavaScriptCore/dfg/DFGOperations.h          |  7 +-
 .../dfg/DFGPredictionPropagationPhase.cpp          |  6 ++
 Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h      | 30 ++++++++
 .../JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp  | 89 +++++++++++++++++-----
 Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp  | 79 ++++++++++++++-----
 Source/JavaScriptCore/runtime/JSArray.h            | 37 ++++++++-
 Source/JavaScriptCore/runtime/JSGlobalObject.h     | 31 +-------
 30 files changed, 684 insertions(+), 76 deletions(-)
 create mode 100644 LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-expected.txt
 create mode 100644 LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-literal-expected.txt
 create mode 100644 LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-literal-with-variables-expected.txt
 create mode 100644 LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-literal-with-variables.html
 create mode 100644 LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-literal.html
 create mode 100644 LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-with-elements-expected.txt
 create mode 100644 LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-with-elements.html
 create mode 100644 LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-with-size-expected.txt
 create mode 100644 LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-with-size.html
 create mode 100644 LayoutTests/fast/js/dfg-cross-global-object-inline-new-array.html
 create mode 100644 LayoutTests/fast/js/script-tests/dfg-cross-global-object-inline-new-array-literal-with-variables.js
 create mode 100644 LayoutTests/fast/js/script-tests/dfg-cross-global-object-inline-new-array-literal.js
 create mode 100644 LayoutTests/fast/js/script-tests/dfg-cross-global-object-inline-new-array-with-elements.js
 create mode 100644 LayoutTests/fast/js/script-tests/dfg-cross-global-object-inline-new-array-with-size.js
 create mode 100644 LayoutTests/fast/js/script-tests/dfg-cross-global-object-inline-new-array.js

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index a01cac9..e12d7b9 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,44 @@
+2012-06-26  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG::operationNewArray is unnecessarily slow, and may use the wrong array
+        prototype when inlined
+        https://bugs.webkit.org/show_bug.cgi?id=89821
+
+        Rubber stamped by Geoffrey Garen.
+
+        * fast/js/dfg-cross-global-object-inline-new-array-expected.txt: Added.
+        * fast/js/dfg-cross-global-object-inline-new-array-literal-expected.txt: Added.
+        * fast/js/dfg-cross-global-object-inline-new-array-literal-with-variables-expected.txt: Added.
+        * fast/js/dfg-cross-global-object-inline-new-array-literal-with-variables.html: Added.
+        * fast/js/dfg-cross-global-object-inline-new-array-literal.html: Added.
+        * fast/js/dfg-cross-global-object-inline-new-array-with-elements-expected.txt: Added.
+        * fast/js/dfg-cross-global-object-inline-new-array-with-elements.html: Added.
+        * fast/js/dfg-cross-global-object-inline-new-array-with-size-expected.txt: Added.
+        * fast/js/dfg-cross-global-object-inline-new-array-with-size.html: Added.
+        * fast/js/dfg-cross-global-object-inline-new-array.html: Added.
+        * fast/js/script-tests/cross-global-object-inline-global-var.js:
+        (done):
+        * fast/js/script-tests/dfg-cross-global-object-inline-new-array-literal-with-variables.js: Added.
+        (foo):
+        (done):
+        (doit):
+        * fast/js/script-tests/dfg-cross-global-object-inline-new-array-literal.js: Added.
+        (foo):
+        (done):
+        (doit):
+        * fast/js/script-tests/dfg-cross-global-object-inline-new-array-with-elements.js: Added.
+        (foo):
+        (done):
+        (doit):
+        * fast/js/script-tests/dfg-cross-global-object-inline-new-array-with-size.js: Added.
+        (foo):
+        (done):
+        (doit):
+        * fast/js/script-tests/dfg-cross-global-object-inline-new-array.js: Added.
+        (foo):
+        (done):
+        (doit):
+
 2012-06-26  Adam Klein  <adamk@chromium.org>
 
