Async iteration should only fetch the next method once and add feature flag
[WebKit-https.git] / Source / JavaScriptCore / bytecompiler / BytecodeGenerator.cpp
1 /*
2  * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
3  * Copyright (C) 2008 Cameron Zwarich <cwzwarich@uwaterloo.ca>
4  * Copyright (C) 2012 Igalia, S.L.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1.  Redistributions of source code must retain the above copyright
11  *     notice, this list of conditions and the following disclaimer.
12  * 2.  Redistributions in binary form must reproduce the above copyright
13  *     notice, this list of conditions and the following disclaimer in the
14  *     documentation and/or other materials provided with the distribution.
15  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
16  *     its contributors may be used to endorse or promote products derived
17  *     from this software without specific prior written permission.
18  *
19  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
20  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
21  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22  * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
23  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
24  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
26  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
28  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29  */
30
31 #include "config.h"
32 #include "BytecodeGenerator.h"
33
34 #include "ArithProfile.h"
35 #include "BuiltinExecutables.h"
36 #include "BuiltinNames.h"
37 #include "BytecodeGeneratorification.h"
38 #include "BytecodeLivenessAnalysis.h"
39 #include "DefinePropertyAttributes.h"
40 #include "Interpreter.h"
41 #include "JSAsyncGeneratorFunction.h"
42 #include "JSCInlines.h"
43 #include "JSFunction.h"
44 #include "JSGeneratorFunction.h"
45 #include "JSLexicalEnvironment.h"
46 #include "JSTemplateRegistryKey.h"
47 #include "LowLevelInterpreter.h"
48 #include "Options.h"
49 #include "StackAlignment.h"
50 #include "StrongInlines.h"
51 #include "SuperSamplerBytecodeScope.h"
52 #include "UnlinkedCodeBlock.h"
53 #include "UnlinkedEvalCodeBlock.h"
54 #include "UnlinkedFunctionCodeBlock.h"
55 #include "UnlinkedInstructionStream.h"
56 #include "UnlinkedModuleProgramCodeBlock.h"
57 #include "UnlinkedProgramCodeBlock.h"
58 #include <wtf/BitVector.h>
59 #include <wtf/CommaPrinter.h>
60 #include <wtf/SmallPtrSet.h>
61 #include <wtf/StdLibExtras.h>
62 #include <wtf/text/WTFString.h>
63
64 using namespace std;
65
66 namespace JSC {
67
68 template<typename T>
69 static inline void shrinkToFit(T& segmentedVector)
70 {
71     while (segmentedVector.size() && !segmentedVector.last().refCount())
72         segmentedVector.removeLast();
73 }
74
75 void Label::setLocation(BytecodeGenerator& generator, unsigned location)
76 {
77     m_location = location;
78     
79     unsigned size = m_unresolvedJumps.size();
80     for (unsigned i = 0; i < size; ++i)
81         generator.instructions()[m_unresolvedJumps[i].second].u.operand = m_location - m_unresolvedJumps[i].first;
82 }
83
84 void Variable::dump(PrintStream& out) const
85 {
86     out.print(
87         "{ident = ", m_ident,
88         ", offset = ", m_offset,
89         ", local = ", RawPointer(m_local),
90         ", attributes = ", m_attributes,
91         ", kind = ", m_kind,
92         ", symbolTableConstantIndex = ", m_symbolTableConstantIndex,
93         ", isLexicallyScoped = ", m_isLexicallyScoped, "}");
94 }
95
96 ParserError BytecodeGenerator::generate()
97 {
98     m_codeBlock->setThisRegister(m_thisRegister.virtualRegister());
99
100     emitLogShadowChickenPrologueIfNecessary();
101     
102     // If we have declared a variable named "arguments" and we are using arguments then we should
103     // perform that assignment now.
104     if (m_needToInitializeArguments)
105         initializeVariable(variable(propertyNames().arguments), m_argumentsRegister);
106
107     if (m_restParameter)
108         m_restParameter->emit(*this);
109
110     {
111         RefPtr<RegisterID> temp = newTemporary();
112         RefPtr<RegisterID> tolLevelScope;
113         for (auto functionPair : m_functionsToInitialize) {
114             FunctionMetadataNode* metadata = functionPair.first;
115             FunctionVariableType functionType = functionPair.second;
116             emitNewFunction(temp.get(), metadata);
117             if (functionType == NormalFunctionVariable)
118                 initializeVariable(variable(metadata->ident()), temp.get());
119             else if (functionType == TopLevelFunctionVariable) {
120                 if (!tolLevelScope) {
121                     // We know this will resolve to the top level scope or global object because our parser/global initialization code 
122                     // doesn't allow let/const/class variables to have the same names as functions.
123                     // This is a top level function, and it's an error to ever create a top level function
124                     // name that would resolve to a lexical variable. E.g:
125                     // ```
126                     //     function f() {
127                     //         {
128                     //             let x;
129                     //             {
130                     //             //// error thrown here
131                     //                  eval("function x(){}");
132                     //             }
133                     //         }
134                     //     }
135                     // ```
136                     // Therefore, we're guaranteed to have this resolve to a top level variable.
137                     RefPtr<RegisterID> tolLevelObjectScope = emitResolveScope(nullptr, Variable(metadata->ident()));
138                     tolLevelScope = newBlockScopeVariable();
139                     emitMove(tolLevelScope.get(), tolLevelObjectScope.get());
140                 }
141                 emitPutToScope(tolLevelScope.get(), Variable(metadata->ident()), temp.get(), ThrowIfNotFound, InitializationMode::NotInitialization);
142             } else
143                 RELEASE_ASSERT_NOT_REACHED();
144         }
145     }
146     
147     bool callingClassConstructor = constructorKind() != ConstructorKind::None && !isConstructor();
148     if (!callingClassConstructor)
149         m_scopeNode->emitBytecode(*this);
150     else {
151         // At this point we would have emitted an unconditional throw followed by some nonsense that's
152         // just an artifact of how this generator is structured. That code never runs, but it confuses
153         // bytecode analyses because it constitutes an unterminated basic block. So, we terminate the
154         // basic block the strongest way possible.
155         emitUnreachable();
156     }
157
158     for (auto& tuple : m_catchesToEmit) {
159         Ref<Label> realCatchTarget = newEmittedLabel();
160         emitOpcode(op_catch);
161         instructions().append(std::get<1>(tuple));
162         instructions().append(std::get<2>(tuple));
163         instructions().append(0);
164
165         TryData* tryData = std::get<0>(tuple);
166         emitJump(tryData->target.get());
167         tryData->target = WTFMove(realCatchTarget);
168     }
169
170     m_staticPropertyAnalyzer.kill();
171
172     for (auto& range : m_tryRanges) {
173         int start = range.start->bind();
174         int end = range.end->bind();
175         
176         // This will happen for empty try blocks and for some cases of finally blocks:
177         //
178         // try {
179         //    try {
180         //    } finally {
181         //        return 42;
182         //        // *HERE*
183         //    }
184         // } finally {
185         //    print("things");
186         // }
187         //
188         // The return will pop scopes to execute the outer finally block. But this includes
189         // popping the try context for the inner try. The try context is live in the fall-through
190         // part of the finally block not because we will emit a handler that overlaps the finally,
191         // but because we haven't yet had a chance to plant the catch target. Then when we finish
192         // emitting code for the outer finally block, we repush the try contex, this time with a
193         // new start index. But that means that the start index for the try range corresponding
194         // to the inner-finally-following-the-return (marked as "*HERE*" above) will be greater
195         // than the end index of the try block. This is harmless since end < start handlers will
196         // never get matched in our logic, but we do the runtime a favor and choose to not emit
197         // such handlers at all.
198         if (end <= start)
199             continue;
200         
201         UnlinkedHandlerInfo info(static_cast<uint32_t>(start), static_cast<uint32_t>(end),
202             static_cast<uint32_t>(range.tryData->target->bind()), range.tryData->handlerType);
203         m_codeBlock->addExceptionHandler(info);
204     }
205     
206
207     if (isGeneratorOrAsyncFunctionBodyParseMode(m_codeBlock->parseMode()))
208         performGeneratorification(m_codeBlock.get(), m_instructions, m_generatorFrameSymbolTable.get(), m_generatorFrameSymbolTableIndex);
209
210     RELEASE_ASSERT(static_cast<unsigned>(m_codeBlock->numCalleeLocals()) < static_cast<unsigned>(FirstConstantRegisterIndex));
211     m_codeBlock->setInstructions(std::make_unique<UnlinkedInstructionStream>(m_instructions));
212
213     m_codeBlock->shrinkToFit();
214
215     if (m_expressionTooDeep)
216         return ParserError(ParserError::OutOfMemory);
217     return ParserError(ParserError::ErrorNone);
218 }
219
220 BytecodeGenerator::BytecodeGenerator(VM& vm, ProgramNode* programNode, UnlinkedProgramCodeBlock* codeBlock, DebuggerMode debuggerMode, const VariableEnvironment* parentScopeTDZVariables)
221     : m_shouldEmitDebugHooks(Options::forceDebuggerBytecodeGeneration() || debuggerMode == DebuggerOn)
222     , m_scopeNode(programNode)
223     , m_codeBlock(vm, codeBlock)
224     , m_thisRegister(CallFrame::thisArgumentOffset())
225     , m_codeType(GlobalCode)
226     , m_vm(&vm)
227     , m_needsToUpdateArrowFunctionContext(programNode->usesArrowFunction() || programNode->usesEval())
228 {
229     ASSERT_UNUSED(parentScopeTDZVariables, !parentScopeTDZVariables->size());
230
231     for (auto& constantRegister : m_linkTimeConstantRegisters)
232         constantRegister = nullptr;
233
234     allocateCalleeSaveSpace();
235
236     m_codeBlock->setNumParameters(1); // Allocate space for "this"
237
238     emitEnter();
239
240     allocateAndEmitScope();
241
242     emitCheckTraps();
243
244     const FunctionStack& functionStack = programNode->functionStack();
245
246     for (auto* function : functionStack)
247         m_functionsToInitialize.append(std::make_pair(function, TopLevelFunctionVariable));
248
249     if (Options::validateBytecode()) {
250         for (auto& entry : programNode->varDeclarations())
251             RELEASE_ASSERT(entry.value.isVar());
252     }
253     codeBlock->setVariableDeclarations(programNode->varDeclarations());
254     codeBlock->setLexicalDeclarations(programNode->lexicalVariables());
255     // Even though this program may have lexical variables that go under TDZ, when linking the get_from_scope/put_to_scope
256     // operations we emit we will have ResolveTypes that implictly do TDZ checks. Therefore, we don't need
257     // additional TDZ checks on top of those. This is why we can omit pushing programNode->lexicalVariables()
258     // to the TDZ stack.
259     
260     if (needsToUpdateArrowFunctionContext()) {
261         initializeArrowFunctionContextScopeIfNeeded();
262         emitPutThisToArrowFunctionContextScope();
263     }
264 }
265
266 BytecodeGenerator::BytecodeGenerator(VM& vm, FunctionNode* functionNode, UnlinkedFunctionCodeBlock* codeBlock, DebuggerMode debuggerMode, const VariableEnvironment* parentScopeTDZVariables)
267     : m_shouldEmitDebugHooks(Options::forceDebuggerBytecodeGeneration() || debuggerMode == DebuggerOn)
268     , m_scopeNode(functionNode)
269     , m_codeBlock(vm, codeBlock)
270     , m_codeType(FunctionCode)
271     , m_vm(&vm)
272     , m_isBuiltinFunction(codeBlock->isBuiltinFunction())
273     , m_usesNonStrictEval(codeBlock->usesEval() && !codeBlock->isStrictMode())
274     // FIXME: We should be able to have tail call elimination with the profiler
275     // enabled. This is currently not possible because the profiler expects
276     // op_will_call / op_did_call pairs before and after a call, which are not
277     // compatible with tail calls (we have no way of emitting op_did_call).
278     // https://bugs.webkit.org/show_bug.cgi?id=148819
279     , m_inTailPosition(Options::useTailCalls() && !isConstructor() && constructorKind() == ConstructorKind::None && isStrictMode())
280     , m_needsToUpdateArrowFunctionContext(functionNode->usesArrowFunction() || functionNode->usesEval())
281     , m_derivedContextType(codeBlock->derivedContextType())
282 {
283     for (auto& constantRegister : m_linkTimeConstantRegisters)
284         constantRegister = nullptr;
285
286     if (m_isBuiltinFunction)
287         m_shouldEmitDebugHooks = false;
288
289     allocateCalleeSaveSpace();
290     
291     SymbolTable* functionSymbolTable = SymbolTable::create(*m_vm);
292     functionSymbolTable->setUsesNonStrictEval(m_usesNonStrictEval);
293     int symbolTableConstantIndex = 0;
294
295     FunctionParameters& parameters = *functionNode->parameters(); 
296     // http://www.ecma-international.org/ecma-262/6.0/index.html#sec-functiondeclarationinstantiation
297     // This implements IsSimpleParameterList in the Ecma 2015 spec.
298     // If IsSimpleParameterList is false, we will create a strict-mode like arguments object.
299     // IsSimpleParameterList is false if the argument list contains any default parameter values,
300     // a rest parameter, or any destructuring patterns.
301     // If we do have default parameters, destructuring parameters, or a rest parameter, our parameters will be allocated in a different scope.
302     bool isSimpleParameterList = parameters.isSimpleParameterList();
303
304     SourceParseMode parseMode = codeBlock->parseMode();
305
306     bool containsArrowOrEvalButNotInArrowBlock = ((functionNode->usesArrowFunction() && functionNode->doAnyInnerArrowFunctionsUseAnyFeature()) || functionNode->usesEval()) && !m_codeBlock->isArrowFunction();
307     bool shouldCaptureSomeOfTheThings = m_shouldEmitDebugHooks || functionNode->needsActivation() || containsArrowOrEvalButNotInArrowBlock;
308
309     bool shouldCaptureAllOfTheThings = m_shouldEmitDebugHooks || codeBlock->usesEval();
310     bool needsArguments = ((functionNode->usesArguments() && !codeBlock->isArrowFunction()) || codeBlock->usesEval() || (functionNode->usesArrowFunction() && !codeBlock->isArrowFunction() && isArgumentsUsedInInnerArrowFunction()));
311
312     if (isGeneratorOrAsyncFunctionBodyParseMode(parseMode)) {
313         // Generator and AsyncFunction never provides "arguments". "arguments" reference will be resolved in an upper generator function scope.
314         needsArguments = false;
315
316         // Generator and AsyncFunction uses the var scope to save and resume its variables. So the lexical scope is always instantiated.
317         shouldCaptureSomeOfTheThings = true;
318     }
319
320     if (isGeneratorOrAsyncFunctionWrapperParseMode(parseMode) && needsArguments) {
321         // Generator does not provide "arguments". Instead, wrapping GeneratorFunction provides "arguments".
322         // This is because arguments of a generator should be evaluated before starting it.
323         // To workaround it, we evaluate these arguments as arguments of a wrapping generator function, and reference it from a generator.
324         //
325         //    function *gen(a, b = hello())
326         //    {
327         //        return {
328         //            @generatorNext: function (@generator, @generatorState, @generatorValue, @generatorResumeMode, @generatorFrame)
329         //            {
330         //                arguments;  // This `arguments` should reference to the gen's arguments.
331         //                ...
332         //            }
333         //        }
334         //    }
335         shouldCaptureSomeOfTheThings = true;
336     }
337
338     if (shouldCaptureAllOfTheThings)
339         functionNode->varDeclarations().markAllVariablesAsCaptured();
340     
341     auto captures = [&] (UniquedStringImpl* uid) -> bool {
342         if (!shouldCaptureSomeOfTheThings)
343             return false;
344         if (needsArguments && uid == propertyNames().arguments.impl()) {
345             // Actually, we only need to capture the arguments object when we "need full activation"
346             // because of name scopes. But historically we did it this way, so for now we just preserve
347             // the old behavior.
348             // FIXME: https://bugs.webkit.org/show_bug.cgi?id=143072
349             return true;
350         }
351         return functionNode->captures(uid);
352     };
353     auto varKind = [&] (UniquedStringImpl* uid) -> VarKind {
354         return captures(uid) ? VarKind::Scope : VarKind::Stack;
355     };
356
357     m_calleeRegister.setIndex(CallFrameSlot::callee);
358
359     initializeParameters(parameters);
360     ASSERT(!(isSimpleParameterList && m_restParameter));
361
362     emitEnter();
363
364     if (isGeneratorOrAsyncFunctionBodyParseMode(parseMode))
365         m_generatorRegister = &m_parameters[1];
366
367     allocateAndEmitScope();
368
369     emitCheckTraps();
370     
371     if (functionNameIsInScope(functionNode->ident(), functionNode->functionMode())) {
372         ASSERT(parseMode != SourceParseMode::GeneratorBodyMode);
373         ASSERT(!isAsyncFunctionBodyParseMode(parseMode));
374         bool isDynamicScope = functionNameScopeIsDynamic(codeBlock->usesEval(), codeBlock->isStrictMode());
375         bool isFunctionNameCaptured = captures(functionNode->ident().impl());
376         bool markAsCaptured = isDynamicScope || isFunctionNameCaptured;
377         emitPushFunctionNameScope(functionNode->ident(), &m_calleeRegister, markAsCaptured);
378     }
379
380     if (shouldCaptureSomeOfTheThings)
381         m_lexicalEnvironmentRegister = addVar();
382
383     if (shouldCaptureSomeOfTheThings || vm.typeProfiler())
384         symbolTableConstantIndex = addConstantValue(functionSymbolTable)->index();
385
386     // We can allocate the "var" environment if we don't have default parameter expressions. If we have
387     // default parameter expressions, we have to hold off on allocating the "var" environment because
388     // the parent scope of the "var" environment is the parameter environment.
389     if (isSimpleParameterList)
390         initializeVarLexicalEnvironment(symbolTableConstantIndex, functionSymbolTable, shouldCaptureSomeOfTheThings);
391
392     // Figure out some interesting facts about our arguments.
