[ES6] implement block scoping to enable 'let'
[WebKit-https.git] / Source / JavaScriptCore / bytecompiler / NodesCodegen.cpp
1 /*
2 *  Copyright (C) 1999-2002 Harri Porten (porten@kde.org)
3 *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
4 *  Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2012, 2013, 2015 Apple Inc. All rights reserved.
5 *  Copyright (C) 2007 Cameron Zwarich (cwzwarich@uwaterloo.ca)
6 *  Copyright (C) 2007 Maks Orlovich
7 *  Copyright (C) 2007 Eric Seidel <eric@webkit.org>
8  * Copyright (C) 2012 Igalia, S.L.
9 *
10 *  This library is free software; you can redistribute it and/or
11 *  modify it under the terms of the GNU Library General Public
12 *  License as published by the Free Software Foundation; either
13 *  version 2 of the License, or (at your option) any later version.
14 *
15 *  This library is distributed in the hope that it will be useful,
16 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
17 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
18 *  Library General Public License for more details.
19 *
20 *  You should have received a copy of the GNU Library General Public License
21 *  along with this library; see the file COPYING.LIB.  If not, write to
22 *  the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
23 *  Boston, MA 02110-1301, USA.
24 *
25 */
26
27 #include "config.h"
28 #include "Nodes.h"
29 #include "NodeConstructors.h"
30
31 #include "BuiltinNames.h"
32 #include "BytecodeGenerator.h"
33 #include "CallFrame.h"
34 #include "Debugger.h"
35 #include "JIT.h"
36 #include "JSFunction.h"
37 #include "JSGlobalObject.h"
38 #include "JSNameScope.h"
39 #include "JSONObject.h"
40 #include "LabelScope.h"
41 #include "Lexer.h"
42 #include "JSCInlines.h"
43 #include "JSTemplateRegistryKey.h"
44 #include "Parser.h"
45 #include "PropertyNameArray.h"
46 #include "RegExpCache.h"
47 #include "RegExpObject.h"
48 #include "SamplingTool.h"
49 #include "StackAlignment.h"
50 #include "TemplateRegistryKey.h"
51 #include <wtf/Assertions.h>
52 #include <wtf/RefCountedLeakCounter.h>
53 #include <wtf/Threading.h>
54
55 using namespace WTF;
56
57 namespace JSC {
58
59 /*
60     Details of the emitBytecode function.
61
62     Return value: The register holding the production's value.
63              dst: An optional parameter specifying the most efficient destination at
64                   which to store the production's value. The callee must honor dst.
65
66     The dst argument provides for a crude form of copy propagation. For example,
67
68         x = 1
69
70     becomes
71     
72         load r[x], 1
73     
74     instead of 
75
76         load r0, 1
77         mov r[x], r0
78     
79     because the assignment node, "x =", passes r[x] as dst to the number node, "1".
80 */
81
82 void ExpressionNode::emitBytecodeInConditionContext(BytecodeGenerator& generator, Label* trueTarget, Label* falseTarget, FallThroughMode fallThroughMode)
83 {
84     RegisterID* result = generator.emitNode(this);
85     if (fallThroughMode == FallThroughMeansTrue)
86         generator.emitJumpIfFalse(result, falseTarget);
87     else
88         generator.emitJumpIfTrue(result, trueTarget);
89 }
90
91 // ------------------------------ ThrowableExpressionData --------------------------------
92
93 RegisterID* ThrowableExpressionData::emitThrowReferenceError(BytecodeGenerator& generator, const String& message)
94 {
95     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
96     generator.emitThrowReferenceError(message);
97     return generator.newTemporary();
98 }
99
100 // ------------------------------ ConstantNode ----------------------------------
101
102 void ConstantNode::emitBytecodeInConditionContext(BytecodeGenerator& generator, Label* trueTarget, Label* falseTarget, FallThroughMode fallThroughMode)
103 {
104     TriState value = jsValue(generator).pureToBoolean();
105     if (value == MixedTriState)
106         ExpressionNode::emitBytecodeInConditionContext(generator, trueTarget, falseTarget, fallThroughMode);
107     else if (value == TrueTriState && fallThroughMode == FallThroughMeansFalse)
108         generator.emitJump(trueTarget);
109     else if (value == FalseTriState && fallThroughMode == FallThroughMeansTrue)
110         generator.emitJump(falseTarget);
111
112     // All other cases are unconditional fall-throughs, like "if (true)".