         MutationObserver.observe should treat a null or undefined options argument as empty
diff --git a/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-expected.txt b/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-expected.txt
new file mode 100644
index 0000000..5c3c32d
--- /dev/null
+++ b/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-expected.txt
@@ -0,0 +1,10 @@
+This tests that function inlining in the DFG JIT doesn't get confused about the global object to use for array allocation.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+PASS done() called with 4800
+
diff --git a/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-literal-expected.txt b/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-literal-expected.txt
new file mode 100644
index 0000000..a821b43
--- /dev/null
+++ b/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-literal-expected.txt
@@ -0,0 +1,10 @@
+This tests that function inlining in the DFG JIT doesn't get confused about the global object to use for array allocation.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+PASS done() called with 6600
+
diff --git a/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-literal-with-variables-expected.txt b/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-literal-with-variables-expected.txt
new file mode 100644
index 0000000..ebfb059
--- /dev/null
+++ b/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-literal-with-variables-expected.txt
@@ -0,0 +1,10 @@
+This tests that function inlining in the DFG JIT doesn't get confused about the global object to use for array allocation.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+PASS done() called with 85200
+
diff --git a/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-literal-with-variables.html b/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-literal-with-variables.html
new file mode 100644
index 0000000..768c292
--- /dev/null
+++ b/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-literal-with-variables.html
@@ -0,0 +1,11 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<div id="frameparent"></div>
+<script src="script-tests/dfg-cross-global-object-inline-new-array-literal-with-variables.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-literal.html b/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-literal.html
new file mode 100644
index 0000000..da12ec0
--- /dev/null
+++ b/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-literal.html
@@ -0,0 +1,11 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<div id="frameparent"></div>
+<script src="script-tests/dfg-cross-global-object-inline-new-array-literal.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-with-elements-expected.txt b/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-with-elements-expected.txt
new file mode 100644
index 0000000..a821b43
--- /dev/null
+++ b/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-with-elements-expected.txt
@@ -0,0 +1,10 @@
+This tests that function inlining in the DFG JIT doesn't get confused about the global object to use for array allocation.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+PASS done() called with 6600
+
diff --git a/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-with-elements.html b/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-with-elements.html
new file mode 100644
index 0000000..6ae416c
--- /dev/null
+++ b/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-with-elements.html
@@ -0,0 +1,11 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<div id="frameparent"></div>
+<script src="script-tests/dfg-cross-global-object-inline-new-array-with-elements.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-with-size-expected.txt b/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-with-size-expected.txt
new file mode 100644
index 0000000..9657740
--- /dev/null
+++ b/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-with-size-expected.txt
@@ -0,0 +1,10 @@
+This tests that function inlining in the DFG JIT doesn't get confused about the global object to use for array allocation.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+PASS done() called with 204800
+
diff --git a/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-with-size.html b/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-with-size.html
new file mode 100644
index 0000000..901f765
--- /dev/null
+++ b/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array-with-size.html
@@ -0,0 +1,11 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<div id="frameparent"></div>
+<script src="script-tests/dfg-cross-global-object-inline-new-array-with-size.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array.html b/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array.html
new file mode 100644
index 0000000..d07fb90
--- /dev/null
+++ b/LayoutTests/fast/js/dfg-cross-global-object-inline-new-array.html
@@ -0,0 +1,11 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<div id="frameparent"></div>
+<script src="script-tests/dfg-cross-global-object-inline-new-array.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/js/script-tests/cross-global-object-inline-global-var.js b/LayoutTests/fast/js/script-tests/cross-global-object-inline-global-var.js
index bedd549..23fefd1 100644
--- a/LayoutTests/fast/js/script-tests/cross-global-object-inline-global-var.js
+++ b/LayoutTests/fast/js/script-tests/cross-global-object-inline-global-var.js
@@ -18,7 +18,7 @@ function done(value) {
     if (value == expected)
         testPassed("done() called with " + expected);
     else
-        testFailed("done() is " + value + " and should be " + expected + ".");
+        testFailed("done() called with " + value + ", but expected " + expected);
     layoutTestController.notifyDone();
 }
 