393     bool capturesAnyArgumentByName = false;
394     if (functionNode->hasCapturedVariables()) {
395         FunctionParameters& parameters = *functionNode->parameters();
396         for (size_t i = 0; i < parameters.size(); ++i) {
397             auto pattern = parameters.at(i).first;
398             if (!pattern->isBindingNode())
399                 continue;
400             const Identifier& ident = static_cast<const BindingNode*>(pattern)->boundProperty();
401             capturesAnyArgumentByName |= captures(ident.impl());
402         }
403     }
404     
405     if (capturesAnyArgumentByName)
406         ASSERT(m_lexicalEnvironmentRegister);
407
408     // Need to know what our functions are called. Parameters have some goofy behaviors when it
409     // comes to functions of the same name.
410     for (FunctionMetadataNode* function : functionNode->functionStack())
411         m_functions.add(function->ident().impl());
412     
413     if (needsArguments) {
414         // Create the arguments object now. We may put the arguments object into the activation if
415         // it is captured. Either way, we create two arguments object variables: one is our
416         // private variable that is immutable, and another that is the user-visible variable. The
417         // immutable one is only used here, or during formal parameter resolutions if we opt for
418         // DirectArguments.
419         
420         m_argumentsRegister = addVar();
421         m_argumentsRegister->ref();
422     }
423     
424     if (needsArguments && !codeBlock->isStrictMode() && isSimpleParameterList) {
425         // If we captured any formal parameter by name, then we use ScopedArguments. Otherwise we
426         // use DirectArguments. With ScopedArguments, we lift all of our arguments into the
427         // activation.
428         
429         if (capturesAnyArgumentByName) {
430             functionSymbolTable->setArgumentsLength(vm, parameters.size());
431             
432             // For each parameter, we have two possibilities:
433             // Either it's a binding node with no function overlap, in which case it gets a name
434             // in the symbol table - or it just gets space reserved in the symbol table. Either
435             // way we lift the value into the scope.
436             for (unsigned i = 0; i < parameters.size(); ++i) {
437                 ScopeOffset offset = functionSymbolTable->takeNextScopeOffset(NoLockingNecessary);
438                 functionSymbolTable->setArgumentOffset(vm, i, offset);
439                 if (UniquedStringImpl* name = visibleNameForParameter(parameters.at(i).first)) {
440                     VarOffset varOffset(offset);
441                     SymbolTableEntry entry(varOffset);
442                     // Stores to these variables via the ScopedArguments object will not do
443                     // notifyWrite(), since that would be cumbersome. Also, watching formal
444                     // parameters when "arguments" is in play is unlikely to be super profitable.
445                     // So, we just disable it.
446                     entry.disableWatching(*m_vm);
447                     functionSymbolTable->set(NoLockingNecessary, name, entry);
448                 }
449                 emitOpcode(op_put_to_scope);
450                 instructions().append(m_lexicalEnvironmentRegister->index());
451                 instructions().append(UINT_MAX);
452                 instructions().append(virtualRegisterForArgument(1 + i).offset());
453                 instructions().append(GetPutInfo(ThrowIfNotFound, LocalClosureVar, InitializationMode::NotInitialization).operand());
454                 instructions().append(symbolTableConstantIndex);
455                 instructions().append(offset.offset());
456             }
457             
458             // This creates a scoped arguments object and copies the overflow arguments into the
459             // scope. It's the equivalent of calling ScopedArguments::createByCopying().
460             emitOpcode(op_create_scoped_arguments);
461             instructions().append(m_argumentsRegister->index());
462             instructions().append(m_lexicalEnvironmentRegister->index());
463         } else {
464             // We're going to put all parameters into the DirectArguments object. First ensure
465             // that the symbol table knows that this is happening.
466             for (unsigned i = 0; i < parameters.size(); ++i) {
467                 if (UniquedStringImpl* name = visibleNameForParameter(parameters.at(i).first))
468                     functionSymbolTable->set(NoLockingNecessary, name, SymbolTableEntry(VarOffset(DirectArgumentsOffset(i))));
469             }
470             
471             emitOpcode(op_create_direct_arguments);
472             instructions().append(m_argumentsRegister->index());
473         }
474     } else if (isSimpleParameterList) {
475         // Create the formal parameters the normal way. Any of them could be captured, or not. If
476         // captured, lift them into the scope. We cannot do this if we have default parameter expressions
477         // because when default parameter expressions exist, they belong in their own lexical environment
478         // separate from the "var" lexical environment.
479         for (unsigned i = 0; i < parameters.size(); ++i) {
480             UniquedStringImpl* name = visibleNameForParameter(parameters.at(i).first);
481             if (!name)
482                 continue;
483             
484             if (!captures(name)) {
485                 // This is the easy case - just tell the symbol table about the argument. It will
486                 // be accessed directly.
487                 functionSymbolTable->set(NoLockingNecessary, name, SymbolTableEntry(VarOffset(virtualRegisterForArgument(1 + i))));
488                 continue;
489             }
490             
491             ScopeOffset offset = functionSymbolTable->takeNextScopeOffset(NoLockingNecessary);
492             const Identifier& ident =
493                 static_cast<const BindingNode*>(parameters.at(i).first)->boundProperty();
494             functionSymbolTable->set(NoLockingNecessary, name, SymbolTableEntry(VarOffset(offset)));
495             
496             emitOpcode(op_put_to_scope);
497             instructions().append(m_lexicalEnvironmentRegister->index());
498             instructions().append(addConstant(ident));
499             instructions().append(virtualRegisterForArgument(1 + i).offset());
500             instructions().append(GetPutInfo(ThrowIfNotFound, LocalClosureVar, InitializationMode::NotInitialization).operand());
501             instructions().append(symbolTableConstantIndex);
502             instructions().append(offset.offset());
503         }
504     }
505     
506     if (needsArguments && (codeBlock->isStrictMode() || !isSimpleParameterList)) {
507         // Allocate a cloned arguments object.
508         emitOpcode(op_create_cloned_arguments);
509         instructions().append(m_argumentsRegister->index());
510     }
511     
512     // There are some variables that need to be preinitialized to something other than Undefined:
513     //
514     // - "arguments": unless it's used as a function or parameter, this should refer to the
515     //   arguments object.
516     //
517     // - functions: these always override everything else.
518     //
519     // The most logical way to do all of this is to initialize none of the variables until now,
520     // and then initialize them in BytecodeGenerator::generate() in such an order that the rules
521     // for how these things override each other end up holding. We would initialize "arguments" first, 
522     // then all arguments, then the functions.
523     //
524     // But some arguments are already initialized by default, since if they aren't captured and we
525     // don't have "arguments" then we just point the symbol table at the stack slot of those
526     // arguments. We end up initializing the rest of the arguments that have an uncomplicated
527     // binding (i.e. don't involve destructuring) above when figuring out how to lay them out,
528     // because that's just the simplest thing. This means that when we initialize them, we have to
529     // watch out for the things that override arguments (namely, functions).
530     
531     // This is our final act of weirdness. "arguments" is overridden by everything except the
532     // callee. We add it to the symbol table if it's not already there and it's not an argument.
533     bool shouldCreateArgumentsVariableInParameterScope = false;
534     if (needsArguments) {
535         // If "arguments" is overridden by a function or destructuring parameter name, then it's
536         // OK for us to call createVariable() because it won't change anything. It's also OK for
537         // us to them tell BytecodeGenerator::generate() to write to it because it will do so
538         // before it initializes functions and destructuring parameters. But if "arguments" is
539         // overridden by a "simple" function parameter, then we have to bail: createVariable()
540         // would assert and BytecodeGenerator::generate() would write the "arguments" after the
541         // argument value had already been properly initialized.
542         
543         bool haveParameterNamedArguments = false;
544         for (unsigned i = 0; i < parameters.size(); ++i) {
545             UniquedStringImpl* name = visibleNameForParameter(parameters.at(i).first);
546             if (name == propertyNames().arguments.impl()) {
547                 haveParameterNamedArguments = true;
548                 break;
549             }
550         }
551
552         bool shouldCreateArgumensVariable = !haveParameterNamedArguments
553             && !SourceParseModeSet(SourceParseMode::ArrowFunctionMode, SourceParseMode::AsyncArrowFunctionMode).contains(m_codeBlock->parseMode());
554         shouldCreateArgumentsVariableInParameterScope = shouldCreateArgumensVariable && !isSimpleParameterList;
555         // Do not create arguments variable in case of Arrow function. Value will be loaded from parent scope
556         if (shouldCreateArgumensVariable && !shouldCreateArgumentsVariableInParameterScope) {
557             createVariable(
558                 propertyNames().arguments, varKind(propertyNames().arguments.impl()), functionSymbolTable);
559
560             m_needToInitializeArguments = true;
561         }
562     }
563
564     for (FunctionMetadataNode* function : functionNode->functionStack()) {
565         const Identifier& ident = function->ident();
566         createVariable(ident, varKind(ident.impl()), functionSymbolTable);
567         m_functionsToInitialize.append(std::make_pair(function, NormalFunctionVariable));
568     }
569     for (auto& entry : functionNode->varDeclarations()) {
570         ASSERT(!entry.value.isLet() && !entry.value.isConst());
571         if (!entry.value.isVar()) // This is either a parameter or callee.
572             continue;
573         if (shouldCreateArgumentsVariableInParameterScope && entry.key.get() == propertyNames().arguments.impl())
574             continue;
575         createVariable(Identifier::fromUid(m_vm, entry.key.get()), varKind(entry.key.get()), functionSymbolTable, IgnoreExisting);
576     }
577
578
579     m_newTargetRegister = addVar();
580     switch (parseMode) {
581     case SourceParseMode::GeneratorWrapperFunctionMode:
582     case SourceParseMode::GeneratorWrapperMethodMode:
583     case SourceParseMode::AsyncGeneratorWrapperMethodMode:
584     case SourceParseMode::AsyncGeneratorWrapperFunctionMode: {
585         m_generatorRegister = addVar();
586
587         // FIXME: Emit to_this only when Generator uses it.
588         // https://bugs.webkit.org/show_bug.cgi?id=151586
589         m_codeBlock->addPropertyAccessInstruction(instructions().size());
590         emitOpcode(op_to_this);
591         instructions().append(kill(&m_thisRegister));
592         instructions().append(0);
593         instructions().append(0);
594
595         emitMove(m_generatorRegister, &m_calleeRegister);
596         emitCreateThis(m_generatorRegister);
597         break;
598     }
599
600     case SourceParseMode::AsyncArrowFunctionMode:
601     case SourceParseMode::AsyncMethodMode:
602     case SourceParseMode::AsyncFunctionMode: {
603         ASSERT(!isConstructor());
604         ASSERT(constructorKind() == ConstructorKind::None);
605         m_generatorRegister = addVar();
606         m_promiseCapabilityRegister = addVar();
607
608         if (parseMode != SourceParseMode::AsyncArrowFunctionMode) {
609             // FIXME: Emit to_this only when AsyncFunctionBody uses it.
610             // https://bugs.webkit.org/show_bug.cgi?id=151586
611             m_codeBlock->addPropertyAccessInstruction(instructions().size());
612             emitOpcode(op_to_this);
613             instructions().append(kill(&m_thisRegister));
614             instructions().append(0);
615             instructions().append(0);
616         }
617
618         emitNewObject(m_generatorRegister);
619
620         // let promiseCapability be @newPromiseCapability(@Promise)
621         auto varNewPromiseCapability = variable(propertyNames().builtinNames().newPromiseCapabilityPrivateName());
622         RefPtr<RegisterID> scope = newTemporary();
623         moveToDestinationIfNeeded(scope.get(), emitResolveScope(scope.get(), varNewPromiseCapability));
624         RefPtr<RegisterID> newPromiseCapability = emitGetFromScope(newTemporary(), scope.get(), varNewPromiseCapability, ThrowIfNotFound);
625
626         CallArguments args(*this, nullptr, 1);
627         emitLoad(args.thisRegister(), jsUndefined());
628
629         auto varPromiseConstructor = variable(propertyNames().builtinNames().PromisePrivateName());
630         moveToDestinationIfNeeded(scope.get(), emitResolveScope(scope.get(), varPromiseConstructor));
631         emitGetFromScope(args.argumentRegister(0), scope.get(), varPromiseConstructor, ThrowIfNotFound);
632
633         // JSTextPosition(int _line, int _offset, int _lineStartOffset)
634         JSTextPosition divot(m_scopeNode->firstLine(), m_scopeNode->startOffset(), m_scopeNode->lineStartOffset());
635         emitCall(promiseCapabilityRegister(), newPromiseCapability.get(), NoExpectedFunction, args, divot, divot, divot, DebuggableCall::No);
636         break;
637     }
638
639     case SourceParseMode::AsyncGeneratorBodyMode:
640     case SourceParseMode::AsyncFunctionBodyMode:
641     case SourceParseMode::AsyncArrowFunctionBodyMode:
642     case SourceParseMode::GeneratorBodyMode: {
643         // |this| is already filled correctly before here.
644         emitLoad(m_newTargetRegister, jsUndefined());
645         break;
646     }
647
648     default: {
649         if (SourceParseMode::ArrowFunctionMode != parseMode) {
650             if (isConstructor()) {
651                 emitMove(m_newTargetRegister, &m_thisRegister);
652                 if (constructorKind() == ConstructorKind::Extends) {
653                     emitMoveEmptyValue(&m_thisRegister);
654                 } else
655                     emitCreateThis(&m_thisRegister);
656             } else if (constructorKind() != ConstructorKind::None)
657                 emitThrowTypeError("Cannot call a class constructor without |new|");
658             else {
659                 bool shouldEmitToThis = false;
660                 if (functionNode->usesThis() || codeBlock->usesEval() || m_scopeNode->doAnyInnerArrowFunctionsUseThis() || m_scopeNode->doAnyInnerArrowFunctionsUseEval())
661                     shouldEmitToThis = true;
662                 else if ((functionNode->usesSuperProperty() || m_scopeNode->doAnyInnerArrowFunctionsUseSuperProperty()) && !codeBlock->isStrictMode()) {
663                     // We must emit to_this when we're not in strict mode because we
664                     // will convert |this| to an object, and that object may be passed
665                     // to a strict function as |this|. This is observable because that
666                     // strict function's to_this will just return the object.
667                     //
668                     // We don't need to emit this for strict-mode code because
669                     // strict-mode code may call another strict function, which will
670                     // to_this if it directly uses this; this is OK, because we defer
671                     // to_this until |this| is used directly. Strict-mode code might
672                     // also call a sloppy mode function, and that will to_this, which
673                     // will defer the conversion, again, until necessary.
674                     shouldEmitToThis = true;
675                 }
676
677                 if (shouldEmitToThis) {
678                     m_codeBlock->addPropertyAccessInstruction(instructions().size());
679                     emitOpcode(op_to_this);
680                     instructions().append(kill(&m_thisRegister));
681                     instructions().append(0);
682                     instructions().append(0);
683                 }
684             }
685         }
686         break;
687     }
688     }
689
690     // We need load |super| & |this| for arrow function before initializeDefaultParameterValuesAndSetupFunctionScopeStack
691     // if we have default parameter expression. Because |super| & |this| values can be used there
692     if ((SourceParseModeSet(SourceParseMode::ArrowFunctionMode, SourceParseMode::AsyncArrowFunctionMode).contains(parseMode) && !isSimpleParameterList) || parseMode == SourceParseMode::AsyncArrowFunctionBodyMode) {
693         if (functionNode->usesThis() || functionNode->usesSuperProperty())
694             emitLoadThisFromArrowFunctionLexicalEnvironment();
695
696         if (m_scopeNode->usesNewTarget() || m_scopeNode->usesSuperCall())
697             emitLoadNewTargetFromArrowFunctionLexicalEnvironment();
698     }
699
700     if (needsToUpdateArrowFunctionContext() && !codeBlock->isArrowFunction()) {
701         bool canReuseLexicalEnvironment = isSimpleParameterList;
702         initializeArrowFunctionContextScopeIfNeeded(functionSymbolTable, canReuseLexicalEnvironment);
703         emitPutThisToArrowFunctionContextScope();
704         emitPutNewTargetToArrowFunctionContextScope();
705         emitPutDerivedConstructorToArrowFunctionContextScope();
706     }
707
708     // All "addVar()"s needs to happen before "initializeDefaultParameterValuesAndSetupFunctionScopeStack()" is called
709     // because a function's default parameter ExpressionNodes will use temporary registers.
710     pushTDZVariables(*parentScopeTDZVariables, TDZCheckOptimization::DoNotOptimize, TDZRequirement::UnderTDZ);
711
712     Ref<Label> catchLabel = newLabel();
713     TryData* tryFormalParametersData = nullptr;
714     bool needTryCatch = isAsyncFunctionWrapperParseMode(parseMode) && !isSimpleParameterList;
715     if (needTryCatch) {
716         Ref<Label> tryFormalParametersStart = newEmittedLabel();
717         tryFormalParametersData = pushTry(tryFormalParametersStart.get(), catchLabel.get(), HandlerType::SynthesizedCatch);
718     }
719
720     initializeDefaultParameterValuesAndSetupFunctionScopeStack(parameters, isSimpleParameterList, functionNode, functionSymbolTable, symbolTableConstantIndex, captures, shouldCreateArgumentsVariableInParameterScope);
721
722     if (needTryCatch) {
723         Ref<Label> didNotThrow = newLabel();
724         emitJump(didNotThrow.get());
725         emitLabel(catchLabel.get());
726         popTry(tryFormalParametersData, catchLabel.get());
727
728         RefPtr<RegisterID> thrownValue = newTemporary();
729         RegisterID* unused = newTemporary();
730         emitCatch(unused, thrownValue.get(), tryFormalParametersData);
731
732         // return promiseCapability.@reject(thrownValue)
733         RefPtr<RegisterID> reject = emitGetById(newTemporary(), promiseCapabilityRegister(), m_vm->propertyNames->builtinNames().rejectPrivateName());
734
735         CallArguments args(*this, nullptr, 1);
736         emitLoad(args.thisRegister(), jsUndefined());
737         emitMove(args.argumentRegister(0), thrownValue.get());
738
739         JSTextPosition divot(functionNode->firstLine(), functionNode->startOffset(), functionNode->lineStartOffset());
740
741         RefPtr<RegisterID> result = emitCall(newTemporary(), reject.get(), NoExpectedFunction, args, divot, divot, divot, DebuggableCall::No);
742         emitReturn(emitGetById(newTemporary(), promiseCapabilityRegister(), m_vm->propertyNames->builtinNames().promisePrivateName()));
743
744         emitLabel(didNotThrow.get());
745     }
746
747     // If we don't have  default parameter expression, then loading |this| inside an arrow function must be done
748     // after initializeDefaultParameterValuesAndSetupFunctionScopeStack() because that function sets up the
749     // SymbolTable stack and emitLoadThisFromArrowFunctionLexicalEnvironment() consults the SymbolTable stack
750     if (SourceParseModeSet(SourceParseMode::ArrowFunctionMode, SourceParseMode::AsyncArrowFunctionMode).contains(parseMode) && isSimpleParameterList) {
751         if (functionNode->usesThis() || functionNode->usesSuperProperty())
752             emitLoadThisFromArrowFunctionLexicalEnvironment();
753     
754         if (m_scopeNode->usesNewTarget() || m_scopeNode->usesSuperCall())
755             emitLoadNewTargetFromArrowFunctionLexicalEnvironment();
756     }
757     
758     // Set up the lexical environment scope as the generator frame. We store the saved and resumed generator registers into this scope with the symbol keys.