113 }
114
115 RegisterID* ConstantNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
116 {
117     if (dst == generator.ignoredResult())
118         return 0;
119     return generator.emitLoad(dst, jsValue(generator));
120 }
121
122 JSValue StringNode::jsValue(BytecodeGenerator& generator) const
123 {
124     return generator.addStringConstant(m_value);
125 }
126
127 // ------------------------------ NumberNode ----------------------------------
128
129 RegisterID* NumberNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
130 {
131     if (dst == generator.ignoredResult())
132         return nullptr;
133     return generator.emitLoad(dst, jsValue(generator), isIntegerNode() ? SourceCodeRepresentation::Integer : SourceCodeRepresentation::Double);
134 }
135
136 // ------------------------------ RegExpNode -----------------------------------
137
138 RegisterID* RegExpNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
139 {
140     if (dst == generator.ignoredResult())
141         return 0;
142     return generator.emitNewRegExp(generator.finalDestination(dst), RegExp::create(*generator.vm(), m_pattern.string(), regExpFlags(m_flags.string())));
143 }
144
145 // ------------------------------ ThisNode -------------------------------------
146
147 RegisterID* ThisNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
148 {
149     if (m_shouldAlwaysEmitTDZCheck || generator.constructorKind() == ConstructorKind::Derived)
150         generator.emitTDZCheck(generator.thisRegister());
151
152     if (dst == generator.ignoredResult())
153         return 0;
154
155     RegisterID* result = generator.moveToDestinationIfNeeded(dst, generator.thisRegister());
156     if (generator.vm()->typeProfiler()) {
157         generator.emitProfileType(generator.thisRegister(), ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
158         static const unsigned thisLength = 4;
159         generator.emitTypeProfilerExpressionInfo(position(), JSTextPosition(-1, position().offset + thisLength, -1));
160     }
161     return result;
162 }
163
164 // ------------------------------ SuperNode -------------------------------------
165
166 RegisterID* SuperNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
167 {
168     if (dst == generator.ignoredResult())
169         return 0;
170
171     RegisterID callee;
172     callee.setIndex(JSStack::Callee);
173
174     RefPtr<RegisterID> homeObject = generator.emitGetById(generator.newTemporary(), &callee, generator.propertyNames().homeObjectPrivateName);
175     RefPtr<RegisterID> protoParent = generator.emitGetById(generator.newTemporary(), homeObject.get(), generator.propertyNames().underscoreProto);
176     return generator.emitGetById(generator.finalDestination(dst), protoParent.get(), generator.propertyNames().constructor);
177 }
178
179 static RegisterID* emitSuperBaseForCallee(BytecodeGenerator& generator)
180 {
181     RegisterID callee;
182     callee.setIndex(JSStack::Callee);
183
184     RefPtr<RegisterID> homeObject = generator.emitGetById(generator.newTemporary(), &callee, generator.propertyNames().homeObjectPrivateName);
185     return generator.emitGetById(generator.newTemporary(), homeObject.get(), generator.propertyNames().underscoreProto);
186 }
187
188 // ------------------------------ ResolveNode ----------------------------------
189
190 bool ResolveNode::isPure(BytecodeGenerator& generator) const
191 {
192     return generator.variable(m_ident).offset().isStack();