diff --git a/LayoutTests/fast/js/script-tests/dfg-cross-global-object-inline-new-array-literal-with-variables.js b/LayoutTests/fast/js/script-tests/dfg-cross-global-object-inline-new-array-literal-with-variables.js
new file mode 100644
index 0000000..09f135a
--- /dev/null
+++ b/LayoutTests/fast/js/script-tests/dfg-cross-global-object-inline-new-array-literal-with-variables.js
@@ -0,0 +1,47 @@
+description(
+"This tests that function inlining in the DFG JIT doesn't get confused about the global object to use for array allocation."
+);
+
+if (window.layoutTestController)
+    layoutTestController.waitUntilDone();
+
+function foo(x) {
+    return [x, x + 1, x * 2];
+}
+
+Array.prototype.thingy = 24;
+
+function done(value) {
+    var expected = (24 + 3) * 200 + 19900 + 20100 + 39800;
+    if (value == expected)
+        testPassed("done() called with " + expected);
+    else
+        testFailed("done() called with " + value + ", but expected " + expected);
+    layoutTestController.notifyDone();
+}
+
+function doit() {
+    document.getElementById("frameparent").innerHTML = "";
+    document.getElementById("frameparent").innerHTML = "<iframe id='testframe'>";
+    var testFrame = document.getElementById("testframe");
+    testFrame.contentDocument.open();
+    
+    code  = "<!DOCTYPE html>\n<head></head><body><script type=\"text/javascript\">\n";
+    code += "Array.prototype.thingy = 42;\n";
+    code += "function bar(x) {\n";
+    code += "    return window.parent.foo(x);\n";
+    code += "}\n";
+    code += "var result = 0;\n";
+    code += "for (var i = 0; i < 200; ++i) {\n";
+    code += "    var theArray = bar(i);\n";
+    code += "    result += theArray.thingy + theArray.length + theArray[0] + theArray[1] + theArray[2];\n";
+    code += "}\n";
+    code += "window.parent.done(result);\n";
+    code += "</script></body></html>";
+    
+    testFrame.contentDocument.write(code);
+    testFrame.contentDocument.close();
+}
+
+window.setTimeout(doit, 10);
+
diff --git a/LayoutTests/fast/js/script-tests/dfg-cross-global-object-inline-new-array-literal.js b/LayoutTests/fast/js/script-tests/dfg-cross-global-object-inline-new-array-literal.js
new file mode 100644
index 0000000..bd888c6
--- /dev/null
+++ b/LayoutTests/fast/js/script-tests/dfg-cross-global-object-inline-new-array-literal.js
@@ -0,0 +1,47 @@
+description(
+"This tests that function inlining in the DFG JIT doesn't get confused about the global object to use for array allocation."
+);
+
+if (window.layoutTestController)
+    layoutTestController.waitUntilDone();
+
+function foo() {
+    return [1, 2, 3];
+}
+
+Array.prototype.thingy = 24;
+
+function done(value) {
+    var expected = (24 + 3 + 1 + 2 + 3) * 200;
+    if (value == expected)
+        testPassed("done() called with " + expected);
+    else
+        testFailed("done() called with " + value + ", but expected " + expected);
+    layoutTestController.notifyDone();
+}
+
+function doit() {
+    document.getElementById("frameparent").innerHTML = "";
+    document.getElementById("frameparent").innerHTML = "<iframe id='testframe'>";
+    var testFrame = document.getElementById("testframe");
+    testFrame.contentDocument.open();
+    
+    code  = "<!DOCTYPE html>\n<head></head><body><script type=\"text/javascript\">\n";
+    code += "Array.prototype.thingy = 42;\n";
+    code += "function bar() {\n";
+    code += "    return window.parent.foo();\n";
+    code += "}\n";
+    code += "var result = 0;\n";
+    code += "for (var i = 0; i < 200; ++i) {\n";
+    code += "    var theArray = bar();\n";
+    code += "    result += theArray.thingy + theArray.length + theArray[0] + theArray[1] + theArray[2];\n";
+    code += "}\n";
+    code += "window.parent.done(result);\n";
+    code += "</script></body></html>";
+    
+    testFrame.contentDocument.write(code);
+    testFrame.contentDocument.close();
+}
+
+window.setTimeout(doit, 10);
+
diff --git a/LayoutTests/fast/js/script-tests/dfg-cross-global-object-inline-new-array-with-elements.js b/LayoutTests/fast/js/script-tests/dfg-cross-global-object-inline-new-array-with-elements.js
new file mode 100644
index 0000000..74bf420
--- /dev/null
+++ b/LayoutTests/fast/js/script-tests/dfg-cross-global-object-inline-new-array-with-elements.js
@@ -0,0 +1,47 @@
+description(
+"This tests that function inlining in the DFG JIT doesn't get confused about the global object to use for array allocation."
+);
+
+if (window.layoutTestController)
+    layoutTestController.waitUntilDone();
+
+function foo() {
+    return new Array(1, 2, 3);
+}
+
+Array.prototype.thingy = 24;
+
+function done(value) {
+    var expected = (24 + 3 + 1 + 2 + 3) * 200;
+    if (value == expected)
+        testPassed("done() called with " + expected);
+    else
+        testFailed("done() called with " + value + ", but expected " + expected);
+    layoutTestController.notifyDone();
+}
+
+function doit() {
+    document.getElementById("frameparent").innerHTML = "";
+    document.getElementById("frameparent").innerHTML = "<iframe id='testframe'>";
+    var testFrame = document.getElementById("testframe");
+    testFrame.contentDocument.open();
+    
+    code  = "<!DOCTYPE html>\n<head></head><body><script type=\"text/javascript\">\n";
+    code += "Array.prototype.thingy = 42;\n";
+    code += "function bar() {\n";
+    code += "    return window.parent.foo();\n";
+    code += "}\n";
+    code += "var result = 0;\n";
+    code += "for (var i = 0; i < 200; ++i) {\n";
+    code += "    var theArray = bar();\n";
+    code += "    result += theArray.thingy + theArray.length + theArray[0] + theArray[1] + theArray[2];\n";
+    code += "}\n";
+    code += "window.parent.done(result);\n";
+    code += "</script></body></html>";
+    
+    testFrame.contentDocument.write(code);
+    testFrame.contentDocument.close();
+}
+
+window.setTimeout(doit, 10);
+
diff --git a/LayoutTests/fast/js/script-tests/dfg-cross-global-object-inline-new-array-with-size.js b/LayoutTests/fast/js/script-tests/dfg-cross-global-object-inline-new-array-with-size.js
new file mode 100644
index 0000000..c3d96c7
--- /dev/null
+++ b/LayoutTests/fast/js/script-tests/dfg-cross-global-object-inline-new-array-with-size.js
@@ -0,0 +1,47 @@
+description(
+"This tests that function inlining in the DFG JIT doesn't get confused about the global object to use for array allocation."
+);
+
+if (window.layoutTestController)
+    layoutTestController.waitUntilDone();
+
+function foo() {
+    return new Array(1000);
+}
+
+Array.prototype.thingy = 24;
+
+function done(value) {
+    var expected = (24 + 1000) * 200;
+    if (value == expected)
+        testPassed("done() called with " + expected);
+    else
+        testFailed("done() called with " + value + ", but expected " + expected);
+    layoutTestController.notifyDone();
+}
+
+function doit() {
+    document.getElementById("frameparent").innerHTML = "";
+    document.getElementById("frameparent").innerHTML = "<iframe id='testframe'>";
+    var testFrame = document.getElementById("testframe");
+    testFrame.contentDocument.open();
+    
+    code  = "<!DOCTYPE html>\n<head></head><body><script type=\"text/javascript\">\n";
+    code += "Array.prototype.thingy = 42;\n";
+    code += "function bar() {\n";
+    code += "    return window.parent.foo();\n";
+    code += "}\n";
+    code += "var result = 0;\n";
+    code += "for (var i = 0; i < 200; ++i) {\n";
+    code += "    var theArray = bar();\n";
+    code += "    result += theArray.thingy + theArray.length;\n";
+    code += "}\n";
+    code += "window.parent.done(result);\n";
+    code += "</script></body></html>";
+    
+    testFrame.contentDocument.write(code);
+    testFrame.contentDocument.close();
+}
+
+window.setTimeout(doit, 10);
+
diff --git a/LayoutTests/fast/js/script-tests/dfg-cross-global-object-inline-new-array.js b/LayoutTests/fast/js/script-tests/dfg-cross-global-object-inline-new-array.js
new file mode 100644
index 0000000..6d4bee8
--- /dev/null
+++ b/LayoutTests/fast/js/script-tests/dfg-cross-global-object-inline-new-array.js
@@ -0,0 +1,45 @@
+description(
+"This tests that function inlining in the DFG JIT doesn't get confused about the global object to use for array allocation."
+);
+
+if (window.layoutTestController)
+    layoutTestController.waitUntilDone();
+
+function foo() {
+    return new Array();
+}
+
+Array.prototype.thingy = 24;
+
+function done(value) {
+    var expected = 24 * 200;
+    if (value == expected)
+        testPassed("done() called with " + expected);
+    else
+        testFailed("done() called with " + value + ", but expected " + expected);
+    layoutTestController.notifyDone();
+}
+
+function doit() {
+    document.getElementById("frameparent").innerHTML = "";
+    document.getElementById("frameparent").innerHTML = "<iframe id='testframe'>";
+    var testFrame = document.getElementById("testframe");
+    testFrame.contentDocument.open();
+    
+    code  = "<!DOCTYPE html>\n<head></head><body><script type=\"text/javascript\">\n";
+    code += "Array.prototype.thingy = 42;\n";
+    code += "function bar() {\n";
+    code += "    return window.parent.foo();\n";
+    code += "}\n";
+    code += "var result = 0;\n";
+    code += "for (var i = 0; i < 200; ++i)\n";
+    code += "    result += bar().thingy;\n";
+    code += "window.parent.done(result);\n";
+    code += "</script></body></html>";
+    
+    testFrame.contentDocument.write(code);
+    testFrame.contentDocument.close();
+}
+
+window.setTimeout(doit, 10);
+
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 72aa427..4225402 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,41 @@
+2012-06-25  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG::operationNewArray is unnecessarily slow, and may use the wrong array
+        prototype when inlined
+        https://bugs.webkit.org/show_bug.cgi?id=89821
+
+        Reviewed by Geoffrey Garen.
+        
+        Fixes all array allocations to use the right structure, and hence the right prototype. Adds
+        inlining of new Array(...) with a non-zero number of arguments. Optimizes allocations of
+        empty arrays.
+
+        * dfg/DFGAbstractState.cpp:
+        (JSC::DFG::AbstractState::execute):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+        * dfg/DFGCCallHelpers.h:
+        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
+        (CCallHelpers):
+        * dfg/DFGNodeType.h:
+        (DFG):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callOperation):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * runtime/JSArray.h:
+        (JSC):
+        (JSC::constructArray):
+        * runtime/JSGlobalObject.h:
+        (JSC):
+        (JSC::constructArray):
+
 2012-06-26  Filip Pizlo  <fpizlo@apple.com>
 