759     // Since they are symbol keyed, these variables cannot be reached from the usual code.
760     if (isGeneratorOrAsyncFunctionBodyParseMode(parseMode)) {
761         ASSERT(m_lexicalEnvironmentRegister);
762         m_generatorFrameSymbolTable.set(*m_vm, functionSymbolTable);
763         m_generatorFrameSymbolTableIndex = symbolTableConstantIndex;
764         emitMove(generatorFrameRegister(), m_lexicalEnvironmentRegister);
765         emitPutById(generatorRegister(), propertyNames().builtinNames().generatorFramePrivateName(), generatorFrameRegister());
766     }
767
768     bool shouldInitializeBlockScopedFunctions = false; // We generate top-level function declarations in ::generate().
769     pushLexicalScope(m_scopeNode, TDZCheckOptimization::Optimize, NestedScopeType::IsNotNested, nullptr, shouldInitializeBlockScopedFunctions);
770 }
771
772 BytecodeGenerator::BytecodeGenerator(VM& vm, EvalNode* evalNode, UnlinkedEvalCodeBlock* codeBlock, DebuggerMode debuggerMode, const VariableEnvironment* parentScopeTDZVariables)
773     : m_shouldEmitDebugHooks(Options::forceDebuggerBytecodeGeneration() || debuggerMode == DebuggerOn)
774     , m_scopeNode(evalNode)
775     , m_codeBlock(vm, codeBlock)
776     , m_thisRegister(CallFrame::thisArgumentOffset())
777     , m_codeType(EvalCode)
778     , m_vm(&vm)
779     , m_usesNonStrictEval(codeBlock->usesEval() && !codeBlock->isStrictMode())
780     , m_needsToUpdateArrowFunctionContext(evalNode->usesArrowFunction() || evalNode->usesEval())
781     , m_derivedContextType(codeBlock->derivedContextType())
782 {
783     for (auto& constantRegister : m_linkTimeConstantRegisters)
784         constantRegister = nullptr;
785
786     allocateCalleeSaveSpace();
787
788     m_codeBlock->setNumParameters(1);
789
790     pushTDZVariables(*parentScopeTDZVariables, TDZCheckOptimization::DoNotOptimize, TDZRequirement::UnderTDZ);
791
792     emitEnter();
793
794     allocateAndEmitScope();
795
796     emitCheckTraps();
797     
798     for (FunctionMetadataNode* function : evalNode->functionStack()) {
799         m_codeBlock->addFunctionDecl(makeFunction(function));
800         m_functionsToInitialize.append(std::make_pair(function, TopLevelFunctionVariable));
801     }
802
803     const VariableEnvironment& varDeclarations = evalNode->varDeclarations();
804     Vector<Identifier, 0, UnsafeVectorOverflow> variables;
805     Vector<Identifier, 0, UnsafeVectorOverflow> hoistedFunctions;
806     for (auto& entry : varDeclarations) {
807         ASSERT(entry.value.isVar());
808         ASSERT(entry.key->isAtomic() || entry.key->isSymbol());
809         if (entry.value.isSloppyModeHoistingCandidate())
810             hoistedFunctions.append(Identifier::fromUid(m_vm, entry.key.get()));
811         else
812             variables.append(Identifier::fromUid(m_vm, entry.key.get()));
813     }
814     codeBlock->adoptVariables(variables);
815     codeBlock->adoptFunctionHoistingCandidates(WTFMove(hoistedFunctions));
816     
817     if (evalNode->usesSuperCall() || evalNode->usesNewTarget())
818         m_newTargetRegister = addVar();
819
820     if (codeBlock->isArrowFunctionContext() && (evalNode->usesThis() || evalNode->usesSuperProperty()))
821         emitLoadThisFromArrowFunctionLexicalEnvironment();
822
823     if (evalNode->usesSuperCall() || evalNode->usesNewTarget())
824         emitLoadNewTargetFromArrowFunctionLexicalEnvironment();
825
826     if (needsToUpdateArrowFunctionContext() && !codeBlock->isArrowFunctionContext() && !isDerivedConstructorContext()) {
827         initializeArrowFunctionContextScopeIfNeeded();
828         emitPutThisToArrowFunctionContextScope();
829     }
830     
831     bool shouldInitializeBlockScopedFunctions = false; // We generate top-level function declarations in ::generate().
832     pushLexicalScope(m_scopeNode, TDZCheckOptimization::Optimize, NestedScopeType::IsNotNested, nullptr, shouldInitializeBlockScopedFunctions);
833 }
834
835 BytecodeGenerator::BytecodeGenerator(VM& vm, ModuleProgramNode* moduleProgramNode, UnlinkedModuleProgramCodeBlock* codeBlock, DebuggerMode debuggerMode, const VariableEnvironment* parentScopeTDZVariables)
836     : m_shouldEmitDebugHooks(Options::forceDebuggerBytecodeGeneration() || debuggerMode == DebuggerOn)
837     , m_scopeNode(moduleProgramNode)
838     , m_codeBlock(vm, codeBlock)
839     , m_thisRegister(CallFrame::thisArgumentOffset())
840     , m_codeType(ModuleCode)
841     , m_vm(&vm)
842     , m_usesNonStrictEval(false)
843     , m_needsToUpdateArrowFunctionContext(moduleProgramNode->usesArrowFunction() || moduleProgramNode->usesEval())
844 {
845     ASSERT_UNUSED(parentScopeTDZVariables, !parentScopeTDZVariables->size());
846
847     for (auto& constantRegister : m_linkTimeConstantRegisters)
848         constantRegister = nullptr;
849
850     if (m_isBuiltinFunction)
851         m_shouldEmitDebugHooks = false;
852
853     allocateCalleeSaveSpace();
854
855     SymbolTable* moduleEnvironmentSymbolTable = SymbolTable::create(*m_vm);
856     moduleEnvironmentSymbolTable->setUsesNonStrictEval(m_usesNonStrictEval);
857     moduleEnvironmentSymbolTable->setScopeType(SymbolTable::ScopeType::LexicalScope);
858
859     bool shouldCaptureAllOfTheThings = m_shouldEmitDebugHooks || codeBlock->usesEval();
860     if (shouldCaptureAllOfTheThings)
861         moduleProgramNode->varDeclarations().markAllVariablesAsCaptured();
862
863     auto captures = [&] (UniquedStringImpl* uid) -> bool {
864         return moduleProgramNode->captures(uid);
865     };
866     auto lookUpVarKind = [&] (UniquedStringImpl* uid, const VariableEnvironmentEntry& entry) -> VarKind {
867         // Allocate the exported variables in the module environment.
868         if (entry.isExported())
869             return VarKind::Scope;
870
871         // Allocate the namespace variables in the module environment to instantiate
872         // it from the outside of the module code.
873         if (entry.isImportedNamespace())
874             return VarKind::Scope;
875
876         if (entry.isCaptured())
877             return VarKind::Scope;
878         return captures(uid) ? VarKind::Scope : VarKind::Stack;
879     };
880
881     emitEnter();
882
883     allocateAndEmitScope();
884
885     emitCheckTraps();
886     
887     m_calleeRegister.setIndex(CallFrameSlot::callee);
888
889     m_codeBlock->setNumParameters(1); // Allocate space for "this"
890
891     // Now declare all variables.
892
893     createVariable(m_vm->propertyNames->builtinNames().metaPrivateName(), VarKind::Scope, moduleEnvironmentSymbolTable, VerifyExisting);
894
895     for (auto& entry : moduleProgramNode->varDeclarations()) {
896         ASSERT(!entry.value.isLet() && !entry.value.isConst());
897         if (!entry.value.isVar()) // This is either a parameter or callee.
898             continue;
899         // Imported bindings are not allocated in the module environment as usual variables' way.
900         // These references remain the "Dynamic" in the unlinked code block. Later, when linking
901         // the code block, we resolve the reference to the "ModuleVar".
902         if (entry.value.isImported() && !entry.value.isImportedNamespace())
903             continue;
904         createVariable(Identifier::fromUid(m_vm, entry.key.get()), lookUpVarKind(entry.key.get(), entry.value), moduleEnvironmentSymbolTable, IgnoreExisting);
905     }
906
907     VariableEnvironment& lexicalVariables = moduleProgramNode->lexicalVariables();
908     instantiateLexicalVariables(lexicalVariables, moduleEnvironmentSymbolTable, ScopeRegisterType::Block, lookUpVarKind);
909
910     // We keep the symbol table in the constant pool.
911     RegisterID* constantSymbolTable = nullptr;
912     if (vm.typeProfiler())
913         constantSymbolTable = addConstantValue(moduleEnvironmentSymbolTable);
914     else
915         constantSymbolTable = addConstantValue(moduleEnvironmentSymbolTable->cloneScopePart(*m_vm));
916
917     pushTDZVariables(lexicalVariables, TDZCheckOptimization::Optimize, TDZRequirement::UnderTDZ);
918     bool isWithScope = false;
919     m_lexicalScopeStack.append({ moduleEnvironmentSymbolTable, m_topMostScope, isWithScope, constantSymbolTable->index() });
920     emitPrefillStackTDZVariables(lexicalVariables, moduleEnvironmentSymbolTable);
921
922     // makeFunction assumes that there's correct TDZ stack entries.
923     // So it should be called after putting our lexical environment to the TDZ stack correctly.
924
925     for (FunctionMetadataNode* function : moduleProgramNode->functionStack()) {
926         const auto& iterator = moduleProgramNode->varDeclarations().find(function->ident().impl());
927         RELEASE_ASSERT(iterator != moduleProgramNode->varDeclarations().end());
928         RELEASE_ASSERT(!iterator->value.isImported());
929
930         VarKind varKind = lookUpVarKind(iterator->key.get(), iterator->value);
931         if (varKind == VarKind::Scope) {
932             // http://www.ecma-international.org/ecma-262/6.0/#sec-moduledeclarationinstantiation
933             // Section 15.2.1.16.4, step 16-a-iv-1.
934             // All heap allocated function declarations should be instantiated when the module environment
935             // is created. They include the exported function declarations and not-exported-but-heap-allocated
936             // function declarations. This is required because exported function should be instantiated before
937             // executing the any module in the dependency graph. This enables the modules to link the imported
938             // bindings before executing the any module code.
939             //
940             // And since function declarations are instantiated before executing the module body code, the spec
941             // allows the functions inside the module to be executed before its module body is executed under
942             // the circular dependencies. The following is the example.
943             //
944             // Module A (executed first):
945             //    import { b } from "B";
946             //    // Here, the module "B" is not executed yet, but the function declaration is already instantiated.
947             //    // So we can call the function exported from "B".
948             //    b();
949             //
950             //    export function a() {
951             //    }
952             //
953             // Module B (executed second):
954             //    import { a } from "A";
955             //
956             //    export function b() {
957             //        c();
958             //    }
959             //
960             //    // c is not exported, but since it is referenced from the b, we should instantiate it before
961             //    // executing the "B" module code.
962             //    function c() {
963             //        a();
964             //    }
965             //
966             // Module EntryPoint (executed last):
967             //    import "B";
968             //    import "A";
969             //
970             m_codeBlock->addFunctionDecl(makeFunction(function));
971         } else {
972             // Stack allocated functions can be allocated when executing the module's body.
973             m_functionsToInitialize.append(std::make_pair(function, NormalFunctionVariable));
974         }
975     }
976
977     // Remember the constant register offset to the top-most symbol table. This symbol table will be
978     // cloned in the code block linking. After that, to create the module environment, we retrieve
979     // the cloned symbol table from the linked code block by using this offset.
980     codeBlock->setModuleEnvironmentSymbolTableConstantRegisterOffset(constantSymbolTable->index());
981 }
982
983 BytecodeGenerator::~BytecodeGenerator()
984 {
985 }
986
987 void BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack(
988     FunctionParameters& parameters, bool isSimpleParameterList, FunctionNode* functionNode, SymbolTable* functionSymbolTable, 
989     int symbolTableConstantIndex, const std::function<bool (UniquedStringImpl*)>& captures, bool shouldCreateArgumentsVariableInParameterScope)
990 {
991     Vector<std::pair<Identifier, RefPtr<RegisterID>>> valuesToMoveIntoVars;
992     ASSERT(!(isSimpleParameterList && shouldCreateArgumentsVariableInParameterScope));
993     if (!isSimpleParameterList) {
994         // Refer to the ES6 spec section 9.2.12: http://www.ecma-international.org/ecma-262/6.0/index.html#sec-functiondeclarationinstantiation
995         // This implements step 21.
996         VariableEnvironment environment;
997         Vector<Identifier> allParameterNames; 
998         for (unsigned i = 0; i < parameters.size(); i++)
999             parameters.at(i).first->collectBoundIdentifiers(allParameterNames);
1000         if (shouldCreateArgumentsVariableInParameterScope)
1001             allParameterNames.append(propertyNames().arguments);
1002         IdentifierSet parameterSet;
1003         for (auto& ident : allParameterNames) {
1004             parameterSet.add(ident.impl());
1005             auto addResult = environment.add(ident);
1006             addResult.iterator->value.setIsLet(); // When we have default parameter expressions, parameters act like "let" variables.
1007             if (captures(ident.impl()))
1008                 addResult.iterator->value.setIsCaptured();
1009         }
1010         // This implements step 25 of section 9.2.12.
1011         pushLexicalScopeInternal(environment, TDZCheckOptimization::Optimize, NestedScopeType::IsNotNested, nullptr, TDZRequirement::UnderTDZ, ScopeType::LetConstScope, ScopeRegisterType::Block);
1012
1013         if (shouldCreateArgumentsVariableInParameterScope) {
1014             Variable argumentsVariable = variable(propertyNames().arguments); 
1015             initializeVariable(argumentsVariable, m_argumentsRegister);
1016             liftTDZCheckIfPossible(argumentsVariable);
1017         }
1018
1019         RefPtr<RegisterID> temp = newTemporary();
1020         for (unsigned i = 0; i < parameters.size(); i++) {
1021             std::pair<DestructuringPatternNode*, ExpressionNode*> parameter = parameters.at(i);
1022             if (parameter.first->isRestParameter())
1023                 continue;
1024             if ((i + 1) < m_parameters.size())
1025                 emitMove(temp.get(), &m_parameters[i + 1]);
1026             else
1027                 emitGetArgument(temp.get(), i);
1028             if (parameter.second) {
1029                 RefPtr<RegisterID> condition = emitIsUndefined(newTemporary(), temp.get());
1030                 Ref<Label> skipDefaultParameterBecauseNotUndefined = newLabel();
1031                 emitJumpIfFalse(condition.get(), skipDefaultParameterBecauseNotUndefined.get());
1032                 emitNode(temp.get(), parameter.second);
1033                 emitLabel(skipDefaultParameterBecauseNotUndefined.get());
1034             }
1035
1036             parameter.first->bindValue(*this, temp.get());
1037         }
1038
1039         // Final act of weirdness for default parameters. If a "var" also
1040         // has the same name as a parameter, it should start out as the
1041         // value of that parameter. Note, though, that they will be distinct
1042         // bindings.
1043         // This is step 28 of section 9.2.12. 
1044         for (auto& entry : functionNode->varDeclarations()) {
1045             if (!entry.value.isVar()) // This is either a parameter or callee.
1046                 continue;
1047
1048             if (parameterSet.contains(entry.key)) {
1049                 Identifier ident = Identifier::fromUid(m_vm, entry.key.get());
1050                 Variable var = variable(ident);
1051                 RegisterID* scope = emitResolveScope(nullptr, var);
1052                 RefPtr<RegisterID> value = emitGetFromScope(newTemporary(), scope, var, DoNotThrowIfNotFound);
1053                 valuesToMoveIntoVars.append(std::make_pair(ident, value));
1054             }
1055         }
1056
1057         // Functions with default parameter expressions must have a separate environment
1058         // record for parameters and "var"s. The "var" environment record must have the
1059         // parameter environment record as its parent.
1060         // See step 28 of section 9.2.12.
1061         bool hasCapturedVariables = !!m_lexicalEnvironmentRegister; 
1062         initializeVarLexicalEnvironment(symbolTableConstantIndex, functionSymbolTable, hasCapturedVariables);
1063     }
1064
1065     // This completes step 28 of section 9.2.12.