193 }
194
195 RegisterID* ResolveNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
196 {
197     Variable var = generator.variable(m_ident);
198     if (RegisterID* local = var.local()) {
199         generator.emitTDZCheckIfNecessary(var, local, nullptr);
200         if (dst == generator.ignoredResult())
201             return nullptr;
202         if (generator.vm()->typeProfiler()) {
203             generator.emitProfileType(local, ProfileTypeBytecodeHasGlobalID, nullptr);
204             generator.emitTypeProfilerExpressionInfo(m_position, JSTextPosition(-1, m_position.offset + m_ident.length(), -1));
205         }
206         return generator.moveToDestinationIfNeeded(dst, local);
207     }
208     
209     JSTextPosition divot = m_start + m_ident.length();
210     generator.emitExpressionInfo(divot, m_start, divot);
211     RefPtr<RegisterID> scope = generator.emitResolveScope(dst, var);
212     RegisterID* finalDest = generator.finalDestination(dst);
213     RegisterID* result = generator.emitGetFromScope(finalDest, scope.get(), var, ThrowIfNotFound);
214     generator.emitTDZCheckIfNecessary(var, finalDest, nullptr);
215     if (generator.vm()->typeProfiler()) {
216         generator.emitProfileType(finalDest, var.isResolved() ? ProfileTypeBytecodeGetFromLocalScope : ProfileTypeBytecodeGetFromScope, &m_ident);
217         generator.emitTypeProfilerExpressionInfo(m_position, JSTextPosition(-1, m_position.offset + m_ident.length(), -1));
218     }
219     return result;
220 }
221
222 #if ENABLE(ES6_TEMPLATE_LITERAL_SYNTAX)
223 // ------------------------------ TemplateStringNode -----------------------------------
224
225 RegisterID* TemplateStringNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
226 {
227     if (dst == generator.ignoredResult())
228         return nullptr;
229     return generator.emitLoad(dst, JSValue(generator.addStringConstant(cooked())));
230 }
231
232 // ------------------------------ TemplateLiteralNode -----------------------------------
233
234 RegisterID* TemplateLiteralNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
235 {
236     if (!m_templateExpressions) {
237         TemplateStringNode* templateString = m_templateStrings->value();
238         ASSERT_WITH_MESSAGE(!m_templateStrings->next(), "Only one template element exists because there's no expression in a given template literal.");
239         return generator.emitNode(dst, templateString);
240     }
241
242     Vector<RefPtr<RegisterID>, 16> temporaryRegisters;
243
244     TemplateStringListNode* templateString = m_templateStrings;
245     TemplateExpressionListNode* templateExpression = m_templateExpressions;
246     for (; templateExpression; templateExpression = templateExpression->next(), templateString = templateString->next()) {
247         // Evaluate TemplateString.
248         if (!templateString->value()->cooked().isEmpty()) {
249             temporaryRegisters.append(generator.newTemporary());
250             generator.emitNode(temporaryRegisters.last().get(), templateString->value());
251         }
252
253         // Evaluate Expression.
254         temporaryRegisters.append(generator.newTemporary());
255         generator.emitNode(temporaryRegisters.last().get(), templateExpression->value());
256         generator.emitToString(temporaryRegisters.last().get(), temporaryRegisters.last().get());
257     }
258
259     // Evaluate tail TemplateString.