         New fast/js/dfg-store-unexpected-value-into-argument-and-osr-exit.html fails on 32 bit
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractState.cpp b/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
index b4205ef..c2d49f7 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
+++ b/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
@@ -1141,13 +1141,19 @@ bool AbstractState::execute(unsigned indexInBlock)
     case NewArray:
     case NewArrayBuffer:
         node.setCanExit(false);
-        forNode(nodeIndex).set(m_codeBlock->globalObject()->arrayStructure());
+        forNode(nodeIndex).set(m_graph.globalObjectFor(node.codeOrigin)->arrayStructure());
+        m_haveStructures = true;
+        break;
+        
+    case NewArrayWithSize:
+        speculateInt32Unary(node);
+        forNode(nodeIndex).set(m_graph.globalObjectFor(node.codeOrigin)->arrayStructure());
         m_haveStructures = true;
         break;
             
     case NewRegexp:
         node.setCanExit(false);
-        forNode(nodeIndex).set(m_codeBlock->globalObject()->regExpStructure());
+        forNode(nodeIndex).set(m_graph.globalObjectFor(node.codeOrigin)->regExpStructure());
         m_haveStructures = true;
         break;
             
diff --git a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
index 7561197..cdb0b63 100644
--- a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
+++ b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
@@ -1606,15 +1606,19 @@ bool ByteCodeParser::handleConstantInternalFunction(
     // we know about is small enough, that having just a linear cascade of if statements
     // is good enough.
     
-    UNUSED_PARAM(registerOffset); // Remove this once we do more things to the arguments.
     UNUSED_PARAM(prediction); // Remove this once we do more things.
     UNUSED_PARAM(kind); // Remove this once we do more things.
     
     if (function->classInfo() == &ArrayConstructor::s_info) {
-        // We could handle this but don't for now.
-        if (argumentCountIncludingThis != 1)
-            return false;
+        if (argumentCountIncludingThis == 2) {
+            setIntrinsicResult(
+                usesResult, resultOperand,
+                addToGraph(NewArrayWithSize, get(registerOffset + argumentToOperand(1))));
+            return true;
+        }
         
+        for (int i = 1; i < argumentCountIncludingThis; ++i)
+            addVarArgChild(get(registerOffset + argumentToOperand(i)));
         setIntrinsicResult(
             usesResult, resultOperand,
             addToGraph(Node::VarArg, NewArray, OpInfo(0), OpInfo(0)));
diff --git a/Source/JavaScriptCore/dfg/DFGCCallHelpers.h b/Source/JavaScriptCore/dfg/DFGCCallHelpers.h
index 4cacd45..b602908 100644
--- a/Source/JavaScriptCore/dfg/DFGCCallHelpers.h
+++ b/Source/JavaScriptCore/dfg/DFGCCallHelpers.h
@@ -160,6 +160,14 @@ public:
         addCallArgument(arg2);
     }
 
+    ALWAYS_INLINE void setupArgumentsWithExecState(TrustedImmPtr arg1, GPRReg arg2)
+    {
+        resetCallArguments();
+        addCallArgument(GPRInfo::callFrameRegister);
+        addCallArgument(arg1);
+        addCallArgument(arg2);
+    }
+
     ALWAYS_INLINE void setupArgumentsWithExecState(TrustedImm32 arg1, TrustedImm32 arg2)
     {
         resetCallArguments();
@@ -203,6 +211,15 @@ public:
         addCallArgument(arg3);
     }
 
+    ALWAYS_INLINE void setupArgumentsWithExecState(TrustedImmPtr arg1, TrustedImmPtr arg2, TrustedImmPtr arg3)
+    {
+        resetCallArguments();
+        addCallArgument(GPRInfo::callFrameRegister);
+        addCallArgument(arg1);
+        addCallArgument(arg2);
+        addCallArgument(arg3);
+    }
+
     ALWAYS_INLINE void setupArgumentsWithExecState(GPRReg arg1, TrustedImmPtr arg2, TrustedImmPtr arg3)
     {
         resetCallArguments();
@@ -597,6 +614,14 @@ public:
         move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
     }
 