1066     for (unsigned i = 0; i < valuesToMoveIntoVars.size(); i++) {
1067         ASSERT(!isSimpleParameterList);
1068         Variable var = variable(valuesToMoveIntoVars[i].first);
1069         RegisterID* scope = emitResolveScope(nullptr, var);
1070         emitPutToScope(scope, var, valuesToMoveIntoVars[i].second.get(), DoNotThrowIfNotFound, InitializationMode::NotInitialization);
1071     }
1072 }
1073
1074 bool BytecodeGenerator::needsDerivedConstructorInArrowFunctionLexicalEnvironment()
1075 {
1076     ASSERT(m_codeBlock->isClassContext() || !(isConstructor() && constructorKind() == ConstructorKind::Extends));
1077     return m_codeBlock->isClassContext() && isSuperUsedInInnerArrowFunction();
1078 }
1079
1080 void BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded(SymbolTable* functionSymbolTable, bool canReuseLexicalEnvironment)
1081 {
1082     ASSERT(!m_arrowFunctionContextLexicalEnvironmentRegister);
1083
1084     if (canReuseLexicalEnvironment && m_lexicalEnvironmentRegister) {
1085         RELEASE_ASSERT(!m_codeBlock->isArrowFunction());
1086         RELEASE_ASSERT(functionSymbolTable);
1087
1088         m_arrowFunctionContextLexicalEnvironmentRegister = m_lexicalEnvironmentRegister;
1089         
1090         ScopeOffset offset;
1091         
1092         if (isThisUsedInInnerArrowFunction()) {
1093             offset = functionSymbolTable->takeNextScopeOffset(NoLockingNecessary);
1094             functionSymbolTable->set(NoLockingNecessary, propertyNames().thisIdentifier.impl(), SymbolTableEntry(VarOffset(offset)));
1095         }
1096
1097         if (m_codeType == FunctionCode && isNewTargetUsedInInnerArrowFunction()) {
1098             offset = functionSymbolTable->takeNextScopeOffset();
1099             functionSymbolTable->set(NoLockingNecessary, propertyNames().builtinNames().newTargetLocalPrivateName().impl(), SymbolTableEntry(VarOffset(offset)));
1100         }
1101         
1102         if (needsDerivedConstructorInArrowFunctionLexicalEnvironment()) {
1103             offset = functionSymbolTable->takeNextScopeOffset(NoLockingNecessary);
1104             functionSymbolTable->set(NoLockingNecessary, propertyNames().builtinNames().derivedConstructorPrivateName().impl(), SymbolTableEntry(VarOffset(offset)));
1105         }
1106
1107         return;
1108     }
1109
1110     VariableEnvironment environment;
1111
1112     if (isThisUsedInInnerArrowFunction()) {
1113         auto addResult = environment.add(propertyNames().thisIdentifier);
1114         addResult.iterator->value.setIsCaptured();
1115         addResult.iterator->value.setIsLet();
1116     }
1117     
1118     if (m_codeType == FunctionCode && isNewTargetUsedInInnerArrowFunction()) {
1119         auto addTarget = environment.add(propertyNames().builtinNames().newTargetLocalPrivateName());
1120         addTarget.iterator->value.setIsCaptured();
1121         addTarget.iterator->value.setIsLet();
1122     }
1123
1124     if (needsDerivedConstructorInArrowFunctionLexicalEnvironment()) {
1125         auto derivedConstructor = environment.add(propertyNames().builtinNames().derivedConstructorPrivateName());
1126         derivedConstructor.iterator->value.setIsCaptured();
1127         derivedConstructor.iterator->value.setIsLet();
1128     }
1129
1130     if (environment.size() > 0) {
1131         size_t size = m_lexicalScopeStack.size();
1132         pushLexicalScopeInternal(environment, TDZCheckOptimization::Optimize, NestedScopeType::IsNotNested, nullptr, TDZRequirement::UnderTDZ, ScopeType::LetConstScope, ScopeRegisterType::Block);
1133
1134         ASSERT_UNUSED(size, m_lexicalScopeStack.size() == size + 1);
1135
1136         m_arrowFunctionContextLexicalEnvironmentRegister = m_lexicalScopeStack.last().m_scope;
1137     }
1138 }
1139
1140 RegisterID* BytecodeGenerator::initializeNextParameter()
1141 {
1142     VirtualRegister reg = virtualRegisterForArgument(m_codeBlock->numParameters());
1143     m_parameters.grow(m_parameters.size() + 1);
1144     auto& parameter = registerFor(reg);
1145     parameter.setIndex(reg.offset());
1146     m_codeBlock->addParameter();
1147     return &parameter;
1148 }
1149
1150 void BytecodeGenerator::initializeParameters(FunctionParameters& parameters)
1151 {
1152     // Make sure the code block knows about all of our parameters, and make sure that parameters
1153     // needing destructuring are noted.
1154     m_thisRegister.setIndex(initializeNextParameter()->index()); // this
1155
1156     bool nonSimpleArguments = false;
1157     for (unsigned i = 0; i < parameters.size(); ++i) {
1158         auto parameter = parameters.at(i);
1159         auto pattern = parameter.first;
1160         if (pattern->isRestParameter()) {
1161             RELEASE_ASSERT(!m_restParameter);
1162             m_restParameter = static_cast<RestParameterNode*>(pattern);
1163             nonSimpleArguments = true;
1164             continue;
1165         }
1166         if (parameter.second) {
1167             nonSimpleArguments = true;
1168             continue;
1169         }
1170         if (!nonSimpleArguments)
1171             initializeNextParameter();
1172     }
1173 }
1174
1175 void BytecodeGenerator::initializeVarLexicalEnvironment(int symbolTableConstantIndex, SymbolTable* functionSymbolTable, bool hasCapturedVariables)
1176 {
1177     if (hasCapturedVariables) {
1178         RELEASE_ASSERT(m_lexicalEnvironmentRegister);
1179         emitOpcode(op_create_lexical_environment);
1180         instructions().append(m_lexicalEnvironmentRegister->index());
1181         instructions().append(scopeRegister()->index());
1182         instructions().append(symbolTableConstantIndex);
1183         instructions().append(addConstantValue(jsUndefined())->index());
1184
1185         emitOpcode(op_mov);
1186         instructions().append(scopeRegister()->index());
1187         instructions().append(m_lexicalEnvironmentRegister->index());
1188
1189         pushLocalControlFlowScope();
1190     }
1191     bool isWithScope = false;
1192     m_lexicalScopeStack.append({ functionSymbolTable, m_lexicalEnvironmentRegister, isWithScope, symbolTableConstantIndex });
1193     m_varScopeLexicalScopeStackIndex = m_lexicalScopeStack.size() - 1;
1194 }
1195
1196 UniquedStringImpl* BytecodeGenerator::visibleNameForParameter(DestructuringPatternNode* pattern)
1197 {
1198     if (pattern->isBindingNode()) {
1199         const Identifier& ident = static_cast<const BindingNode*>(pattern)->boundProperty();
1200         if (!m_functions.contains(ident.impl()))
1201             return ident.impl();
1202     }
1203     return nullptr;
1204 }
1205
1206 RegisterID* BytecodeGenerator::newRegister()
1207 {
1208     m_calleeLocals.append(virtualRegisterForLocal(m_calleeLocals.size()));
1209     int numCalleeLocals = max<int>(m_codeBlock->m_numCalleeLocals, m_calleeLocals.size());
1210     numCalleeLocals = WTF::roundUpToMultipleOf(stackAlignmentRegisters(), numCalleeLocals);
1211     m_codeBlock->m_numCalleeLocals = numCalleeLocals;
1212     return &m_calleeLocals.last();
1213 }
1214
1215 void BytecodeGenerator::reclaimFreeRegisters()
1216 {
1217     shrinkToFit(m_calleeLocals);
1218 }
1219
1220 RegisterID* BytecodeGenerator::newBlockScopeVariable()
1221 {
1222     reclaimFreeRegisters();
1223
1224     return newRegister();
1225 }
1226
1227 RegisterID* BytecodeGenerator::newTemporary()
1228 {
1229     reclaimFreeRegisters();
1230
1231     RegisterID* result = newRegister();
1232     result->setTemporary();
1233     return result;
1234 }
1235
1236 Ref<LabelScope> BytecodeGenerator::newLabelScope(LabelScope::Type type, const Identifier* name)
1237 {
1238     shrinkToFit(m_labelScopes);
1239
1240     // Allocate new label scope.
1241     m_labelScopes.append(type, name, labelScopeDepth(), newLabel(), type == LabelScope::Loop ? RefPtr<Label>(newLabel()) : RefPtr<Label>()); // Only loops have continue targets.
1242     return m_labelScopes.last();
1243 }
1244
1245 Ref<Label> BytecodeGenerator::newLabel()
1246 {
1247     shrinkToFit(m_labels);
1248
1249     // Allocate new label ID.
1250     m_labels.append();
1251     return m_labels.last();
1252 }
1253
1254 Ref<Label> BytecodeGenerator::newEmittedLabel()
1255 {
1256     Ref<Label> label = newLabel();
1257     emitLabel(label.get());
1258     return label;
1259 }
1260
1261 void BytecodeGenerator::emitLabel(Label& l0)
1262 {
1263     unsigned newLabelIndex = instructions().size();
1264     l0.setLocation(*this, newLabelIndex);
1265
1266     if (m_codeBlock->numberOfJumpTargets()) {
1267         unsigned lastLabelIndex = m_codeBlock->lastJumpTarget();
1268         ASSERT(lastLabelIndex <= newLabelIndex);
1269         if (newLabelIndex == lastLabelIndex) {
1270             // Peephole optimizations have already been disabled by emitting the last label
1271             return;
1272         }
1273     }
1274
1275     m_codeBlock->addJumpTarget(newLabelIndex);
1276
1277     // This disables peephole optimizations when an instruction is a jump target
1278     m_lastOpcodeID = op_end;
1279 }
1280
1281 void BytecodeGenerator::emitOpcode(OpcodeID opcodeID)
1282 {
1283 #ifndef NDEBUG
1284     size_t opcodePosition = instructions().size();
1285     ASSERT(opcodePosition - m_lastOpcodePosition == opcodeLength(m_lastOpcodeID) || m_lastOpcodeID == op_end);
1286     m_lastOpcodePosition = opcodePosition;
1287 #endif
1288     instructions().append(opcodeID);
1289     m_lastOpcodeID = opcodeID;
1290 }
1291
1292 UnlinkedArrayProfile BytecodeGenerator::newArrayProfile()
1293 {
1294     return m_codeBlock->addArrayProfile();
1295 }
1296
1297 UnlinkedArrayAllocationProfile BytecodeGenerator::newArrayAllocationProfile()
1298 {
1299     return m_codeBlock->addArrayAllocationProfile();
1300 }
1301
1302 UnlinkedObjectAllocationProfile BytecodeGenerator::newObjectAllocationProfile()
1303 {
1304     return m_codeBlock->addObjectAllocationProfile();
1305 }
1306
1307 UnlinkedValueProfile BytecodeGenerator::emitProfiledOpcode(OpcodeID opcodeID)
1308 {
1309     UnlinkedValueProfile result = m_codeBlock->addValueProfile();
1310     emitOpcode(opcodeID);
1311     return result;
1312 }
1313
1314 void BytecodeGenerator::emitEnter()
1315 {
1316     emitOpcode(op_enter);
1317
1318     // We must add the end of op_enter as a potential jump target, because the bytecode parser may decide to split its basic block
1319     // to have somewhere to jump to if there is a recursive tail-call that points to this function.
1320     m_codeBlock->addJumpTarget(instructions().size());
1321     // This disables peephole optimizations when an instruction is a jump target
1322     m_lastOpcodeID = op_end;
1323 }
1324
1325 void BytecodeGenerator::emitLoopHint()
1326 {
1327     emitOpcode(op_loop_hint);
1328     emitCheckTraps();
1329 }
1330
1331 void BytecodeGenerator::emitCheckTraps()
1332 {
1333     emitOpcode(op_check_traps);
1334 }
1335
1336 void BytecodeGenerator::retrieveLastBinaryOp(int& dstIndex, int& src1Index, int& src2Index)
1337 {
1338     ASSERT(instructions().size() >= 4);
1339     size_t size = instructions().size();
1340     dstIndex = instructions().at(size - 3).u.operand;
1341     src1Index = instructions().at(size - 2).u.operand;
1342     src2Index = instructions().at(size - 1).u.operand;
1343 }
1344
1345 void BytecodeGenerator::retrieveLastUnaryOp(int& dstIndex, int& srcIndex)
1346 {
1347     ASSERT(instructions().size() >= 3);
1348     size_t size = instructions().size();
1349     dstIndex = instructions().at(size - 2).u.operand;
1350     srcIndex = instructions().at(size - 1).u.operand;
1351 }
1352
1353 void ALWAYS_INLINE BytecodeGenerator::rewindBinaryOp()
1354 {
1355     ASSERT(instructions().size() >= 4);
1356     instructions().shrink(instructions().size() - 4);
1357     m_lastOpcodeID = op_end;
1358 }
1359
1360 void ALWAYS_INLINE BytecodeGenerator::rewindUnaryOp()
1361 {
1362     ASSERT(instructions().size() >= 3);
1363     instructions().shrink(instructions().size() - 3);
1364     m_lastOpcodeID = op_end;
1365 }
1366
1367 void BytecodeGenerator::emitJump(Label& target)
1368 {
1369     size_t begin = instructions().size();
1370     emitOpcode(op_jmp);
1371     instructions().append(target.bind(begin, instructions().size()));
1372 }
1373
1374 void BytecodeGenerator::emitJumpIfTrue(RegisterID* cond, Label& target)
1375 {
1376     auto fuseCompareAndJump = [&] (OpcodeID jumpID) {
1377         int dstIndex;
1378         int src1Index;
1379         int src2Index;
1380
1381         retrieveLastBinaryOp(dstIndex, src1Index, src2Index);
1382
1383         if (cond->index() == dstIndex && cond->isTemporary() && !cond->refCount()) {
1384             rewindBinaryOp();
1385
1386             size_t begin = instructions().size();
1387             emitOpcode(jumpID);
1388             instructions().append(src1Index);
1389             instructions().append(src2Index);
1390             instructions().append(target.bind(begin, instructions().size()));
1391             return true;
1392         }
1393         return false;
1394     };
1395
1396     if (m_lastOpcodeID == op_less) {
1397         if (fuseCompareAndJump(op_jless))
1398             return;
1399     } else if (m_lastOpcodeID == op_lesseq) {
1400         if (fuseCompareAndJump(op_jlesseq))
1401             return;
1402     } else if (m_lastOpcodeID == op_greater) {
1403         if (fuseCompareAndJump(op_jgreater))
1404             return;
1405     } else if (m_lastOpcodeID == op_greatereq) {
1406         if (fuseCompareAndJump(op_jgreatereq))
1407             return;
1408     } else if (m_lastOpcodeID == op_below) {
1409         if (fuseCompareAndJump(op_jbelow))
1410             return;
1411     } else if (m_lastOpcodeID == op_beloweq) {
1412         if (fuseCompareAndJump(op_jbeloweq))
1413             return;
1414     } else if (m_lastOpcodeID == op_eq_null && target.isForward()) {
1415         int dstIndex;
1416         int srcIndex;
1417
1418         retrieveLastUnaryOp(dstIndex, srcIndex);
1419
1420         if (cond->index() == dstIndex && cond->isTemporary() && !cond->refCount()) {
1421             rewindUnaryOp();
1422
1423             size_t begin = instructions().size();
1424             emitOpcode(op_jeq_null);
1425             instructions().append(srcIndex);
1426             instructions().append(target.bind(begin, instructions().size()));
1427             return;
1428         }
1429     } else if (m_lastOpcodeID == op_neq_null && target.isForward()) {
1430         int dstIndex;
1431         int srcIndex;
1432
1433         retrieveLastUnaryOp(dstIndex, srcIndex);
1434
1435         if (cond->index() == dstIndex && cond->isTemporary() && !cond->refCount()) {
1436             rewindUnaryOp();
1437
1438             size_t begin = instructions().size();
1439             emitOpcode(op_jneq_null);
1440             instructions().append(srcIndex);
1441             instructions().append(target.bind(begin, instructions().size()));
1442             return;
1443         }
1444     }
1445
1446     size_t begin = instructions().size();
1447
1448     emitOpcode(op_jtrue);
1449     instructions().append(cond->index());
1450     instructions().append(target.bind(begin, instructions().size()));
1451 }
1452
1453 void BytecodeGenerator::emitJumpIfFalse(RegisterID* cond, Label& target)
1454 {
1455     auto fuseCompareAndJump = [&] (OpcodeID jumpID, bool replaceOperands) {
1456         int dstIndex;
1457         int src1Index;
1458         int src2Index;
1459
1460         retrieveLastBinaryOp(dstIndex, src1Index, src2Index);
1461
1462         if (cond->index() == dstIndex && cond->isTemporary() && !cond->refCount()) {
1463             rewindBinaryOp();
1464
1465             size_t begin = instructions().size();
1466             emitOpcode(jumpID);
1467             // Since op_below and op_beloweq only accepts Int32, replacing operands is not observable to users.