260     if (!templateString->value()->cooked().isEmpty()) {
261         temporaryRegisters.append(generator.newTemporary());
262         generator.emitNode(temporaryRegisters.last().get(), templateString->value());
263     }
264
265     return generator.emitStrcat(generator.finalDestination(dst, temporaryRegisters[0].get()), temporaryRegisters[0].get(), temporaryRegisters.size());
266 }
267
268 // ------------------------------ TaggedTemplateNode -----------------------------------
269
270 RegisterID* TaggedTemplateNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
271 {
272     ExpectedFunction expectedFunction = NoExpectedFunction;
273     RefPtr<RegisterID> tag = nullptr;
274     RefPtr<RegisterID> base = nullptr;
275     if (!m_tag->isLocation()) {
276         tag = generator.newTemporary();
277         tag = generator.emitNode(tag.get(), m_tag);
278     } else if (m_tag->isResolveNode()) {
279         ResolveNode* resolve = static_cast<ResolveNode*>(m_tag);
280         const Identifier& identifier = resolve->identifier();
281         expectedFunction = generator.expectedFunctionForIdentifier(identifier);
282
283         Variable var = generator.variable(identifier);
284         if (RegisterID* local = var.local())
285             tag = generator.emitMove(generator.newTemporary(), local);
286         else {
287             tag = generator.newTemporary();
288             base = generator.newTemporary();
289
290             JSTextPosition newDivot = divotStart() + identifier.length();
291             generator.emitExpressionInfo(newDivot, divotStart(), newDivot);
292             generator.moveToDestinationIfNeeded(base.get(), generator.emitResolveScope(base.get(), var));
293             generator.emitGetFromScope(tag.get(), base.get(), var, ThrowIfNotFound);
294         }
295     } else if (m_tag->isBracketAccessorNode()) {
296         BracketAccessorNode* bracket = static_cast<BracketAccessorNode*>(m_tag);
297         base = generator.newTemporary();
298         base = generator.emitNode(base.get(), bracket->base());
299         RefPtr<RegisterID> property = generator.emitNode(bracket->subscript());
300         tag = generator.emitGetByVal(generator.newTemporary(), base.get(), property.get());
301     } else {
302         ASSERT(m_tag->isDotAccessorNode());
303         DotAccessorNode* dot = static_cast<DotAccessorNode*>(m_tag);
304         base = generator.newTemporary();
305         base = generator.emitNode(base.get(), dot->base());
306         tag = generator.emitGetById(generator.newTemporary(), base.get(), dot->identifier());
307     }
308
309     RefPtr<RegisterID> templateObject = generator.emitGetTemplateObject(generator.newTemporary(), this);
310
311     unsigned expressionsCount = 0;
312     for (TemplateExpressionListNode* templateExpression = m_templateLiteral->templateExpressions(); templateExpression; templateExpression = templateExpression->next())
313         ++expressionsCount;
314
315     CallArguments callArguments(generator, nullptr, 1 + expressionsCount);
316     if (base)
317         generator.emitMove(callArguments.thisRegister(), base.get());
318     else
319         generator.emitLoad(callArguments.thisRegister(), jsUndefined());
320
321     unsigned argumentIndex = 0;
322     generator.emitMove(callArguments.argumentRegister(argumentIndex++), templateObject.get());
323     for (TemplateExpressionListNode* templateExpression = m_templateLiteral->templateExpressions(); templateExpression; templateExpression = templateExpression->next())
324         generator.emitNode(callArguments.argumentRegister(argumentIndex++), templateExpression->value());
325
326     return generator.emitCall(generator.finalDestination(dst, tag.get()), tag.get(), expectedFunction, callArguments, divot(), divotStart(), divotEnd());
327 }
328 #endif
329
330 // ------------------------------ ArrayNode ------------------------------------
331
332 RegisterID* ArrayNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
333 {
334     // FIXME: Should we put all of this code into emitNewArray?