+    ALWAYS_INLINE void setupArgumentsWithExecState(TrustedImmPtr arg1, TrustedImmPtr arg2, TrustedImmPtr arg3)
+    {
+        move(arg1, GPRInfo::argumentGPR1);
+        move(arg2, GPRInfo::argumentGPR2);
+        move(arg3, GPRInfo::argumentGPR3);
+        move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
+    }
+
     ALWAYS_INLINE void setupArgumentsWithExecState(TrustedImm32 arg1, TrustedImm32 arg2, TrustedImm32 arg3)
     {
         move(arg1, GPRInfo::argumentGPR1);
diff --git a/Source/JavaScriptCore/dfg/DFGNodeType.h b/Source/JavaScriptCore/dfg/DFGNodeType.h
index 4671f6b..db798d0 100644
--- a/Source/JavaScriptCore/dfg/DFGNodeType.h
+++ b/Source/JavaScriptCore/dfg/DFGNodeType.h
@@ -184,6 +184,7 @@ namespace JSC { namespace DFG {
     /* Allocations. */\
     macro(NewObject, NodeResultJS) \
     macro(NewArray, NodeResultJS | NodeHasVarArgs) \
+    macro(NewArrayWithSize, NodeResultJS) \
     macro(NewArrayBuffer, NodeResultJS) \
     macro(NewRegexp, NodeResultJS) \
     \
diff --git a/Source/JavaScriptCore/dfg/DFGOperations.cpp b/Source/JavaScriptCore/dfg/DFGOperations.cpp
index 3ece917..11362f4 100644
--- a/Source/JavaScriptCore/dfg/DFGOperations.cpp
+++ b/Source/JavaScriptCore/dfg/DFGOperations.cpp
@@ -1005,12 +1005,22 @@ EncodedJSValue DFG_OPERATION operationStrCat(ExecState* exec, void* buffer, size
     return JSValue::encode(jsString(exec, static_cast<Register*>(buffer), size));
 }
 
-EncodedJSValue DFG_OPERATION operationNewArray(ExecState* exec, void* buffer, size_t size)
+EncodedJSValue DFG_OPERATION operationNewArray(ExecState* exec, Structure* arrayStructure, void* buffer, size_t size)
 {
     JSGlobalData* globalData = &exec->globalData();
     NativeCallFrameTracer tracer(globalData, exec);
 
-    return JSValue::encode(constructArray(exec, static_cast<JSValue*>(buffer), size));
+    return JSValue::encode(constructArray(exec, arrayStructure, static_cast<JSValue*>(buffer), size));
+}
+
+EncodedJSValue DFG_OPERATION operationNewEmptyArray(ExecState* exec, Structure* arrayStructure)
+{
+    return JSValue::encode(JSArray::create(exec->globalData(), arrayStructure));
+}
+
+EncodedJSValue DFG_OPERATION operationNewArrayWithSize(ExecState* exec, Structure* arrayStructure, int32_t size)
+{
+    return JSValue::encode(JSArray::create(exec->globalData(), arrayStructure, size));
 }
 
 EncodedJSValue DFG_OPERATION operationNewArrayBuffer(ExecState* exec, size_t start, size_t size)
diff --git a/Source/JavaScriptCore/dfg/DFGOperations.h b/Source/JavaScriptCore/dfg/DFGOperations.h
index 7477ab2..3c85ee7 100644
--- a/Source/JavaScriptCore/dfg/DFGOperations.h
+++ b/Source/JavaScriptCore/dfg/DFGOperations.h
@@ -76,6 +76,9 @@ typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_EP)(ExecState*, void*);
 typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_EPP)(ExecState*, void*, void*);
 typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_EPS)(ExecState*, void*, size_t);
 typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_ESS)(ExecState*, size_t, size_t);
+typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_ESt)(ExecState*, Structure*);
+typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_EStI)(ExecState*, Structure*, int32_t);
+typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_EStPS)(ExecState*, Structure*, void*, size_t);
 typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_EZ)(ExecState*, int32_t);
 typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_EZIcfZ)(ExecState*, int32_t, InlineCallFrame*, int32_t);
 typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_EZZ)(ExecState*, int32_t, int32_t);
@@ -124,8 +127,10 @@ EncodedJSValue DFG_OPERATION operationResolveBaseStrictPut(ExecState*, Identifie
 EncodedJSValue DFG_OPERATION operationResolveGlobal(ExecState*, GlobalResolveInfo*, JSGlobalObject*, Identifier*) WTF_INTERNAL;
 EncodedJSValue DFG_OPERATION operationToPrimitive(ExecState*, EncodedJSValue) WTF_INTERNAL;
 EncodedJSValue DFG_OPERATION operationStrCat(ExecState*, void*, size_t) WTF_INTERNAL;
-EncodedJSValue DFG_OPERATION operationNewArray(ExecState*, void*, size_t) WTF_INTERNAL;
+EncodedJSValue DFG_OPERATION operationNewArray(ExecState*, Structure*, void*, size_t) WTF_INTERNAL;
 EncodedJSValue DFG_OPERATION operationNewArrayBuffer(ExecState*, size_t, size_t) WTF_INTERNAL;
+EncodedJSValue DFG_OPERATION operationNewEmptyArray(ExecState*, Structure*) WTF_INTERNAL;
+EncodedJSValue DFG_OPERATION operationNewArrayWithSize(ExecState*, Structure*, int32_t) WTF_INTERNAL;
 EncodedJSValue DFG_OPERATION operationNewRegexp(ExecState*, void*) WTF_INTERNAL;
 void DFG_OPERATION operationPutByValStrict(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedProperty, EncodedJSValue encodedValue) WTF_INTERNAL;
 void DFG_OPERATION operationPutByValNonStrict(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedProperty, EncodedJSValue encodedValue) WTF_INTERNAL;
diff --git a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
index bcb79a9..0bd81ec 100644
--- a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
@@ -535,6 +535,12 @@ private:
             break;
         }
             