1468             if (replaceOperands)
1469                 std::swap(src1Index, src2Index);
1470             instructions().append(src1Index);
1471             instructions().append(src2Index);
1472             instructions().append(target.bind(begin, instructions().size()));
1473             return true;
1474         }
1475         return false;
1476     };
1477
1478     if (m_lastOpcodeID == op_less && target.isForward()) {
1479         if (fuseCompareAndJump(op_jnless, false))
1480             return;
1481     } else if (m_lastOpcodeID == op_lesseq && target.isForward()) {
1482         if (fuseCompareAndJump(op_jnlesseq, false))
1483             return;
1484     } else if (m_lastOpcodeID == op_greater && target.isForward()) {
1485         if (fuseCompareAndJump(op_jngreater, false))
1486             return;
1487     } else if (m_lastOpcodeID == op_greatereq && target.isForward()) {
1488         if (fuseCompareAndJump(op_jngreatereq, false))
1489             return;
1490     } else if (m_lastOpcodeID == op_below && target.isForward()) {
1491         if (fuseCompareAndJump(op_jbeloweq, true))
1492             return;
1493     } else if (m_lastOpcodeID == op_beloweq && target.isForward()) {
1494         if (fuseCompareAndJump(op_jbelow, true))
1495             return;
1496     } else if (m_lastOpcodeID == op_not) {
1497         int dstIndex;
1498         int srcIndex;
1499
1500         retrieveLastUnaryOp(dstIndex, srcIndex);
1501
1502         if (cond->index() == dstIndex && cond->isTemporary() && !cond->refCount()) {
1503             rewindUnaryOp();
1504
1505             size_t begin = instructions().size();
1506             emitOpcode(op_jtrue);
1507             instructions().append(srcIndex);
1508             instructions().append(target.bind(begin, instructions().size()));
1509             return;
1510         }
1511     } else if (m_lastOpcodeID == op_eq_null && target.isForward()) {
1512         int dstIndex;
1513         int srcIndex;
1514
1515         retrieveLastUnaryOp(dstIndex, srcIndex);
1516
1517         if (cond->index() == dstIndex && cond->isTemporary() && !cond->refCount()) {
1518             rewindUnaryOp();
1519
1520             size_t begin = instructions().size();
1521             emitOpcode(op_jneq_null);
1522             instructions().append(srcIndex);
1523             instructions().append(target.bind(begin, instructions().size()));
1524             return;
1525         }
1526     } else if (m_lastOpcodeID == op_neq_null && target.isForward()) {
1527         int dstIndex;
1528         int srcIndex;
1529
1530         retrieveLastUnaryOp(dstIndex, srcIndex);
1531
1532         if (cond->index() == dstIndex && cond->isTemporary() && !cond->refCount()) {
1533             rewindUnaryOp();
1534
1535             size_t begin = instructions().size();
1536             emitOpcode(op_jeq_null);
1537             instructions().append(srcIndex);
1538             instructions().append(target.bind(begin, instructions().size()));
1539             return;
1540         }
1541     }
1542
1543     size_t begin = instructions().size();
1544     emitOpcode(op_jfalse);
1545     instructions().append(cond->index());
1546     instructions().append(target.bind(begin, instructions().size()));
1547 }
1548
1549 void BytecodeGenerator::emitJumpIfNotFunctionCall(RegisterID* cond, Label& target)
1550 {
1551     size_t begin = instructions().size();
1552
1553     emitOpcode(op_jneq_ptr);
1554     instructions().append(cond->index());
1555     instructions().append(Special::CallFunction);
1556     instructions().append(target.bind(begin, instructions().size()));
1557     instructions().append(0);
1558 }
1559
1560 void BytecodeGenerator::emitJumpIfNotFunctionApply(RegisterID* cond, Label& target)
1561 {
1562     size_t begin = instructions().size();
1563
1564     emitOpcode(op_jneq_ptr);
1565     instructions().append(cond->index());
1566     instructions().append(Special::ApplyFunction);
1567     instructions().append(target.bind(begin, instructions().size()));
1568     instructions().append(0);
1569 }
1570
1571 bool BytecodeGenerator::hasConstant(const Identifier& ident) const
1572 {
1573     UniquedStringImpl* rep = ident.impl();
1574     return m_identifierMap.contains(rep);
1575 }
1576
1577 unsigned BytecodeGenerator::addConstant(const Identifier& ident)
1578 {
1579     UniquedStringImpl* rep = ident.impl();
1580     IdentifierMap::AddResult result = m_identifierMap.add(rep, m_codeBlock->numberOfIdentifiers());
1581     if (result.isNewEntry)
1582         m_codeBlock->addIdentifier(ident);
1583
1584     return result.iterator->value;
1585 }
1586
1587 // We can't hash JSValue(), so we use a dedicated data member to cache it.
1588 RegisterID* BytecodeGenerator::addConstantEmptyValue()
1589 {
1590     if (!m_emptyValueRegister) {
1591         int index = addConstantIndex();
1592         m_codeBlock->addConstant(JSValue());
1593         m_emptyValueRegister = &m_constantPoolRegisters[index];
1594     }
1595
1596     return m_emptyValueRegister;
1597 }
1598
1599 RegisterID* BytecodeGenerator::addConstantValue(JSValue v, SourceCodeRepresentation sourceCodeRepresentation)
1600 {
1601     if (!v)
1602         return addConstantEmptyValue();
1603
1604     int index = m_nextConstantOffset;
1605
1606     if (sourceCodeRepresentation == SourceCodeRepresentation::Double && v.isInt32())
1607         v = jsDoubleNumber(v.asNumber());
1608     EncodedJSValueWithRepresentation valueMapKey { JSValue::encode(v), sourceCodeRepresentation };
1609     JSValueMap::AddResult result = m_jsValueMap.add(valueMapKey, m_nextConstantOffset);
1610     if (result.isNewEntry) {
1611         addConstantIndex();
1612         m_codeBlock->addConstant(v, sourceCodeRepresentation);
1613     } else
1614         index = result.iterator->value;
1615     return &m_constantPoolRegisters[index];
1616 }
1617
1618 RegisterID* BytecodeGenerator::emitMoveLinkTimeConstant(RegisterID* dst, LinkTimeConstant type)
1619 {
1620     unsigned constantIndex = static_cast<unsigned>(type);
1621     if (!m_linkTimeConstantRegisters[constantIndex]) {
1622         int index = addConstantIndex();
1623         m_codeBlock->addConstant(type);
1624         m_linkTimeConstantRegisters[constantIndex] = &m_constantPoolRegisters[index];
1625     }
1626
1627     if (!dst)
1628         return m_linkTimeConstantRegisters[constantIndex];
1629
1630     emitOpcode(op_mov);
1631     instructions().append(dst->index());
1632     instructions().append(m_linkTimeConstantRegisters[constantIndex]->index());
1633
1634     return dst;
1635 }
1636
1637 unsigned BytecodeGenerator::addRegExp(RegExp* r)
1638 {
1639     return m_codeBlock->addRegExp(r);
1640 }
1641
1642 RegisterID* BytecodeGenerator::emitMoveEmptyValue(RegisterID* dst)
1643 {
1644     RefPtr<RegisterID> emptyValue = addConstantEmptyValue();
1645
1646     emitOpcode(op_mov);
1647     instructions().append(dst->index());
1648     instructions().append(emptyValue->index());
1649     return dst;
1650 }
1651
1652 RegisterID* BytecodeGenerator::emitMove(RegisterID* dst, RegisterID* src)
1653 {
1654     ASSERT(src != m_emptyValueRegister);
1655
1656     m_staticPropertyAnalyzer.mov(dst->index(), src->index());
1657     emitOpcode(op_mov);
1658     instructions().append(dst->index());
1659     instructions().append(src->index());
1660
1661     return dst;
1662 }
1663
1664 RegisterID* BytecodeGenerator::emitUnaryOp(OpcodeID opcodeID, RegisterID* dst, RegisterID* src)
1665 {
1666     ASSERT_WITH_MESSAGE(op_to_number != opcodeID, "op_to_number has a Value Profile.");
1667     ASSERT_WITH_MESSAGE(op_negate != opcodeID, "op_negate has an Arith Profile.");
1668     emitOpcode(opcodeID);
1669     instructions().append(dst->index());
1670     instructions().append(src->index());
1671
1672     return dst;
1673 }
1674
1675 RegisterID* BytecodeGenerator::emitUnaryOp(OpcodeID opcodeID, RegisterID* dst, RegisterID* src, OperandTypes types)
1676 {
1677     ASSERT_WITH_MESSAGE(op_to_number != opcodeID, "op_to_number has a Value Profile.");
1678     emitOpcode(opcodeID);
1679     instructions().append(dst->index());
1680     instructions().append(src->index());
1681
1682     if (opcodeID == op_negate)
1683         instructions().append(ArithProfile(types.first()).bits());
1684     return dst;
1685 }
1686
1687 RegisterID* BytecodeGenerator::emitUnaryOpProfiled(OpcodeID opcodeID, RegisterID* dst, RegisterID* src)
1688 {
1689     UnlinkedValueProfile profile = emitProfiledOpcode(opcodeID);
1690     instructions().append(dst->index());
1691     instructions().append(src->index());
1692     instructions().append(profile);
1693     return dst;
1694 }
1695
1696 RegisterID* BytecodeGenerator::emitToObject(RegisterID* dst, RegisterID* src, const Identifier& message)
1697 {
1698     UnlinkedValueProfile profile = emitProfiledOpcode(op_to_object);
1699     instructions().append(dst->index());
1700     instructions().append(src->index());
1701     instructions().append(addConstant(message));
1702     instructions().append(profile);
1703     return dst;
1704 }
1705
1706 RegisterID* BytecodeGenerator::emitInc(RegisterID* srcDst)
1707 {
1708     emitOpcode(op_inc);
1709     instructions().append(srcDst->index());
1710     return srcDst;
1711 }
1712
1713 RegisterID* BytecodeGenerator::emitDec(RegisterID* srcDst)
1714 {
1715     emitOpcode(op_dec);
1716     instructions().append(srcDst->index());
1717     return srcDst;
1718 }
1719
1720 RegisterID* BytecodeGenerator::emitBinaryOp(OpcodeID opcodeID, RegisterID* dst, RegisterID* src1, RegisterID* src2, OperandTypes types)
1721 {
1722     emitOpcode(opcodeID);
1723     instructions().append(dst->index());
1724     instructions().append(src1->index());
1725     instructions().append(src2->index());
1726
1727     if (opcodeID == op_bitor || opcodeID == op_bitand || opcodeID == op_bitxor ||
1728         opcodeID == op_add || opcodeID == op_mul || opcodeID == op_sub || opcodeID == op_div)
1729         instructions().append(ArithProfile(types.first(), types.second()).bits());
1730
1731     return dst;
1732 }
1733
1734 RegisterID* BytecodeGenerator::emitEqualityOp(OpcodeID opcodeID, RegisterID* dst, RegisterID* src1, RegisterID* src2)
1735 {
1736     if (m_lastOpcodeID == op_typeof) {
1737         int dstIndex;
1738         int srcIndex;
1739
1740         retrieveLastUnaryOp(dstIndex, srcIndex);
1741
1742         if (src1->index() == dstIndex
1743             && src1->isTemporary()
1744             && m_codeBlock->isConstantRegisterIndex(src2->index())
1745             && m_codeBlock->constantRegister(src2->index()).get().isString()) {
1746             const String& value = asString(m_codeBlock->constantRegister(src2->index()).get())->tryGetValue();
1747             if (value == "undefined") {
1748                 rewindUnaryOp();
1749                 emitOpcode(op_is_undefined);
1750                 instructions().append(dst->index());
1751                 instructions().append(srcIndex);
1752                 return dst;
1753             }
1754             if (value == "boolean") {
1755                 rewindUnaryOp();
1756                 emitOpcode(op_is_boolean);
1757                 instructions().append(dst->index());
1758                 instructions().append(srcIndex);
1759                 return dst;
1760             }
1761             if (value == "number") {
1762                 rewindUnaryOp();
1763                 emitOpcode(op_is_number);
1764                 instructions().append(dst->index());
1765                 instructions().append(srcIndex);
1766                 return dst;
1767             }
1768             if (value == "string") {
1769                 rewindUnaryOp();
1770                 emitOpcode(op_is_cell_with_type);
1771                 instructions().append(dst->index());
1772                 instructions().append(srcIndex);
1773                 instructions().append(StringType);
1774                 return dst;
1775             }
1776             if (value == "symbol") {
1777                 rewindUnaryOp();
1778                 emitOpcode(op_is_cell_with_type);
1779                 instructions().append(dst->index());
1780                 instructions().append(srcIndex);
1781                 instructions().append(SymbolType);
1782                 return dst;
1783             }
1784             if (value == "object") {
1785                 rewindUnaryOp();
1786                 emitOpcode(op_is_object_or_null);
1787                 instructions().append(dst->index());
1788                 instructions().append(srcIndex);
1789                 return dst;
1790             }
1791             if (value == "function") {
1792                 rewindUnaryOp();
1793                 emitOpcode(op_is_function);
1794                 instructions().append(dst->index());
1795                 instructions().append(srcIndex);
1796                 return dst;
1797             }
1798         }
1799     }
1800
1801     emitOpcode(opcodeID);
1802     instructions().append(dst->index());
1803     instructions().append(src1->index());
1804     instructions().append(src2->index());
1805     return dst;
1806 }
1807
1808 void BytecodeGenerator::emitTypeProfilerExpressionInfo(const JSTextPosition& startDivot, const JSTextPosition& endDivot)
1809 {
1810     ASSERT(vm()->typeProfiler());
1811
1812     unsigned start = startDivot.offset; // Ranges are inclusive of their endpoints, AND 0 indexed.
1813     unsigned end = endDivot.offset - 1; // End Ranges already go one past the inclusive range, so subtract 1.
1814     unsigned instructionOffset = instructions().size() - 1;
1815     m_codeBlock->addTypeProfilerExpressionInfo(instructionOffset, start, end);
1816 }
1817
1818 void BytecodeGenerator::emitProfileType(RegisterID* registerToProfile, ProfileTypeBytecodeFlag flag)
1819 {
1820     if (!vm()->typeProfiler())
1821         return;
1822
1823     if (!registerToProfile)
1824         return;
1825
1826     emitOpcode(op_profile_type);
1827     instructions().append(registerToProfile->index());
1828     instructions().append(0);
1829     instructions().append(flag);
1830     instructions().append(0);
1831     instructions().append(resolveType());
1832
1833     // Don't emit expression info for this version of profile type. This generally means
1834     // we're profiling information for something that isn't in the actual text of a JavaScript
1835     // program. For example, implicit return undefined from a function call.
1836 }
1837
1838 void BytecodeGenerator::emitProfileType(RegisterID* registerToProfile, const JSTextPosition& startDivot, const JSTextPosition& endDivot)
1839 {
1840     emitProfileType(registerToProfile, ProfileTypeBytecodeDoesNotHaveGlobalID, startDivot, endDivot);
1841 }
1842
1843 void BytecodeGenerator::emitProfileType(RegisterID* registerToProfile, ProfileTypeBytecodeFlag flag, const JSTextPosition& startDivot, const JSTextPosition& endDivot)
1844 {
1845     if (!vm()->typeProfiler())
1846         return;
1847
1848     if (!registerToProfile)
1849         return;
1850
1851     // The format of this instruction is: op_profile_type regToProfile, TypeLocation*, flag, identifier?, resolveType?
1852     emitOpcode(op_profile_type);
1853     instructions().append(registerToProfile->index());
1854     instructions().append(0);
1855     instructions().append(flag);
1856     instructions().append(0);
1857     instructions().append(resolveType());
1858
1859     emitTypeProfilerExpressionInfo(startDivot, endDivot);
1860 }
1861
1862 void BytecodeGenerator::emitProfileType(RegisterID* registerToProfile, const Variable& var, const JSTextPosition& startDivot, const JSTextPosition& endDivot)
1863 {
1864     if (!vm()->typeProfiler())
1865         return;
1866
1867     if (!registerToProfile)
1868         return;
1869
1870     ProfileTypeBytecodeFlag flag;
1871     int symbolTableOrScopeDepth;
1872     if (var.local() || var.offset().isScope()) {
1873         flag = ProfileTypeBytecodeLocallyResolved;
1874         ASSERT(var.symbolTableConstantIndex());
1875         symbolTableOrScopeDepth = var.symbolTableConstantIndex();
1876     } else {
1877         flag = ProfileTypeBytecodeClosureVar;
1878         symbolTableOrScopeDepth = localScopeDepth();
1879     }
1880
1881     // The format of this instruction is: op_profile_type regToProfile, TypeLocation*, flag, identifier?, resolveType?
1882     emitOpcode(op_profile_type);
1883     instructions().append(registerToProfile->index());
1884     instructions().append(symbolTableOrScopeDepth);
1885     instructions().append(flag);
1886     instructions().append(addConstant(var.ident()));
1887     instructions().append(resolveType());
1888
1889     emitTypeProfilerExpressionInfo(startDivot, endDivot);
1890 }
1891
1892 void BytecodeGenerator::emitProfileControlFlow(int textOffset)
1893 {
1894     if (vm()->controlFlowProfiler()) {
1895         RELEASE_ASSERT(textOffset >= 0);
1896         size_t bytecodeOffset = instructions().size();
1897         m_codeBlock->addOpProfileControlFlowBytecodeOffset(bytecodeOffset);
1898
1899         emitOpcode(op_profile_control_flow);
1900         instructions().append(textOffset);
1901     }
1902 }
1903
1904 unsigned BytecodeGenerator::addConstantIndex()
1905 {
1906     unsigned index = m_nextConstantOffset;
1907     m_constantPoolRegisters.append(FirstConstantRegisterIndex + m_nextConstantOffset);
1908     ++m_nextConstantOffset;
1909     return index;
1910 }
1911
1912 RegisterID* BytecodeGenerator::emitLoad(RegisterID* dst, bool b)
1913 {
1914     return emitLoad(dst, jsBoolean(b));
1915 }
1916
1917 RegisterID* BytecodeGenerator::emitLoad(RegisterID* dst, const Identifier& identifier)
1918 {
1919     ASSERT(!identifier.isSymbol());
1920     JSString*& stringInMap = m_stringMap.add(identifier.impl(), nullptr).iterator->value;
1921     if (!stringInMap)
1922         stringInMap = jsOwnedString(vm(), identifier.string());
1923
1924     return emitLoad(dst, JSValue(stringInMap));
1925 }
1926
1927 RegisterID* BytecodeGenerator::emitLoad(RegisterID* dst, JSValue v, SourceCodeRepresentation sourceCodeRepresentation)
1928 {
1929     RegisterID* constantID = addConstantValue(v, sourceCodeRepresentation);
1930     if (dst)
1931         return emitMove(dst, constantID);
1932     return constantID;
1933 }
1934
1935 RegisterID* BytecodeGenerator::emitLoad(RegisterID* dst, IdentifierSet& set)
1936 {
1937     for (const auto& entry : m_codeBlock->constantIdentifierSets()) {
1938         if (entry.first != set)
1939             continue;
1940         
1941         return &m_constantPoolRegisters[entry.second];
1942     }
1943     
1944     unsigned index = addConstantIndex();
1945     m_codeBlock->addSetConstant(set);
1946     RegisterID* m_setRegister = &m_constantPoolRegisters[index];
1947     
1948     if (dst)
1949         return emitMove(dst, m_setRegister);
1950     
1951     return m_setRegister;
1952 }
1953
1954 RegisterID* BytecodeGenerator::emitLoadGlobalObject(RegisterID* dst)
1955 {
1956     if (!m_globalObjectRegister) {
1957         int index = addConstantIndex();
1958         m_codeBlock->addConstant(JSValue());
1959         m_globalObjectRegister = &m_constantPoolRegisters[index];
1960         m_codeBlock->setGlobalObjectRegister(VirtualRegister(index));
1961     }
1962     if (dst)
1963         emitMove(dst, m_globalObjectRegister);
1964     return m_globalObjectRegister;
1965 }
1966
1967 template<typename LookUpVarKindFunctor>
1968 bool BytecodeGenerator::instantiateLexicalVariables(const VariableEnvironment& lexicalVariables, SymbolTable* symbolTable, ScopeRegisterType scopeRegisterType, LookUpVarKindFunctor lookUpVarKind)
1969 {
1970     bool hasCapturedVariables = false;
1971     {
1972         for (auto& entry : lexicalVariables) {
1973             ASSERT(entry.value.isLet() || entry.value.isConst() || entry.value.isFunction());
1974             ASSERT(!entry.value.isVar());
1975             SymbolTableEntry symbolTableEntry = symbolTable->get(NoLockingNecessary, entry.key.get());
1976             ASSERT(symbolTableEntry.isNull());
1977
1978             // Imported bindings which are not the namespace bindings are not allocated
1979             // in the module environment as usual variables' way.