335
336     unsigned length = 0;
337     ElementNode* firstPutElement;
338     for (firstPutElement = m_element; firstPutElement; firstPutElement = firstPutElement->next()) {
339         if (firstPutElement->elision() || firstPutElement->value()->isSpreadExpression())
340             break;
341         ++length;
342     }
343
344     if (!firstPutElement && !m_elision)
345         return generator.emitNewArray(generator.finalDestination(dst), m_element, length);
346
347     RefPtr<RegisterID> array = generator.emitNewArray(generator.tempDestination(dst), m_element, length);
348     ElementNode* n = firstPutElement;
349     for (; n; n = n->next()) {
350         if (n->value()->isSpreadExpression())
351             goto handleSpread;
352         RegisterID* value = generator.emitNode(n->value());
353         length += n->elision();
354         generator.emitPutByIndex(array.get(), length++, value);
355     }
356
357     if (m_elision) {
358         RegisterID* value = generator.emitLoad(0, jsNumber(m_elision + length));
359         generator.emitPutById(array.get(), generator.propertyNames().length, value);
360     }
361
362     return generator.moveToDestinationIfNeeded(dst, array.get());
363     
364 handleSpread:
365     RefPtr<RegisterID> index = generator.emitLoad(generator.newTemporary(), jsNumber(length));
366     auto spreader = [this, array, index](BytecodeGenerator& generator, RegisterID* value)
367     {
368         generator.emitDirectPutByVal(array.get(), index.get(), value);
369         generator.emitInc(index.get());
370     };
371     for (; n; n = n->next()) {
372         if (n->elision())
373             generator.emitBinaryOp(op_add, index.get(), index.get(), generator.emitLoad(0, jsNumber(n->elision())), OperandTypes(ResultType::numberTypeIsInt32(), ResultType::numberTypeIsInt32()));
374         if (n->value()->isSpreadExpression()) {
375             SpreadExpressionNode* spread = static_cast<SpreadExpressionNode*>(n->value());
376             generator.emitEnumeration(spread, spread->expression(), spreader);
377         } else {
378             generator.emitDirectPutByVal(array.get(), index.get(), generator.emitNode(n->value()));
379             generator.emitInc(index.get());
380         }
381     }
382     
383     if (m_elision) {
384         generator.emitBinaryOp(op_add, index.get(), index.get(), generator.emitLoad(0, jsNumber(m_elision)), OperandTypes(ResultType::numberTypeIsInt32(), ResultType::numberTypeIsInt32()));
385         generator.emitPutById(array.get(), generator.propertyNames().length, index.get());
386     }
387     return generator.moveToDestinationIfNeeded(dst, array.get());
388 }
389
390 bool ArrayNode::isSimpleArray() const
391 {
392     if (m_elision || m_optional)
393         return false;
394     for (ElementNode* ptr = m_element; ptr; ptr = ptr->next()) {
395         if (ptr->elision())
396             return false;
397     }
398     return true;
399 }
400
401 ArgumentListNode* ArrayNode::toArgumentList(ParserArena& parserArena, int lineNumber, int startPosition) const
402 {
403     ASSERT(!m_elision && !m_optional);
404     ElementNode* ptr = m_element;
405     if (!ptr)
406         return 0;
407     JSTokenLocation location;
408     location.line = lineNumber;
409     location.startOffset = startPosition;
410     ArgumentListNode* head = new (parserArena) ArgumentListNode(location, ptr->value());
411     ArgumentListNode* tail = head;
412     ptr = ptr->next();
413     for (; ptr; ptr = ptr->next()) {
414         ASSERT(!ptr->elision());
415         tail = new (parserArena) ArgumentListNode(location, tail, ptr->value());
416     }
417     return head;
418 }
419
420 // ------------------------------ ObjectLiteralNode ----------------------------
421
422 RegisterID* ObjectLiteralNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
423 {
424     if (!m_list) {
425         if (dst == generator.ignoredResult())
426             return 0;
427         return generator.emitNewObject(generator.finalDestination(dst));
428     }
429     RefPtr<RegisterID> newObj = generator.emitNewObject(generator.tempDestination(dst));
430     generator.emitNode(newObj.get(), m_list);
431     return generator.moveToDestinationIfNeeded(dst, newObj.get());
432 }
433
434 // ------------------------------ PropertyListNode -----------------------------
435
436 static inline void emitPutHomeObject(BytecodeGenerator& generator, RegisterID* function, RegisterID* homeObject)
437 {
438     generator.emitPutById(function, generator.propertyNames().homeObjectPrivateName, homeObject);
439 }
440
441 RegisterID* PropertyListNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
442 {
443     // Fast case: this loop just handles regular value properties.
444     PropertyListNode* p = this;
445     for (; p && (p->m_node->m_type & PropertyNode::Constant); p = p->m_next)
446         emitPutConstantProperty(generator, dst, *p->m_node);
447
448     // Were there any get/set properties?