+        case NewArrayWithSize: {
+            changed |= setPrediction(SpecArray);
+            changed |= m_graph[node.child1()].mergeFlags(NodeUsedAsNumber | NodeUsedAsInt);
+            break;
+        }
+            
         case NewArrayBuffer: {
             changed |= setPrediction(SpecArray);
             break;
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
index 6c6948b..67a22b7 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
@@ -1244,6 +1244,21 @@ public:
         m_jit.setupArgumentsWithExecState(arg1);
         return appendCallWithExceptionCheckSetResult(operation, result);
     }
+    JITCompiler::Call callOperation(J_DFGOperation_ESt operation, GPRReg result, Structure* structure)
+    {
+        m_jit.setupArgumentsWithExecState(TrustedImmPtr(structure));
+        return appendCallWithExceptionCheckSetResult(operation, result);
+    }
+    JITCompiler::Call callOperation(J_DFGOperation_EStI operation, GPRReg result, Structure* structure, GPRReg arg2)
+    {
+        m_jit.setupArgumentsWithExecState(TrustedImmPtr(structure), arg2);
+        return appendCallWithExceptionCheckSetResult(operation, result);
+    }
+    JITCompiler::Call callOperation(J_DFGOperation_EStPS operation, GPRReg result, Structure* structure, void* pointer, size_t size)
+    {
+        m_jit.setupArgumentsWithExecState(TrustedImmPtr(structure), TrustedImmPtr(pointer), TrustedImmPtr(size));
+        return appendCallWithExceptionCheckSetResult(operation, result);
+    }
     JITCompiler::Call callOperation(J_DFGOperation_EPS operation, GPRReg result, void* pointer, size_t size)
     {
         m_jit.setupArgumentsWithExecState(TrustedImmPtr(pointer), TrustedImmPtr(size));
@@ -1502,6 +1517,21 @@ public:
         m_jit.setupArgumentsWithExecState(arg1);
         return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
     }
+    JITCompiler::Call callOperation(J_DFGOperation_ESt operation, GPRReg resultTag, GPRReg resultPayload, Structure* structure)
+    {
+        m_jit.setupArgumentsWithExecState(TrustedImmPtr(structure));
+        return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
+    }
+    JITCompiler::Call callOperation(J_DFGOperation_EStI operation, GPRReg resultTag, GPRReg resultPayload, Structure* structure, GPRReg arg2)
+    {
+        m_jit.setupArgumentsWithExecState(TrustedImmPtr(structure), arg2);
+        return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
+    }
+    JITCompiler::Call callOperation(J_DFGOperation_EStPS operation, GPRReg resultTag, GPRReg resultPayload, Structure* structure, void* pointer, size_t size)
+    {
+        m_jit.setupArgumentsWithExecState(TrustedImmPtr(structure), TrustedImmPtr(pointer), TrustedImmPtr(size));
+        return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
+    }
     JITCompiler::Call callOperation(J_DFGOperation_EPS operation, GPRReg resultTag, GPRReg resultPayload, void* pointer, size_t size)
     {
         m_jit.setupArgumentsWithExecState(TrustedImmPtr(pointer), TrustedImmPtr(size));
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
index e007a6e..05609ba 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
@@ -2975,25 +2975,60 @@ void SpeculativeJIT::compile(Node& node)
         break;
     }
         
-    case StrCat:
-    case NewArray: {
-        // We really don't want to grow the register file just to do a StrCat or NewArray.
-        // Say we have 50 functions on the stack that all have a StrCat in them that has
-        // upwards of 10 operands. In the DFG this would mean that each one gets
-        // some random virtual register, and then to do the StrCat we'd need a second
-        // span of 10 operands just to have somewhere to copy the 10 operands to, where
-        // they'd be contiguous and we could easily tell the C code how to find them.
-        // Ugly! So instead we use the scratchBuffer infrastructure in JSGlobalData. That
-        // way, those 50 functions will share the same scratchBuffer for offloading their
-        // StrCat operands. It's about as good as we can do, unless we start doing
-        // virtual register coalescing to ensure that operands to StrCat get spilled
-        // in exactly the place where StrCat wants them, or else have the StrCat
-        // refer to those operands' SetLocal instructions to force them to spill in
-        // the right place. Basically, any way you cut it, the current approach
-        // probably has the best balance of performance and sensibility in the sense
-        // that it does not increase the complexity of the DFG JIT just to make StrCat
-        // fast and pretty.
+    case StrCat: {
+        size_t scratchSize = sizeof(EncodedJSValue) * node.numChildren();
+        ScratchBuffer* scratchBuffer = m_jit.globalData()->scratchBufferForSize(scratchSize);
+        EncodedJSValue* buffer = scratchBuffer ? static_cast<EncodedJSValue*>(scratchBuffer->dataBuffer()) : 0;
+        
+        for (unsigned operandIdx = 0; operandIdx < node.numChildren(); ++operandIdx) {
+            JSValueOperand operand(this, m_jit.graph().m_varArgChildren[node.firstChild() + operandIdx]);
+            GPRReg opTagGPR = operand.tagGPR();
+            GPRReg opPayloadGPR = operand.payloadGPR();
+            operand.use();
+            
+            m_jit.store32(opTagGPR, reinterpret_cast<char*>(buffer + operandIdx) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag));
+            m_jit.store32(opPayloadGPR, reinterpret_cast<char*>(buffer + operandIdx) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload));
+        }
+        
+        flushRegisters();
 