1980             // And since these types of the variables only seen in the module environment,
1981             // other lexical environment need not to take care this.
1982             if (entry.value.isImported() && !entry.value.isImportedNamespace())
1983                 continue;
1984
1985             VarKind varKind = lookUpVarKind(entry.key.get(), entry.value);
1986             VarOffset varOffset;
1987             if (varKind == VarKind::Scope) {
1988                 varOffset = VarOffset(symbolTable->takeNextScopeOffset(NoLockingNecessary));
1989                 hasCapturedVariables = true;
1990             } else {
1991                 ASSERT(varKind == VarKind::Stack);
1992                 RegisterID* local;
1993                 if (scopeRegisterType == ScopeRegisterType::Block) {
1994                     local = newBlockScopeVariable();
1995                     local->ref();
1996                 } else
1997                     local = addVar();
1998                 varOffset = VarOffset(local->virtualRegister());
1999             }
2000
2001             SymbolTableEntry newEntry(varOffset, static_cast<unsigned>(entry.value.isConst() ? PropertyAttribute::ReadOnly : PropertyAttribute::None));
2002             symbolTable->add(NoLockingNecessary, entry.key.get(), newEntry);
2003         }
2004     }
2005     return hasCapturedVariables;
2006 }
2007
2008 void BytecodeGenerator::emitPrefillStackTDZVariables(const VariableEnvironment& lexicalVariables, SymbolTable* symbolTable)
2009 {
2010     // Prefill stack variables with the TDZ empty value.
2011     // Scope variables will be initialized to the TDZ empty value when JSLexicalEnvironment is allocated.
2012     for (auto& entry : lexicalVariables) {
2013         // Imported bindings which are not the namespace bindings are not allocated
2014         // in the module environment as usual variables' way.
2015         // And since these types of the variables only seen in the module environment,
2016         // other lexical environment need not to take care this.
2017         if (entry.value.isImported() && !entry.value.isImportedNamespace())
2018             continue;
2019
2020         if (entry.value.isFunction())
2021             continue;
2022
2023         SymbolTableEntry symbolTableEntry = symbolTable->get(NoLockingNecessary, entry.key.get());
2024         ASSERT(!symbolTableEntry.isNull());
2025         VarOffset offset = symbolTableEntry.varOffset();
2026         if (offset.isScope())
2027             continue;
2028
2029         ASSERT(offset.isStack());
2030         emitMoveEmptyValue(&registerFor(offset.stackOffset()));
2031     }
2032 }
2033
2034 void BytecodeGenerator::pushLexicalScope(VariableEnvironmentNode* node, TDZCheckOptimization tdzCheckOptimization, NestedScopeType nestedScopeType, RegisterID** constantSymbolTableResult, bool shouldInitializeBlockScopedFunctions)
2035 {
2036     VariableEnvironment& environment = node->lexicalVariables();
2037     RegisterID* constantSymbolTableResultTemp = nullptr;
2038     pushLexicalScopeInternal(environment, tdzCheckOptimization, nestedScopeType, &constantSymbolTableResultTemp, TDZRequirement::UnderTDZ, ScopeType::LetConstScope, ScopeRegisterType::Block);
2039
2040     if (shouldInitializeBlockScopedFunctions)
2041         initializeBlockScopedFunctions(environment, node->functionStack(), constantSymbolTableResultTemp);
2042
2043     if (constantSymbolTableResult && constantSymbolTableResultTemp)
2044         *constantSymbolTableResult = constantSymbolTableResultTemp;
2045 }
2046
2047 void BytecodeGenerator::pushLexicalScopeInternal(VariableEnvironment& environment, TDZCheckOptimization tdzCheckOptimization, NestedScopeType nestedScopeType,
2048     RegisterID** constantSymbolTableResult, TDZRequirement tdzRequirement, ScopeType scopeType, ScopeRegisterType scopeRegisterType)
2049 {
2050     if (!environment.size())
2051         return;
2052
2053     if (m_shouldEmitDebugHooks)
2054         environment.markAllVariablesAsCaptured();
2055
2056     SymbolTable* symbolTable = SymbolTable::create(*m_vm);
2057     switch (scopeType) {
2058     case ScopeType::CatchScope:
2059         symbolTable->setScopeType(SymbolTable::ScopeType::CatchScope);
2060         break;
2061     case ScopeType::LetConstScope:
2062         symbolTable->setScopeType(SymbolTable::ScopeType::LexicalScope);
2063         break;
2064     case ScopeType::FunctionNameScope:
2065         symbolTable->setScopeType(SymbolTable::ScopeType::FunctionNameScope);
2066         break;
2067     }
2068
2069     if (nestedScopeType == NestedScopeType::IsNested)
2070         symbolTable->markIsNestedLexicalScope();
2071
2072     auto lookUpVarKind = [] (UniquedStringImpl*, const VariableEnvironmentEntry& entry) -> VarKind {
2073         return entry.isCaptured() ? VarKind::Scope : VarKind::Stack;
2074     };
2075
2076     bool hasCapturedVariables = instantiateLexicalVariables(environment, symbolTable, scopeRegisterType, lookUpVarKind);
2077
2078     RegisterID* newScope = nullptr;
2079     RegisterID* constantSymbolTable = nullptr;
2080     int symbolTableConstantIndex = 0;
2081     if (vm()->typeProfiler()) {
2082         constantSymbolTable = addConstantValue(symbolTable);
2083         symbolTableConstantIndex = constantSymbolTable->index();
2084     }
2085     if (hasCapturedVariables) {
2086         if (scopeRegisterType == ScopeRegisterType::Block) {
2087             newScope = newBlockScopeVariable();
2088             newScope->ref();
2089         } else
2090             newScope = addVar();
2091         if (!constantSymbolTable) {
2092             ASSERT(!vm()->typeProfiler());
2093             constantSymbolTable = addConstantValue(symbolTable->cloneScopePart(*m_vm));
2094             symbolTableConstantIndex = constantSymbolTable->index();
2095         }
2096         if (constantSymbolTableResult)
2097             *constantSymbolTableResult = constantSymbolTable;
2098
2099         emitOpcode(op_create_lexical_environment);
2100         instructions().append(newScope->index());
2101         instructions().append(scopeRegister()->index());
2102         instructions().append(constantSymbolTable->index());
2103         instructions().append(addConstantValue(tdzRequirement == TDZRequirement::UnderTDZ ? jsTDZValue() : jsUndefined())->index());
2104
2105         emitMove(scopeRegister(), newScope);
2106
2107         pushLocalControlFlowScope();
2108     }
2109
2110     bool isWithScope = false;
2111     m_lexicalScopeStack.append({ symbolTable, newScope, isWithScope, symbolTableConstantIndex });
2112     pushTDZVariables(environment, tdzCheckOptimization, tdzRequirement);
2113
2114     if (tdzRequirement == TDZRequirement::UnderTDZ)
2115         emitPrefillStackTDZVariables(environment, symbolTable);
2116 }
2117
2118 void BytecodeGenerator::initializeBlockScopedFunctions(VariableEnvironment& environment, FunctionStack& functionStack, RegisterID* constantSymbolTable)
2119 {
2120     /*
2121      * We must transform block scoped function declarations in strict mode like so:
2122      *
2123      * function foo() {
2124      *     if (c) {
2125      *           function foo() { ... }
2126      *           if (bar) { ... }
2127      *           else { ... }
2128      *           function baz() { ... }
2129      *     }
2130      * }
2131      *
2132      * to:
2133      *
2134      * function foo() {
2135      *     if (c) {
2136      *         let foo = function foo() { ... }
2137      *         let baz = function baz() { ... }
2138      *         if (bar) { ... }
2139      *         else { ... }
2140      *     }
2141      * }
2142      * 
2143      * But without the TDZ checks.
2144     */
2145
2146     if (!environment.size()) {
2147         RELEASE_ASSERT(!functionStack.size());
2148         return;
2149     }
2150
2151     if (!functionStack.size())
2152         return;
2153
2154     SymbolTable* symbolTable = m_lexicalScopeStack.last().m_symbolTable;
2155     RegisterID* scope = m_lexicalScopeStack.last().m_scope;
2156     RefPtr<RegisterID> temp = newTemporary();
2157     int symbolTableIndex = constantSymbolTable ? constantSymbolTable->index() : 0;
2158     for (FunctionMetadataNode* function : functionStack) {
2159         const Identifier& name = function->ident();
2160         auto iter = environment.find(name.impl());
2161         RELEASE_ASSERT(iter != environment.end());
2162         RELEASE_ASSERT(iter->value.isFunction());
2163         // We purposefully don't hold the symbol table lock around this loop because emitNewFunctionExpressionCommon may GC.
2164         SymbolTableEntry entry = symbolTable->get(NoLockingNecessary, name.impl()); 
2165         RELEASE_ASSERT(!entry.isNull());
2166         emitNewFunctionExpressionCommon(temp.get(), function);
2167         bool isLexicallyScoped = true;
2168         emitPutToScope(scope, variableForLocalEntry(name, entry, symbolTableIndex, isLexicallyScoped), temp.get(), DoNotThrowIfNotFound, InitializationMode::Initialization);
2169     }
2170 }
2171
2172 void BytecodeGenerator::hoistSloppyModeFunctionIfNecessary(const Identifier& functionName)
2173 {
2174     if (m_scopeNode->hasSloppyModeHoistedFunction(functionName.impl())) {
2175         if (codeType() != EvalCode) {
2176             Variable currentFunctionVariable = variable(functionName);
2177             RefPtr<RegisterID> currentValue;
2178             if (RegisterID* local = currentFunctionVariable.local())
2179                 currentValue = local;
2180             else {
2181                 RefPtr<RegisterID> scope = emitResolveScope(nullptr, currentFunctionVariable);
2182                 currentValue = emitGetFromScope(newTemporary(), scope.get(), currentFunctionVariable, DoNotThrowIfNotFound);
2183             }
2184
2185             ASSERT(m_varScopeLexicalScopeStackIndex);
2186             ASSERT(*m_varScopeLexicalScopeStackIndex < m_lexicalScopeStack.size());
2187             LexicalScopeStackEntry varScope = m_lexicalScopeStack[*m_varScopeLexicalScopeStackIndex];
2188             SymbolTable* varSymbolTable = varScope.m_symbolTable;
2189             ASSERT(varSymbolTable->scopeType() == SymbolTable::ScopeType::VarScope);
2190             SymbolTableEntry entry = varSymbolTable->get(NoLockingNecessary, functionName.impl());
2191             if (functionName == propertyNames().arguments && entry.isNull()) {
2192                 // "arguments" might be put in the parameter scope when we have a non-simple
2193                 // parameter list since "arguments" is visible to expressions inside the
2194                 // parameter evaluation list.
2195                 // e.g:
2196                 // function foo(x = arguments) { { function arguments() { } } }
2197                 RELEASE_ASSERT(*m_varScopeLexicalScopeStackIndex > 0);
2198                 varScope = m_lexicalScopeStack[*m_varScopeLexicalScopeStackIndex - 1];
2199                 SymbolTable* parameterSymbolTable = varScope.m_symbolTable;
2200                 entry = parameterSymbolTable->get(NoLockingNecessary, functionName.impl());
2201             }
2202             RELEASE_ASSERT(!entry.isNull());
2203             bool isLexicallyScoped = false;
2204             emitPutToScope(varScope.m_scope, variableForLocalEntry(functionName, entry, varScope.m_symbolTableConstantIndex, isLexicallyScoped), currentValue.get(), DoNotThrowIfNotFound, InitializationMode::NotInitialization);
2205         } else {
2206             Variable currentFunctionVariable = variable(functionName);
2207             RefPtr<RegisterID> currentValue;
2208             if (RegisterID* local = currentFunctionVariable.local())
2209                 currentValue = local;
2210             else {
2211                 RefPtr<RegisterID> scope = emitResolveScope(nullptr, currentFunctionVariable);
2212                 currentValue = emitGetFromScope(newTemporary(), scope.get(), currentFunctionVariable, DoNotThrowIfNotFound);
2213             }
2214
2215             RefPtr<RegisterID> scopeId = emitResolveScopeForHoistingFuncDeclInEval(nullptr, functionName);
2216             RefPtr<RegisterID> checkResult = emitIsUndefined(newTemporary(), scopeId.get());
2217             
2218             Ref<Label> isNotVarScopeLabel = newLabel();
2219             emitJumpIfTrue(checkResult.get(), isNotVarScopeLabel.get());
2220
2221             // Put to outer scope
2222             emitPutToScope(scopeId.get(), functionName, currentValue.get(), DoNotThrowIfNotFound, InitializationMode::NotInitialization);
2223             emitLabel(isNotVarScopeLabel.get());
2224
2225         }
2226     }
2227 }
2228
2229 RegisterID* BytecodeGenerator::emitResolveScopeForHoistingFuncDeclInEval(RegisterID* dst, const Identifier& property)
2230 {
2231     ASSERT(m_codeType == EvalCode);
2232
2233     dst = finalDestination(dst);
2234     emitOpcode(op_resolve_scope_for_hoisting_func_decl_in_eval);
2235     instructions().append(kill(dst));
2236     instructions().append(m_topMostScope->index());
2237     instructions().append(addConstant(property));
2238     return dst;
2239 }
2240
2241 void BytecodeGenerator::popLexicalScope(VariableEnvironmentNode* node)
2242 {
2243     VariableEnvironment& environment = node->lexicalVariables();
2244     popLexicalScopeInternal(environment);
2245 }
2246
2247 void BytecodeGenerator::popLexicalScopeInternal(VariableEnvironment& environment)
2248 {
2249     // NOTE: This function only makes sense for scopes that aren't ScopeRegisterType::Var (only function name scope right now is ScopeRegisterType::Var).
2250     // This doesn't make sense for ScopeRegisterType::Var because we deref RegisterIDs here.
2251     if (!environment.size())
2252         return;
2253
2254     if (m_shouldEmitDebugHooks)
2255         environment.markAllVariablesAsCaptured();
2256
2257     auto stackEntry = m_lexicalScopeStack.takeLast();
2258     SymbolTable* symbolTable = stackEntry.m_symbolTable;
2259     bool hasCapturedVariables = false;
2260     for (auto& entry : environment) {
2261         if (entry.value.isCaptured()) {
2262             hasCapturedVariables = true;
2263             continue;
2264         }
2265         SymbolTableEntry symbolTableEntry = symbolTable->get(NoLockingNecessary, entry.key.get());
2266         ASSERT(!symbolTableEntry.isNull());
2267         VarOffset offset = symbolTableEntry.varOffset();
2268         ASSERT(offset.isStack());
2269         RegisterID* local = &registerFor(offset.stackOffset());
2270         local->deref();
2271     }
2272
2273     if (hasCapturedVariables) {
2274         RELEASE_ASSERT(stackEntry.m_scope);
2275         emitPopScope(scopeRegister(), stackEntry.m_scope);
2276         popLocalControlFlowScope();
2277         stackEntry.m_scope->deref();
2278     }
2279
2280     m_TDZStack.removeLast();
2281 }
2282
2283 void BytecodeGenerator::prepareLexicalScopeForNextForLoopIteration(VariableEnvironmentNode* node, RegisterID* loopSymbolTable)
2284 {
2285     VariableEnvironment& environment = node->lexicalVariables();
2286     if (!environment.size())
2287         return;
2288     if (m_shouldEmitDebugHooks)
2289         environment.markAllVariablesAsCaptured();
2290     if (!environment.hasCapturedVariables())
2291         return;
2292
2293     RELEASE_ASSERT(loopSymbolTable);
2294
2295     // This function needs to do setup for a for loop's activation if any of
2296     // the for loop's lexically declared variables are captured (that is, variables
2297     // declared in the loop header, not the loop body). This function needs to
2298     // make a copy of the current activation and copy the values from the previous
2299     // activation into the new activation because each iteration of a for loop
2300     // gets a new activation.
2301
2302     auto stackEntry = m_lexicalScopeStack.last();
2303     SymbolTable* symbolTable = stackEntry.m_symbolTable;
2304     RegisterID* loopScope = stackEntry.m_scope;
2305     ASSERT(symbolTable->scopeSize());
2306     ASSERT(loopScope);
2307     Vector<std::pair<RegisterID*, Identifier>> activationValuesToCopyOver;
2308
2309     {
2310         activationValuesToCopyOver.reserveInitialCapacity(symbolTable->scopeSize());
2311
2312         for (auto end = symbolTable->end(NoLockingNecessary), ptr = symbolTable->begin(NoLockingNecessary); ptr != end; ++ptr) {
2313             if (!ptr->value.varOffset().isScope())
2314                 continue;
2315
2316             RefPtr<UniquedStringImpl> ident = ptr->key;
2317             Identifier identifier = Identifier::fromUid(m_vm, ident.get());
2318
2319             RegisterID* transitionValue = newBlockScopeVariable();
2320             transitionValue->ref();
2321             emitGetFromScope(transitionValue, loopScope, variableForLocalEntry(identifier, ptr->value, loopSymbolTable->index(), true), DoNotThrowIfNotFound);
2322             activationValuesToCopyOver.uncheckedAppend(std::make_pair(transitionValue, identifier));
2323         }
2324     }
2325
2326     // We need this dynamic behavior of the executing code to ensure
2327     // each loop iteration has a new activation object. (It's pretty ugly).
2328     // Also, this new activation needs to be assigned to the same register
2329     // as the previous scope because the loop body is compiled under
2330     // the assumption that the scope's register index is constant even
2331     // though the value in that register will change on each loop iteration.