449     if (p) {
450         // Build a list of getter/setter pairs to try to put them at the same time. If we encounter
451         // a computed property, just emit everything as that may override previous values.
452         bool hasComputedProperty = false;
453
454         typedef std::pair<PropertyNode*, PropertyNode*> GetterSetterPair;
455         typedef HashMap<UniquedStringImpl*, GetterSetterPair, IdentifierRepHash> GetterSetterMap;
456         GetterSetterMap map;
457
458         // Build a map, pairing get/set values together.
459         for (PropertyListNode* q = p; q; q = q->m_next) {
460             PropertyNode* node = q->m_node;
461             if (node->m_type & PropertyNode::Computed) {
462                 hasComputedProperty = true;
463                 break;
464             }
465             if (node->m_type & PropertyNode::Constant)
466                 continue;
467
468             // Duplicates are possible.
469             GetterSetterPair pair(node, static_cast<PropertyNode*>(nullptr));
470             GetterSetterMap::AddResult result = map.add(node->name()->impl(), pair);
471             if (!result.isNewEntry) {
472                 if (result.iterator->value.first->m_type == node->m_type)
473                     result.iterator->value.first = node;
474                 else
475                     result.iterator->value.second = node;
476             }
477         }
478
479         // Iterate over the remaining properties in the list.
480         for (; p; p = p->m_next) {
481             PropertyNode* node = p->m_node;
482
483             // Handle regular values.
484             if (node->m_type & PropertyNode::Constant) {
485                 emitPutConstantProperty(generator, dst, *node);
486                 continue;
487             }
488
489             RegisterID* value = generator.emitNode(node->m_assign);
490             bool isClassProperty = node->needsSuperBinding();
491             if (isClassProperty)
492                 emitPutHomeObject(generator, value, dst);
493
494             ASSERT(node->m_type & (PropertyNode::Getter | PropertyNode::Setter));
495
496             // This is a get/set property which may be overridden by a computed property later.
497             if (hasComputedProperty) {
498                 if (node->m_type & PropertyNode::Getter)
499                     generator.emitPutGetterById(dst, *node->name(), value);
500                 else
501                     generator.emitPutSetterById(dst, *node->name(), value);
502                 continue;
503             }
504
505             // This is a get/set property pair.
506             GetterSetterMap::iterator it = map.find(node->name()->impl());
507             ASSERT(it != map.end());
508             GetterSetterPair& pair = it->value;
509
510             // Was this already generated as a part of its partner?
511             if (pair.second == node)
512                 continue;
513
514             // Generate the paired node now.
515             RefPtr<RegisterID> getterReg;
516             RefPtr<RegisterID> setterReg;
517             RegisterID* secondReg = nullptr;
518
519             if (node->m_type & PropertyNode::Getter) {
520                 getterReg = value;
521                 if (pair.second) {
522                     ASSERT(pair.second->m_type & PropertyNode::Setter);
523                     setterReg = generator.emitNode(pair.second->m_assign);
524                     secondReg = setterReg.get();
525                 } else {
526                     setterReg = generator.newTemporary();
527                     generator.emitLoad(setterReg.get(), jsUndefined());
528                 }
529             } else {
530                 ASSERT(node->m_type & PropertyNode::Setter);
531                 setterReg = value;
532                 if (pair.second) {
533                     ASSERT(pair.second->m_type & PropertyNode::Getter);
534                     getterReg = generator.emitNode(pair.second->m_assign);
535                     secondReg = getterReg.get();
536                 } else {
537                     getterReg = generator.newTemporary();
538                     generator.emitLoad(getterReg.get(), jsUndefined());
539                 }
540             }
541
542             ASSERT(!pair.second || isClassProperty == pair.second->needsSuperBinding());