+        if (scratchSize) {
+            GPRTemporary scratch(this);
+
+            // Tell GC mark phase how much of the scratch buffer is active during call.
+            m_jit.move(TrustedImmPtr(scratchBuffer->activeLengthPtr()), scratch.gpr());
+            m_jit.storePtr(TrustedImmPtr(scratchSize), scratch.gpr());
+        }
+
+        GPRResult resultPayload(this);
+        GPRResult2 resultTag(this);
+        
+        callOperation(operationStrCat, resultTag.gpr(), resultPayload.gpr(), static_cast<void *>(buffer), node.numChildren());
+
+        if (scratchSize) {
+            GPRTemporary scratch(this);
+
+            m_jit.move(TrustedImmPtr(scratchBuffer->activeLengthPtr()), scratch.gpr());
+            m_jit.storePtr(TrustedImmPtr(0), scratch.gpr());
+        }
+
+        // FIXME: make the callOperation above explicitly return a cell result, or jitAssert the tag is a cell tag.
+        cellResult(resultPayload.gpr(), m_compileIndex, UseChildrenCalledExplicitly);
+        break;
+    }
+
+    case NewArray: {
+        if (!node.numChildren()) {
+            flushRegisters();
+            GPRResult result(this);
+            GPRResult2 resultTagIgnored(this);
+            callOperation(
+                operationNewEmptyArray, resultTagIgnored.gpr(), result.gpr(),
+                m_jit.graph().globalObjectFor(node.codeOrigin)->arrayStructure());
+            cellResult(result.gpr(), m_compileIndex);
+            break;
+        }
+        
         size_t scratchSize = sizeof(EncodedJSValue) * node.numChildren();
         ScratchBuffer* scratchBuffer = m_jit.globalData()->scratchBufferForSize(scratchSize);
         EncodedJSValue* buffer = scratchBuffer ? static_cast<EncodedJSValue*>(scratchBuffer->dataBuffer()) : 0;
@@ -3021,7 +3056,10 @@ void SpeculativeJIT::compile(Node& node)
         GPRResult resultPayload(this);
         GPRResult2 resultTag(this);
         
-        callOperation(op == StrCat ? operationStrCat : operationNewArray, resultTag.gpr(), resultPayload.gpr(), static_cast<void *>(buffer), node.numChildren());
+        callOperation(
+            operationNewArray, resultTag.gpr(), resultPayload.gpr(),
+            m_jit.graph().globalObjectFor(node.codeOrigin)->arrayStructure(),
+            static_cast<void *>(buffer), node.numChildren());
 
         if (scratchSize) {
             GPRTemporary scratch(this);
@@ -3035,6 +3073,19 @@ void SpeculativeJIT::compile(Node& node)
         break;
     }
 
+    case NewArrayWithSize: {
+        SpeculateStrictInt32Operand size(this, node.child1());
+        GPRReg sizeGPR = size.gpr();
+        flushRegisters();
+        GPRResult result(this);
+        GPRResult2 resultTagIgnored(this);
+        callOperation(
+            operationNewArrayWithSize, resultTagIgnored.gpr(), result.gpr(),
+            m_jit.graph().globalObjectFor(node.codeOrigin)->arrayStructure(), sizeGPR);
+        cellResult(result.gpr(), m_compileIndex);
+        break;
+    }
+        
     case NewArrayBuffer: {
         flushRegisters();
         GPRResult resultPayload(this);
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
index a6c2835..215f801 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
@@ -3035,25 +3035,68 @@ void SpeculativeJIT::compile(Node& node)
         break;
     }
         
-    case StrCat:
     case NewArray: {
-        // We really don't want to grow the register file just to do a StrCat or NewArray.
-        // Say we have 50 functions on the stack that all have a StrCat in them that has
-        // upwards of 10 operands. In the DFG this would mean that each one gets
-        // some random virtual register, and then to do the StrCat we'd need a second
-        // span of 10 operands just to have somewhere to copy the 10 operands to, where
-        // they'd be contiguous and we could easily tell the C code how to find them.
-        // Ugly! So instead we use the scratchBuffer infrastructure in JSGlobalData. That
-        // way, those 50 functions will share the same scratchBuffer for offloading their
-        // StrCat operands. It's about as good as we can do, unless we start doing
-        // virtual register coalescing to ensure that operands to StrCat get spilled
-        // in exactly the place where StrCat wants them, or else have the StrCat
-        // refer to those operands' SetLocal instructions to force them to spill in
-        // the right place. Basically, any way you cut it, the current approach
-        // probably has the best balance of performance and sensibility in the sense
-        // that it does not increase the complexity of the DFG JIT just to make StrCat
-        // fast and pretty.
+        if (!node.numChildren()) {
+            flushRegisters();
+            GPRResult result(this);
+            callOperation(
+                operationNewEmptyArray, result.gpr(),
+                m_jit.graph().globalObjectFor(node.codeOrigin)->arrayStructure());
+            cellResult(result.gpr(), m_compileIndex);
+            break;
+        }
+        
+        size_t scratchSize = sizeof(EncodedJSValue) * node.numChildren();
+        ScratchBuffer* scratchBuffer = m_jit.globalData()->scratchBufferForSize(scratchSize);
+        EncodedJSValue* buffer = scratchBuffer ? static_cast<EncodedJSValue*>(scratchBuffer->dataBuffer()) : 0;
+        
+        for (unsigned operandIdx = 0; operandIdx < node.numChildren(); ++operandIdx) {
+            JSValueOperand operand(this, m_jit.graph().m_varArgChildren[node.firstChild() + operandIdx]);
+            GPRReg opGPR = operand.gpr();
+            operand.use();
+            
+            m_jit.storePtr(opGPR, buffer + operandIdx);
+        }
+        
+        flushRegisters();
+
+        if (scratchSize) {
+            GPRTemporary scratch(this);
 