2332     RefPtr<RegisterID> parentScope = emitGetParentScope(newTemporary(), loopScope);
2333     emitMove(scopeRegister(), parentScope.get());
2334
2335     emitOpcode(op_create_lexical_environment);
2336     instructions().append(loopScope->index());
2337     instructions().append(scopeRegister()->index());
2338     instructions().append(loopSymbolTable->index());
2339     instructions().append(addConstantValue(jsTDZValue())->index());
2340
2341     emitMove(scopeRegister(), loopScope);
2342
2343     {
2344         for (auto pair : activationValuesToCopyOver) {
2345             const Identifier& identifier = pair.second;
2346             SymbolTableEntry entry = symbolTable->get(NoLockingNecessary, identifier.impl());
2347             RELEASE_ASSERT(!entry.isNull());
2348             RegisterID* transitionValue = pair.first;
2349             emitPutToScope(loopScope, variableForLocalEntry(identifier, entry, loopSymbolTable->index(), true), transitionValue, DoNotThrowIfNotFound, InitializationMode::NotInitialization);
2350             transitionValue->deref();
2351         }
2352     }
2353 }
2354
2355 Variable BytecodeGenerator::variable(const Identifier& property, ThisResolutionType thisResolutionType)
2356 {
2357     if (property == propertyNames().thisIdentifier && thisResolutionType == ThisResolutionType::Local)
2358         return Variable(property, VarOffset(thisRegister()->virtualRegister()), thisRegister(), static_cast<unsigned>(PropertyAttribute::ReadOnly), Variable::SpecialVariable, 0, false);
2359     
2360     // We can optimize lookups if the lexical variable is found before a "with" or "catch"
2361     // scope because we're guaranteed static resolution. If we have to pass through
2362     // a "with" or "catch" scope we loose this guarantee.
2363     // We can't optimize cases like this:
2364     // {
2365     //     let x = ...;
2366     //     with (o) {
2367     //         doSomethingWith(x);
2368     //     }
2369     // }
2370     // Because we can't gaurantee static resolution on x.
2371     // But, in this case, we are guaranteed static resolution:
2372     // {
2373     //     let x = ...;
2374     //     with (o) {
2375     //         let x = ...;
2376     //         doSomethingWith(x);
2377     //     }
2378     // }
2379     for (unsigned i = m_lexicalScopeStack.size(); i--; ) {
2380         auto& stackEntry = m_lexicalScopeStack[i];
2381         if (stackEntry.m_isWithScope)
2382             return Variable(property);
2383         SymbolTable* symbolTable = stackEntry.m_symbolTable;
2384         SymbolTableEntry symbolTableEntry = symbolTable->get(NoLockingNecessary, property.impl());
2385         if (symbolTableEntry.isNull())
2386             continue;
2387         bool resultIsCallee = false;
2388         if (symbolTable->scopeType() == SymbolTable::ScopeType::FunctionNameScope) {
2389             if (m_usesNonStrictEval) {
2390                 // We don't know if an eval has introduced a "var" named the same thing as the function name scope variable name.
2391                 // We resort to dynamic lookup to answer this question.
2392                 Variable result = Variable(property);
2393                 return result;
2394             }
2395             resultIsCallee = true;
2396         }
2397         Variable result = variableForLocalEntry(property, symbolTableEntry, stackEntry.m_symbolTableConstantIndex, symbolTable->scopeType() == SymbolTable::ScopeType::LexicalScope);
2398         if (resultIsCallee)
2399             result.setIsReadOnly();
2400         return result;
2401     }
2402     
2403     return Variable(property);
2404 }
2405
2406 Variable BytecodeGenerator::variableForLocalEntry(
2407     const Identifier& property, const SymbolTableEntry& entry, int symbolTableConstantIndex, bool isLexicallyScoped)
2408 {
2409     VarOffset offset = entry.varOffset();
2410     
2411     RegisterID* local;
2412     if (offset.isStack())
2413         local = &registerFor(offset.stackOffset());
2414     else
2415         local = nullptr;
2416     
2417     return Variable(property, offset, local, entry.getAttributes(), Variable::NormalVariable, symbolTableConstantIndex, isLexicallyScoped);
2418 }
2419
2420 void BytecodeGenerator::createVariable(
2421     const Identifier& property, VarKind varKind, SymbolTable* symbolTable, ExistingVariableMode existingVariableMode)
2422 {
2423     ASSERT(property != propertyNames().thisIdentifier);
2424     SymbolTableEntry entry = symbolTable->get(NoLockingNecessary, property.impl());
2425     
2426     if (!entry.isNull()) {
2427         if (existingVariableMode == IgnoreExisting)
2428             return;
2429         
2430         // Do some checks to ensure that the variable we're being asked to create is sufficiently
2431         // compatible with the one we have already created.
2432
2433         VarOffset offset = entry.varOffset();
2434         
2435         // We can't change our minds about whether it's captured.
2436         if (offset.kind() != varKind) {
2437             dataLog(
2438                 "Trying to add variable called ", property, " as ", varKind,
2439                 " but it was already added as ", offset, ".\n");
2440             RELEASE_ASSERT_NOT_REACHED();
2441         }
2442
2443         return;
2444     }
2445     
2446     VarOffset varOffset;
2447     if (varKind == VarKind::Scope)
2448         varOffset = VarOffset(symbolTable->takeNextScopeOffset(NoLockingNecessary));
2449     else {
2450         ASSERT(varKind == VarKind::Stack);
2451         varOffset = VarOffset(virtualRegisterForLocal(m_calleeLocals.size()));
2452     }
2453     SymbolTableEntry newEntry(varOffset, 0);
2454     symbolTable->add(NoLockingNecessary, property.impl(), newEntry);
2455     
2456     if (varKind == VarKind::Stack) {
2457         RegisterID* local = addVar();
2458         RELEASE_ASSERT(local->index() == varOffset.stackOffset().offset());
2459     }
2460 }
2461
2462 RegisterID* BytecodeGenerator::emitOverridesHasInstance(RegisterID* dst, RegisterID* constructor, RegisterID* hasInstanceValue)
2463 {
2464     emitOpcode(op_overrides_has_instance);
2465     instructions().append(dst->index());
2466     instructions().append(constructor->index());
2467     instructions().append(hasInstanceValue->index());
2468     return dst;
2469 }
2470
2471 // Indicates the least upper bound of resolve type based on local scope. The bytecode linker
2472 // will start with this ResolveType and compute the least upper bound including intercepting scopes.
2473 ResolveType BytecodeGenerator::resolveType()
2474 {
2475     for (unsigned i = m_lexicalScopeStack.size(); i--; ) {
2476         if (m_lexicalScopeStack[i].m_isWithScope)
2477             return Dynamic;
2478         if (m_usesNonStrictEval && m_lexicalScopeStack[i].m_symbolTable->scopeType() == SymbolTable::ScopeType::FunctionNameScope) {
2479             // We never want to assign to a FunctionNameScope. Returning Dynamic here achieves this goal.
2480             // If we aren't in non-strict eval mode, then NodesCodeGen needs to take care not to emit
2481             // a put_to_scope with the destination being the function name scope variable.
2482             return Dynamic;
2483         }
2484     }
2485
2486     if (m_usesNonStrictEval)
2487         return GlobalPropertyWithVarInjectionChecks;
2488     return GlobalProperty;
2489 }
2490
2491 RegisterID* BytecodeGenerator::emitResolveScope(RegisterID* dst, const Variable& variable)
2492 {
2493     switch (variable.offset().kind()) {
2494     case VarKind::Stack:
2495         return nullptr;
2496         
2497     case VarKind::DirectArgument:
2498         return argumentsRegister();
2499         
2500     case VarKind::Scope: {
2501         // This always refers to the activation that *we* allocated, and not the current scope that code
2502         // lives in. Note that this will change once we have proper support for block scoping. Once that
2503         // changes, it will be correct for this code to return scopeRegister(). The only reason why we
2504         // don't do that already is that m_lexicalEnvironment is required by ConstDeclNode. ConstDeclNode
2505         // requires weird things because it is a shameful pile of nonsense, but block scoping would make
2506         // that code sensible and obviate the need for us to do bad things.
2507         for (unsigned i = m_lexicalScopeStack.size(); i--; ) {
2508             auto& stackEntry = m_lexicalScopeStack[i];
2509             // We should not resolve a variable to VarKind::Scope if a "with" scope lies in between the current
2510             // scope and the resolved scope.
2511             RELEASE_ASSERT(!stackEntry.m_isWithScope);
2512
2513             if (stackEntry.m_symbolTable->get(NoLockingNecessary, variable.ident().impl()).isNull())
2514                 continue;
2515             
2516             RegisterID* scope = stackEntry.m_scope;
2517             RELEASE_ASSERT(scope);
2518             return scope;
2519         }
2520
2521         RELEASE_ASSERT_NOT_REACHED();
2522         return nullptr;
2523         
2524     }
2525     case VarKind::Invalid:
2526         // Indicates non-local resolution.
2527         
2528         m_codeBlock->addPropertyAccessInstruction(instructions().size());
2529         
2530         // resolve_scope dst, id, ResolveType, depth
2531         dst = tempDestination(dst);
2532         emitOpcode(op_resolve_scope);
2533         instructions().append(kill(dst));
2534         instructions().append(scopeRegister()->index());
2535         instructions().append(addConstant(variable.ident()));
2536         instructions().append(resolveType());
2537         instructions().append(localScopeDepth());
2538         instructions().append(0);
2539         return dst;
2540     }
2541     
2542     RELEASE_ASSERT_NOT_REACHED();
2543     return nullptr;
2544 }
2545
2546 RegisterID* BytecodeGenerator::emitGetFromScope(RegisterID* dst, RegisterID* scope, const Variable& variable, ResolveMode resolveMode)
2547 {
2548     switch (variable.offset().kind()) {
2549     case VarKind::Stack:
2550         return emitMove(dst, variable.local());
2551         
2552     case VarKind::DirectArgument: {
2553         UnlinkedValueProfile profile = emitProfiledOpcode(op_get_from_arguments);
2554         instructions().append(kill(dst));
2555         instructions().append(scope->index());
2556         instructions().append(variable.offset().capturedArgumentsOffset().offset());
2557         instructions().append(profile);
2558         return dst;
2559     }
2560         
2561     case VarKind::Scope:
2562     case VarKind::Invalid: {
2563         m_codeBlock->addPropertyAccessInstruction(instructions().size());
2564         
2565         // get_from_scope dst, scope, id, GetPutInfo, Structure, Operand
2566         UnlinkedValueProfile profile = emitProfiledOpcode(op_get_from_scope);
2567         instructions().append(kill(dst));
2568         instructions().append(scope->index());
2569         instructions().append(addConstant(variable.ident()));
2570         instructions().append(GetPutInfo(resolveMode, variable.offset().isScope() ? LocalClosureVar : resolveType(), InitializationMode::NotInitialization).operand());
2571         instructions().append(localScopeDepth());
2572         instructions().append(variable.offset().isScope() ? variable.offset().scopeOffset().offset() : 0);
2573         instructions().append(profile);
2574         return dst;
2575     } }
2576     
2577     RELEASE_ASSERT_NOT_REACHED();
2578 }
2579
2580 RegisterID* BytecodeGenerator::emitPutToScope(RegisterID* scope, const Variable& variable, RegisterID* value, ResolveMode resolveMode, InitializationMode initializationMode)
2581 {
2582     switch (variable.offset().kind()) {
2583     case VarKind::Stack:
2584         emitMove(variable.local(), value);
2585         return value;
2586         
2587     case VarKind::DirectArgument:
2588         emitOpcode(op_put_to_arguments);
2589         instructions().append(scope->index());
2590         instructions().append(variable.offset().capturedArgumentsOffset().offset());
2591         instructions().append(value->index());
2592         return value;
2593         
2594     case VarKind::Scope:
2595     case VarKind::Invalid: {
2596         m_codeBlock->addPropertyAccessInstruction(instructions().size());
2597         
2598         // put_to_scope scope, id, value, GetPutInfo, Structure, Operand
2599         emitOpcode(op_put_to_scope);
2600         instructions().append(scope->index());
2601         instructions().append(addConstant(variable.ident()));
2602         instructions().append(value->index());
2603         ScopeOffset offset;
2604         if (variable.offset().isScope()) {
2605             offset = variable.offset().scopeOffset();
2606             instructions().append(GetPutInfo(resolveMode, LocalClosureVar, initializationMode).operand());
2607             instructions().append(variable.symbolTableConstantIndex());
2608         } else {
2609             ASSERT(resolveType() != LocalClosureVar);
2610             instructions().append(GetPutInfo(resolveMode, resolveType(), initializationMode).operand());
2611             instructions().append(localScopeDepth());
2612         }
2613         instructions().append(!!offset ? offset.offset() : 0);
2614         return value;
2615     } }
2616     
2617     RELEASE_ASSERT_NOT_REACHED();
2618 }
2619
2620 RegisterID* BytecodeGenerator::initializeVariable(const Variable& variable, RegisterID* value)
2621 {
2622     RELEASE_ASSERT(variable.offset().kind() != VarKind::Invalid);
2623     RegisterID* scope = emitResolveScope(nullptr, variable);
2624     return emitPutToScope(scope, variable, value, ThrowIfNotFound, InitializationMode::NotInitialization);
2625 }
2626
2627 RegisterID* BytecodeGenerator::emitInstanceOf(RegisterID* dst, RegisterID* value, RegisterID* basePrototype)
2628 {
2629     emitOpcode(op_instanceof);
2630     instructions().append(dst->index());
2631     instructions().append(value->index());
2632     instructions().append(basePrototype->index());
2633     return dst;
2634 }
2635
2636 RegisterID* BytecodeGenerator::emitInstanceOfCustom(RegisterID* dst, RegisterID* value, RegisterID* constructor, RegisterID* hasInstanceValue)
2637 {
2638     emitOpcode(op_instanceof_custom);
2639     instructions().append(dst->index());
2640     instructions().append(value->index());
2641     instructions().append(constructor->index());
2642     instructions().append(hasInstanceValue->index());
2643     return dst;
2644 }
2645
2646 RegisterID* BytecodeGenerator::emitIn(RegisterID* dst, RegisterID* property, RegisterID* base)
2647 {
2648     UnlinkedArrayProfile arrayProfile = newArrayProfile();
2649     emitOpcode(op_in);
2650     instructions().append(dst->index());
2651     instructions().append(base->index());
2652     instructions().append(property->index());
2653     instructions().append(arrayProfile);
2654     return dst;
2655 }
2656
2657 RegisterID* BytecodeGenerator::emitTryGetById(RegisterID* dst, RegisterID* base, const Identifier& property)
2658 {
2659     ASSERT_WITH_MESSAGE(!parseIndex(property), "Indexed properties are not supported with tryGetById.");
2660
2661     UnlinkedValueProfile profile = emitProfiledOpcode(op_try_get_by_id);
2662     instructions().append(kill(dst));
2663     instructions().append(base->index());
2664     instructions().append(addConstant(property));
2665     instructions().append(profile);
2666     return dst;
2667 }
2668
2669 RegisterID* BytecodeGenerator::emitGetById(RegisterID* dst, RegisterID* base, const Identifier& property)
2670 {
2671     ASSERT_WITH_MESSAGE(!parseIndex(property), "Indexed properties should be handled with get_by_val.");
2672
2673     m_codeBlock->addPropertyAccessInstruction(instructions().size());
2674
2675     UnlinkedValueProfile profile = emitProfiledOpcode(op_get_by_id);
2676     instructions().append(kill(dst));
2677     instructions().append(base->index());
2678     instructions().append(addConstant(property));
2679     instructions().append(0);
2680     instructions().append(0);
2681     instructions().append(0);
2682     instructions().append(Options::prototypeHitCountForLLIntCaching());
2683     instructions().append(profile);
2684     return dst;
2685 }
2686
2687 RegisterID* BytecodeGenerator::emitGetById(RegisterID* dst, RegisterID* base, RegisterID* thisVal, const Identifier& property)
2688 {
2689     ASSERT_WITH_MESSAGE(!parseIndex(property), "Indexed properties should be handled with get_by_val.");
2690
2691     UnlinkedValueProfile profile = emitProfiledOpcode(op_get_by_id_with_this);
2692     instructions().append(kill(dst));
2693     instructions().append(base->index());
2694     instructions().append(thisVal->index());
2695     instructions().append(addConstant(property));
2696     instructions().append(profile);
2697     return dst;
2698 }
2699
2700 RegisterID* BytecodeGenerator::emitPutById(RegisterID* base, const Identifier& property, RegisterID* value)
2701 {
2702     ASSERT_WITH_MESSAGE(!parseIndex(property), "Indexed properties should be handled with put_by_val.");
2703
2704     unsigned propertyIndex = addConstant(property);
2705
2706     m_staticPropertyAnalyzer.putById(base->index(), propertyIndex);
2707
2708     m_codeBlock->addPropertyAccessInstruction(instructions().size());
2709
2710     emitOpcode(op_put_by_id);
2711     instructions().append(base->index());
2712     instructions().append(propertyIndex);
2713     instructions().append(value->index());
2714     instructions().append(0); // old structure
2715     instructions().append(0); // offset
2716     instructions().append(0); // new structure
2717     instructions().append(0); // structure chain
2718     instructions().append(static_cast<int>(PutByIdNone)); // is not direct
2719
2720     return value;
2721 }
2722
2723 RegisterID* BytecodeGenerator::emitPutById(RegisterID* base, RegisterID* thisValue, const Identifier& property, RegisterID* value)
2724 {
2725     ASSERT_WITH_MESSAGE(!parseIndex(property), "Indexed properties should be handled with put_by_val.");
2726
2727     unsigned propertyIndex = addConstant(property);
2728
2729     emitOpcode(op_put_by_id_with_this);
2730     instructions().append(base->index());
2731     instructions().append(thisValue->index());
2732     instructions().append(propertyIndex);
2733     instructions().append(value->index());
2734
2735     return value;
2736 }
2737
2738 RegisterID* BytecodeGenerator::emitDirectPutById(RegisterID* base, const Identifier& property, RegisterID* value, PropertyNode::PutType putType)
2739 {
2740     ASSERT_WITH_MESSAGE(!parseIndex(property), "Indexed properties should be handled with put_by_val(direct).");
2741
2742     unsigned propertyIndex = addConstant(property);
2743
2744     m_staticPropertyAnalyzer.putById(base->index(), propertyIndex);
2745
2746     m_codeBlock->addPropertyAccessInstruction(instructions().size());
2747     
2748     emitOpcode(op_put_by_id);
2749     instructions().append(base->index());
2750     instructions().append(propertyIndex);
2751     instructions().append(value->index());
2752     instructions().append(0); // old structure
2753     instructions().append(0); // offset
2754     instructions().append(0); // new structure
2755     instructions().append(0); // structure chain (unused if direct)
2756     instructions().append(static_cast<int>((putType == PropertyNode::KnownDirect || property != m_vm->propertyNames->underscoreProto) ? PutByIdIsDirect : PutByIdNone));
2757     return value;
2758 }
2759
2760 void BytecodeGenerator::emitPutGetterById(RegisterID* base, const Identifier& property, unsigned attributes, RegisterID* getter)
2761 {
2762     unsigned propertyIndex = addConstant(property);
2763     m_staticPropertyAnalyzer.putById(base->index(), propertyIndex);
2764
2765     emitOpcode(op_put_getter_by_id);
2766     instructions().append(base->index());
2767     instructions().append(propertyIndex);
2768     instructions().append(attributes);
2769     instructions().append(getter->index());
2770 }
2771
2772 void BytecodeGenerator::emitPutSetterById(RegisterID* base, const Identifier& property, unsigned attributes, RegisterID* setter)
2773 {
2774     unsigned propertyIndex = addConstant(property);
2775     m_staticPropertyAnalyzer.putById(base->index(), propertyIndex);
2776
2777     emitOpcode(op_put_setter_by_id);
2778     instructions().append(base->index());
2779     instructions().append(propertyIndex);
2780     instructions().append(attributes);
2781     instructions().append(setter->index());
2782 }
2783
2784 void BytecodeGenerator::emitPutGetterSetter(RegisterID* base, const Identifier& property, unsigned attributes, RegisterID* getter, RegisterID* setter)
2785 {
2786     unsigned propertyIndex = addConstant(property);
2787
2788     m_staticPropertyAnalyzer.putById(base->index(), propertyIndex);
2789
2790     emitOpcode(op_put_getter_setter_by_id);
2791     instructions().append(base->index());
2792     instructions().append(propertyIndex);
2793     instructions().append(attributes);
2794     instructions().append(getter->index());
2795     instructions().append(setter->index());
2796 }
2797
2798 void BytecodeGenerator::emitPutGetterByVal(RegisterID* base, RegisterID* property, unsigned attributes, RegisterID* getter)
2799 {
2800     emitOpcode(op_put_getter_by_val);
2801     instructions().append(base->index());
2802     instructions().append(property->index());
2803     instructions().append(attributes);
2804     instructions().append(getter->index());
2805 }
2806
2807 void BytecodeGenerator::emitPutSetterByVal(RegisterID* base, RegisterID* property, unsigned attributes, RegisterID* setter)
2808 {
2809     emitOpcode(op_put_setter_by_val);
2810     instructions().append(base->index());
2811     instructions().append(property->index());
2812     instructions().append(attributes);
2813     instructions().append(setter->index());
2814 }
2815
2816 void BytecodeGenerator::emitPutGeneratorFields(RegisterID* nextFunction)
2817 {
2818     // FIXME: Currently, we just create an object and store generator related fields as its properties for ease.