543             if (isClassProperty && pair.second)
544                 emitPutHomeObject(generator, secondReg, dst);
545
546             if (isClassProperty) {
547                 RefPtr<RegisterID> propertyNameRegister = generator.emitLoad(generator.newTemporary(), *node->name());
548                 generator.emitCallDefineProperty(dst, propertyNameRegister.get(),
549                     nullptr, getterReg.get(), setterReg.get(), BytecodeGenerator::PropertyConfigurable, m_position);
550             } else
551                 generator.emitPutGetterSetter(dst, *node->name(), getterReg.get(), setterReg.get());
552         }
553     }
554
555     return dst;
556 }
557
558 void PropertyListNode::emitPutConstantProperty(BytecodeGenerator& generator, RegisterID* newObj, PropertyNode& node)
559 {
560     RefPtr<RegisterID> value = generator.emitNode(node.m_assign);
561     if (node.needsSuperBinding()) {
562         emitPutHomeObject(generator, value.get(), newObj);
563
564         RefPtr<RegisterID> propertyNameRegister;
565         if (node.name())
566             propertyNameRegister = generator.emitLoad(generator.newTemporary(), *node.name());
567         else
568             propertyNameRegister = generator.emitNode(node.m_expression);
569
570         generator.emitCallDefineProperty(newObj, propertyNameRegister.get(),
571             value.get(), nullptr, nullptr, BytecodeGenerator::PropertyConfigurable | BytecodeGenerator::PropertyWritable, m_position);
572         return;
573     }
574     if (const auto* identifier = node.name()) {
575         Optional<uint32_t> optionalIndex = parseIndex(*identifier);
576         if (!optionalIndex) {
577             generator.emitDirectPutById(newObj, *identifier, value.get(), node.putType());
578             return;
579         }
580
581         RefPtr<RegisterID> index = generator.emitLoad(generator.newTemporary(), jsNumber(optionalIndex.value()));
582         generator.emitDirectPutByVal(newObj, index.get(), value.get());
583         return;
584     }
585     RefPtr<RegisterID> propertyName = generator.emitNode(node.m_expression);
586     generator.emitDirectPutByVal(newObj, propertyName.get(), value.get());
587 }
588
589 // ------------------------------ BracketAccessorNode --------------------------------
590
591 RegisterID* BracketAccessorNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
592 {
593     if (m_base->isSuperNode()) {
594         // FIXME: Should we generate the profiler info?
595         if (m_subscript->isString()) {
596             const Identifier& id = static_cast<StringNode*>(m_subscript)->value();
597             return generator.emitGetById(generator.finalDestination(dst), emitSuperBaseForCallee(generator), id);
598         }
599         return generator.emitGetByVal(generator.finalDestination(dst), emitSuperBaseForCallee(generator), generator.emitNode(m_subscript));
600     }
601
602     RegisterID* ret;
603     RegisterID* finalDest = generator.finalDestination(dst);
604
605     if (m_subscript->isString()) {
606         RefPtr<RegisterID> base = generator.emitNode(m_base);
607         ret = generator.emitGetById(finalDest, base.get(), static_cast<StringNode*>(m_subscript)->value());
608     } else {
609         RefPtr<RegisterID> base = generator.emitNodeForLeftHandSide(m_base, m_subscriptHasAssignments, m_subscript->isPure(generator));
610         RegisterID* property = generator.emitNode(m_subscript);
611         ret = generator.emitGetByVal(finalDest, base.get(), property);
612     }
613
614     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
615
616     if (generator.vm()->typeProfiler()) {
617         generator.emitProfileType(finalDest, ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
618         generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
619     }
620     return ret;
621 }
622
623 // ------------------------------ DotAccessorNode --------------------------------
624
625 RegisterID* DotAccessorNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
626 {
627     RefPtr<RegisterID> base = m_base->isSuperNode() ? emitSuperBaseForCallee(generator) : generator.emitNode(m_base);
628     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
629     RegisterID* finalDest = generator.finalDestination(dst);
630     RegisterID* ret = generator.emitGetById(finalDest, base.get(), m_ident);