+            // Tell GC mark phase how much of the scratch buffer is active during call.
+            m_jit.move(TrustedImmPtr(scratchBuffer->activeLengthPtr()), scratch.gpr());
+            m_jit.storePtr(TrustedImmPtr(scratchSize), scratch.gpr());
+        }
+
+        GPRResult result(this);
+        
+        callOperation(
+            operationNewArray, result.gpr(),
+            m_jit.graph().globalObjectFor(node.codeOrigin)->arrayStructure(),
+            static_cast<void*>(buffer), node.numChildren());
+
+        if (scratchSize) {
+            GPRTemporary scratch(this);
+
+            m_jit.move(TrustedImmPtr(scratchBuffer->activeLengthPtr()), scratch.gpr());
+            m_jit.storePtr(TrustedImmPtr(0), scratch.gpr());
+        }
+
+        cellResult(result.gpr(), m_compileIndex, UseChildrenCalledExplicitly);
+        break;
+    }
+        
+    case NewArrayWithSize: {
+        SpeculateStrictInt32Operand size(this, node.child1());
+        GPRReg sizeGPR = size.gpr();
+        flushRegisters();
+        GPRResult result(this);
+        callOperation(operationNewArrayWithSize, result.gpr(), m_jit.graph().globalObjectFor(node.codeOrigin)->arrayStructure(), sizeGPR);
+        cellResult(result.gpr(), m_compileIndex);
+        break;
+    }
+        
+    case StrCat: {
         size_t scratchSize = sizeof(EncodedJSValue) * node.numChildren();
         ScratchBuffer* scratchBuffer = m_jit.globalData()->scratchBufferForSize(scratchSize);
         EncodedJSValue* buffer = scratchBuffer ? static_cast<EncodedJSValue*>(scratchBuffer->dataBuffer()) : 0;
@@ -3078,7 +3121,7 @@ void SpeculativeJIT::compile(Node& node)
 
         GPRResult result(this);
         
-        callOperation(op == StrCat ? operationStrCat : operationNewArray, result.gpr(), static_cast<void *>(buffer), node.numChildren());
+        callOperation(operationStrCat, result.gpr(), static_cast<void *>(buffer), node.numChildren());
 
         if (scratchSize) {
             GPRTemporary scratch(this);
diff --git a/Source/JavaScriptCore/runtime/JSArray.h b/Source/JavaScriptCore/runtime/JSArray.h
index c1a3a63..52c5913 100644
--- a/Source/JavaScriptCore/runtime/JSArray.h
+++ b/Source/JavaScriptCore/runtime/JSArray.h
@@ -380,7 +380,42 @@ namespace JSC {
     
         return size;
     }
+
+    inline JSArray* constructArray(ExecState* exec, Structure* arrayStructure, const ArgList& values)
+    {
+        JSGlobalData& globalData = exec->globalData();
+        unsigned length = values.size();
+        JSArray* array = JSArray::tryCreateUninitialized(globalData, arrayStructure, length);
+
+        // FIXME: we should probably throw an out of memory error here, but
+        // when making this change we should check that all clients of this
+        // function will correctly handle an exception being thrown from here.
+        if (!array)
+            CRASH();
+
+        for (unsigned i = 0; i < length; ++i)
+            array->initializeIndex(globalData, i, values.at(i));
+        array->completeInitialization(length);
+        return array;
+    }
     
-    } // namespace JSC
+    inline JSArray* constructArray(ExecState* exec, Structure* arrayStructure, const JSValue* values, unsigned length)
+    {
+        JSGlobalData& globalData = exec->globalData();
+        JSArray* array = JSArray::tryCreateUninitialized(globalData, arrayStructure, length);
+
+        // FIXME: we should probably throw an out of memory error here, but
+        // when making this change we should check that all clients of this
+        // function will correctly handle an exception being thrown from here.
+        if (!array)
+            CRASH();
+
+        for (unsigned i = 0; i < length; ++i)
+            array->initializeIndex(globalData, i, values[i]);
+        array->completeInitialization(length);
+        return array;
+    }
+
+} // namespace JSC
 
 #endif // JSArray_h
diff --git a/Source/JavaScriptCore/runtime/JSGlobalObject.h b/Source/JavaScriptCore/runtime/JSGlobalObject.h
index 8fec633..1dcfc63 100644
--- a/Source/JavaScriptCore/runtime/JSGlobalObject.h
+++ b/Source/JavaScriptCore/runtime/JSGlobalObject.h
@@ -445,23 +445,10 @@ namespace JSC {
     {
         return constructEmptyArray(exec, exec->lexicalGlobalObject(), initialLength);
     }
-
+ 
     inline JSArray* constructArray(ExecState* exec, JSGlobalObject* globalObject, const ArgList& values)
     {
-        JSGlobalData& globalData = exec->globalData();
-        unsigned length = values.size();
-        JSArray* array = JSArray::tryCreateUninitialized(globalData, globalObject->arrayStructure(), length);
-
-        // FIXME: we should probably throw an out of memory error here, but
-        // when making this change we should check that all clients of this
-        // function will correctly handle an exception being thrown from here.
-        if (!array)
-            CRASH();
-
-        for (unsigned i = 0; i < length; ++i)
-            array->initializeIndex(globalData, i, values.at(i));
-        array->completeInitialization(length);
-        return array;
+        return constructArray(exec, globalObject->arrayStructure(), values);
     }
 
     inline JSArray* constructArray(ExecState* exec, const ArgList& values)
@@ -471,19 +458,7 @@ namespace JSC {
 
     inline JSArray* constructArray(ExecState* exec, JSGlobalObject* globalObject, const JSValue* values, unsigned length)
     {
-        JSGlobalData& globalData = exec->globalData();
-        JSArray* array = JSArray::tryCreateUninitialized(globalData, globalObject->arrayStructure(), length);
-
-        // FIXME: we should probably throw an out of memory error here, but
-        // when making this change we should check that all clients of this
-        // function will correctly handle an exception being thrown from here.
-        if (!array)
-            CRASH();
-
-        for (unsigned i = 0; i < length; ++i)
-            array->initializeIndex(globalData, i, values[i]);
-        array->completeInitialization(length);
-        return array;
+        return constructArray(exec, globalObject->arrayStructure(), values, length);
     }
 
     inline JSArray* constructArray(ExecState* exec, const JSValue* values, unsigned length)
-- 
2.7.4