2819     // But to make it efficient, we will introduce JSGenerator class, add opcode new_generator and use its C++ fields instead of these private properties.
2820     // https://bugs.webkit.org/show_bug.cgi?id=151545
2821
2822     emitDirectPutById(m_generatorRegister, propertyNames().builtinNames().generatorNextPrivateName(), nextFunction, PropertyNode::KnownDirect);
2823
2824     // We do not store 'this' in arrow function within constructor,
2825     // because it might be not initialized, if super is called later.
2826     if (!(isDerivedConstructorContext() && m_codeBlock->parseMode() == SourceParseMode::AsyncArrowFunctionMode))
2827         emitDirectPutById(m_generatorRegister, propertyNames().builtinNames().generatorThisPrivateName(), &m_thisRegister, PropertyNode::KnownDirect);
2828
2829     emitDirectPutById(m_generatorRegister, propertyNames().builtinNames().generatorStatePrivateName(), emitLoad(nullptr, jsNumber(0)), PropertyNode::KnownDirect);
2830
2831     emitDirectPutById(m_generatorRegister, propertyNames().builtinNames().generatorFramePrivateName(), emitLoad(nullptr, jsNull()), PropertyNode::KnownDirect);
2832 }
2833
2834 void BytecodeGenerator::emitPutAsyncGeneratorFields(RegisterID* nextFunction)
2835 {
2836     ASSERT(isAsyncGeneratorFunctionParseMode(parseMode()));
2837
2838     emitDirectPutById(m_generatorRegister, propertyNames().builtinNames().generatorNextPrivateName(), nextFunction, PropertyNode::KnownDirect);
2839         
2840     emitDirectPutById(m_generatorRegister, propertyNames().builtinNames().generatorThisPrivateName(), &m_thisRegister, PropertyNode::KnownDirect);
2841         
2842     emitDirectPutById(m_generatorRegister, propertyNames().builtinNames().generatorStatePrivateName(), emitLoad(nullptr, jsNumber(static_cast<int32_t>(JSAsyncGeneratorFunction::AsyncGeneratorState::SuspendedStart))), PropertyNode::KnownDirect);
2843         
2844     emitDirectPutById(m_generatorRegister, propertyNames().builtinNames().generatorFramePrivateName(), emitLoad(nullptr, jsNull()), PropertyNode::KnownDirect);
2845
2846     emitDirectPutById(m_generatorRegister, propertyNames().builtinNames().asyncGeneratorSuspendReasonPrivateName(), emitLoad(nullptr, jsNumber(static_cast<int32_t>(JSAsyncGeneratorFunction::AsyncGeneratorSuspendReason::None))), PropertyNode::KnownDirect);
2847
2848     emitDirectPutById(m_generatorRegister, propertyNames().builtinNames().asyncGeneratorQueueFirstPrivateName(), emitLoad(nullptr, jsNull()), PropertyNode::KnownDirect);
2849     emitDirectPutById(m_generatorRegister, propertyNames().builtinNames().asyncGeneratorQueueLastPrivateName(), emitLoad(nullptr, jsNull()), PropertyNode::KnownDirect);
2850 }
2851
2852 RegisterID* BytecodeGenerator::emitDeleteById(RegisterID* dst, RegisterID* base, const Identifier& property)
2853 {
2854     emitOpcode(op_del_by_id);
2855     instructions().append(dst->index());
2856     instructions().append(base->index());
2857     instructions().append(addConstant(property));
2858     return dst;
2859 }
2860
2861 RegisterID* BytecodeGenerator::emitGetByVal(RegisterID* dst, RegisterID* base, RegisterID* property)
2862 {
2863     for (size_t i = m_forInContextStack.size(); i--; ) {
2864         ForInContext& context = m_forInContextStack[i].get();
2865         if (context.local() != property)
2866             continue;
2867
2868         unsigned instIndex = instructions().size();
2869
2870         if (context.type() == ForInContext::IndexedForInContextType) {
2871             static_cast<IndexedForInContext&>(context).addGetInst(instIndex, property->index());
2872             property = static_cast<IndexedForInContext&>(context).index();
2873             break;
2874         }
2875
2876         ASSERT(context.type() == ForInContext::StructureForInContextType);
2877         StructureForInContext& structureContext = static_cast<StructureForInContext&>(context);
2878         UnlinkedValueProfile profile = emitProfiledOpcode(op_get_direct_pname);
2879         instructions().append(kill(dst));
2880         instructions().append(base->index());
2881         instructions().append(property->index());
2882         instructions().append(structureContext.index()->index());
2883         instructions().append(structureContext.enumerator()->index());
2884         instructions().append(profile);
2885
2886         structureContext.addGetInst(instIndex, property->index(), profile);
2887         return dst;
2888     }
2889
2890     UnlinkedArrayProfile arrayProfile = newArrayProfile();
2891     UnlinkedValueProfile profile = emitProfiledOpcode(op_get_by_val);
2892     instructions().append(kill(dst));
2893     instructions().append(base->index());
2894     instructions().append(property->index());
2895     instructions().append(arrayProfile);
2896     instructions().append(profile);
2897     return dst;
2898 }
2899
2900 RegisterID* BytecodeGenerator::emitGetByVal(RegisterID* dst, RegisterID* base, RegisterID* thisValue, RegisterID* property)
2901 {
2902     UnlinkedValueProfile profile = emitProfiledOpcode(op_get_by_val_with_this);
2903     instructions().append(kill(dst));
2904     instructions().append(base->index());
2905     instructions().append(thisValue->index());
2906     instructions().append(property->index());
2907     instructions().append(profile);
2908     return dst;
2909 }
2910
2911 RegisterID* BytecodeGenerator::emitPutByVal(RegisterID* base, RegisterID* property, RegisterID* value)
2912 {
2913     UnlinkedArrayProfile arrayProfile = newArrayProfile();
2914     emitOpcode(op_put_by_val);
2915     instructions().append(base->index());
2916     instructions().append(property->index());
2917     instructions().append(value->index());
2918     instructions().append(arrayProfile);
2919
2920     return value;
2921 }
2922
2923 RegisterID* BytecodeGenerator::emitPutByVal(RegisterID* base, RegisterID* thisValue, RegisterID* property, RegisterID* value)
2924 {
2925     emitOpcode(op_put_by_val_with_this);
2926     instructions().append(base->index());
2927     instructions().append(thisValue->index());
2928     instructions().append(property->index());
2929     instructions().append(value->index());
2930
2931     return value;
2932 }
2933
2934 RegisterID* BytecodeGenerator::emitDirectPutByVal(RegisterID* base, RegisterID* property, RegisterID* value)
2935 {
2936     UnlinkedArrayProfile arrayProfile = newArrayProfile();
2937     emitOpcode(op_put_by_val_direct);
2938     instructions().append(base->index());
2939     instructions().append(property->index());
2940     instructions().append(value->index());
2941     instructions().append(arrayProfile);
2942     return value;
2943 }
2944
2945 RegisterID* BytecodeGenerator::emitDeleteByVal(RegisterID* dst, RegisterID* base, RegisterID* property)
2946 {
2947     emitOpcode(op_del_by_val);
2948     instructions().append(dst->index());
2949     instructions().append(base->index());
2950     instructions().append(property->index());
2951     return dst;
2952 }
2953
2954 RegisterID* BytecodeGenerator::emitPutByIndex(RegisterID* base, unsigned index, RegisterID* value)
2955 {
2956     emitOpcode(op_put_by_index);
2957     instructions().append(base->index());
2958     instructions().append(index);
2959     instructions().append(value->index());
2960     return value;
2961 }
2962
2963 RegisterID* BytecodeGenerator::emitAssert(RegisterID* condition, int line)
2964 {
2965     emitOpcode(op_assert);
2966     instructions().append(condition->index());
2967     instructions().append(line);
2968     return condition;
2969 }
2970
2971 void BytecodeGenerator::emitSuperSamplerBegin()
2972 {
2973     emitOpcode(op_super_sampler_begin);
2974 }
2975
2976 void BytecodeGenerator::emitSuperSamplerEnd()
2977 {
2978     emitOpcode(op_super_sampler_end);
2979 }
2980
2981 RegisterID* BytecodeGenerator::emitIdWithProfile(RegisterID* src, SpeculatedType profile)
2982 {
2983     emitOpcode(op_identity_with_profile);
2984     instructions().append(src->index());
2985     instructions().append(static_cast<uint32_t>(profile >> 32));
2986     instructions().append(static_cast<uint32_t>(profile));
2987     return src;
2988 }
2989
2990 void BytecodeGenerator::emitUnreachable()
2991 {
2992     emitOpcode(op_unreachable);
2993 }
2994
2995 RegisterID* BytecodeGenerator::emitGetArgument(RegisterID* dst, int32_t index)
2996 {
2997     UnlinkedValueProfile profile = emitProfiledOpcode(op_get_argument);
2998     instructions().append(dst->index());
2999     instructions().append(index + 1); // Including |this|.
3000     instructions().append(profile);
3001     return dst;
3002 }
3003
3004 RegisterID* BytecodeGenerator::emitCreateThis(RegisterID* dst)
3005 {
3006     size_t begin = instructions().size();
3007     m_staticPropertyAnalyzer.createThis(dst->index(), begin + 3);
3008
3009     m_codeBlock->addPropertyAccessInstruction(instructions().size());
3010     emitOpcode(op_create_this); 
3011     instructions().append(dst->index());
3012     instructions().append(dst->index());
3013     instructions().append(0);
3014     instructions().append(0);
3015     return dst;
3016 }
3017
3018 void BytecodeGenerator::emitTDZCheck(RegisterID* target)
3019 {
3020     emitOpcode(op_check_tdz);
3021     instructions().append(target->index());
3022 }
3023
3024 bool BytecodeGenerator::needsTDZCheck(const Variable& variable)
3025 {
3026     for (unsigned i = m_TDZStack.size(); i--;) {
3027         auto iter = m_TDZStack[i].find(variable.ident().impl());
3028         if (iter == m_TDZStack[i].end())
3029             continue;
3030         return iter->value != TDZNecessityLevel::NotNeeded;
3031     }
3032
3033     return false;
3034 }
3035
3036 void BytecodeGenerator::emitTDZCheckIfNecessary(const Variable& variable, RegisterID* target, RegisterID* scope)
3037 {
3038     if (needsTDZCheck(variable)) {
3039         if (target)
3040             emitTDZCheck(target);
3041         else {
3042             RELEASE_ASSERT(!variable.isLocal() && scope);
3043             RefPtr<RegisterID> result = emitGetFromScope(newTemporary(), scope, variable, DoNotThrowIfNotFound);
3044             emitTDZCheck(result.get());
3045         }
3046     }
3047 }
3048
3049 void BytecodeGenerator::liftTDZCheckIfPossible(const Variable& variable)
3050 {
3051     RefPtr<UniquedStringImpl> identifier(variable.ident().impl());
3052     for (unsigned i = m_TDZStack.size(); i--;) {
3053         auto iter = m_TDZStack[i].find(identifier);
3054         if (iter != m_TDZStack[i].end()) {
3055             if (iter->value == TDZNecessityLevel::Optimize)
3056                 iter->value = TDZNecessityLevel::NotNeeded;
3057             break;
3058         }
3059     }
3060 }
3061
3062 void BytecodeGenerator::pushTDZVariables(const VariableEnvironment& environment, TDZCheckOptimization optimization, TDZRequirement requirement)
3063 {
3064     if (!environment.size())
3065         return;
3066     
3067     TDZNecessityLevel level;
3068     if (requirement == TDZRequirement::UnderTDZ) {
3069         if (optimization == TDZCheckOptimization::Optimize)
3070             level = TDZNecessityLevel::Optimize;
3071         else
3072             level = TDZNecessityLevel::DoNotOptimize;
3073     } else
3074         level = TDZNecessityLevel::NotNeeded;
3075     
3076     TDZMap map;
3077     for (const auto& entry : environment)
3078         map.add(entry.key, entry.value.isFunction() ? TDZNecessityLevel::NotNeeded : level);
3079
3080     m_TDZStack.append(WTFMove(map));
3081 }
3082
3083 void BytecodeGenerator::getVariablesUnderTDZ(VariableEnvironment& result)
3084 {
3085     // We keep track of variablesThatDontNeedTDZ in this algorithm to prevent
3086     // reporting that "x" is under TDZ if this function is called at "...".
3087     //
3088     //     {
3089     //         {
3090     //             let x;
3091     //             ...
3092     //         }
3093     //         let x;
3094     //     }
3095     //
3096     SmallPtrSet<UniquedStringImpl*, 16> variablesThatDontNeedTDZ;
3097     for (unsigned i = m_TDZStack.size(); i--; ) {
3098         auto& map = m_TDZStack[i];
3099         for (auto& entry : map)  {
3100             if (entry.value != TDZNecessityLevel::NotNeeded) {
3101                 if (!variablesThatDontNeedTDZ.contains(entry.key.get()))
3102                     result.add(entry.key.get());
3103             } else
3104                 variablesThatDontNeedTDZ.add(entry.key.get());
3105         }
3106     }
3107 }
3108
3109 RegisterID* BytecodeGenerator::emitNewObject(RegisterID* dst)
3110 {
3111     size_t begin = instructions().size();
3112     m_staticPropertyAnalyzer.newObject(dst->index(), begin + 2);
3113
3114     emitOpcode(op_new_object);
3115     instructions().append(dst->index());
3116     instructions().append(0);
3117     instructions().append(newObjectAllocationProfile());
3118     return dst;
3119 }
3120
3121 unsigned BytecodeGenerator::addConstantBuffer(unsigned length)
3122 {
3123     return m_codeBlock->addConstantBuffer(length);
3124 }
3125
3126 JSString* BytecodeGenerator::addStringConstant(const Identifier& identifier)
3127 {
3128     JSString*& stringInMap = m_stringMap.add(identifier.impl(), nullptr).iterator->value;
3129     if (!stringInMap) {
3130         stringInMap = jsString(vm(), identifier.string());
3131         addConstantValue(stringInMap);
3132     }
3133     return stringInMap;
3134 }
3135
3136 RegisterID* BytecodeGenerator::addTemplateRegistryKeyConstant(Ref<TemplateRegistryKey>&& templateRegistryKey)
3137 {
3138     return m_templateRegistryKeyMap.ensure(templateRegistryKey.copyRef(), [&] {
3139         auto* result = JSTemplateRegistryKey::create(*vm(), WTFMove(templateRegistryKey));
3140         unsigned index = addConstantIndex();
3141         m_codeBlock->addConstant(result);
3142         return &m_constantPoolRegisters[index];
3143     }).iterator->value;
3144 }
3145
3146 RegisterID* BytecodeGenerator::emitNewArray(RegisterID* dst, ElementNode* elements, unsigned length)
3147 {
3148 #if !ASSERT_DISABLED
3149     unsigned checkLength = 0;
3150 #endif
3151     bool hadVariableExpression = false;
3152     if (length) {
3153         for (ElementNode* n = elements; n; n = n->next()) {
3154             if (!n->value()->isConstant()) {
3155                 hadVariableExpression = true;
3156                 break;
3157             }
3158             if (n->elision())
3159                 break;
3160 #if !ASSERT_DISABLED
3161             checkLength++;<