631     if (generator.vm()->typeProfiler()) {
632         generator.emitProfileType(finalDest, ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
633         generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
634     }
635     return ret;
636 }
637
638 // ------------------------------ ArgumentListNode -----------------------------
639
640 RegisterID* ArgumentListNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
641 {
642     ASSERT(m_expr);
643     return generator.emitNode(dst, m_expr);
644 }
645
646 // ------------------------------ NewExprNode ----------------------------------
647
648 RegisterID* NewExprNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
649 {
650     ExpectedFunction expectedFunction;
651     if (m_expr->isResolveNode())
652         expectedFunction = generator.expectedFunctionForIdentifier(static_cast<ResolveNode*>(m_expr)->identifier());
653     else
654         expectedFunction = NoExpectedFunction;
655     RefPtr<RegisterID> func = generator.emitNode(m_expr);
656     RefPtr<RegisterID> returnValue = generator.finalDestination(dst, func.get());
657     CallArguments callArguments(generator, m_args);
658     generator.emitMove(callArguments.thisRegister(), func.get());
659     return generator.emitConstruct(returnValue.get(), func.get(), expectedFunction, callArguments, divot(), divotStart(), divotEnd());
660 }
661
662 CallArguments::CallArguments(BytecodeGenerator& generator, ArgumentsNode* argumentsNode, unsigned additionalArguments)
663     : m_argumentsNode(argumentsNode)
664     , m_padding(0)
665 {
666     if (generator.shouldEmitProfileHooks())
667         m_profileHookRegister = generator.newTemporary();
668
669     size_t argumentCountIncludingThis = 1 + additionalArguments; // 'this' register.
670     if (argumentsNode) {
671         for (ArgumentListNode* node = argumentsNode->m_listNode; node; node = node->m_next)
672             ++argumentCountIncludingThis;
673     }
674
675     m_argv.grow(argumentCountIncludingThis);
676     for (int i = argumentCountIncludingThis - 1; i >= 0; --i) {
677         m_argv[i] = generator.newTemporary();
678         ASSERT(static_cast<size_t>(i) == m_argv.size() - 1 || m_argv[i]->index() == m_argv[i + 1]->index() - 1);
679     }
680     
681     while (stackOffset() % stackAlignmentRegisters()) {
682         m_argv.insert(0, generator.newTemporary());
683         m_padding++;
684     }
685 }
686
687 // ------------------------------ EvalFunctionCallNode ----------------------------------
688
689 RegisterID* EvalFunctionCallNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
690 {
691     Variable var = generator.variable(generator.propertyNames().eval);
692     if (RegisterID* local = var.local()) {
693         RefPtr<RegisterID> func = generator.emitMove(generator.tempDestination(dst), local);
694         CallArguments callArguments(generator, m_args);
695         generator.emitLoad(callArguments.thisRegister(), jsUndefined());
696         return generator.emitCallEval(generator.finalDestination(dst, func.get()), func.get(), callArguments, divot(), divotStart(), divotEnd());
697     }
698
699     RefPtr<RegisterID> func = generator.newTemporary();
700     CallArguments callArguments(generator, m_args);
701     JSTextPosition newDivot = divotStart() + 4;
702     generator.emitExpressionInfo(newDivot, divotStart(), newDivot);
703     generator.moveToDestinationIfNeeded(
704         callArguments.thisRegister(),
705         generator.emitResolveScope(callArguments.thisRegister(), var));
706     generator.emitGetFromScope(func.get(), callArguments.thisRegister(), var, ThrowIfNotFound);
707     return generator.emitCallEval(generator.finalDestination(dst, func.get()), func.get(), callArguments, divot(), divotStart(), divotEnd());
708 }
709
710 // ------------------------------ FunctionCallValueNode ----------------------------------
711
712 RegisterID* FunctionCallValueNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
713 {
714     RefPtr<RegisterID> func = generator.emitNode(m_expr);
715     RefPtr<RegisterID> returnValue = generator.finalDestination(dst, func.get());
716     CallArguments callArguments(generator, m_args);
717     if (m_expr->isSuperNode()) {
718         ASSERT(generator.isConstructor());
719         ASSERT(generator.constructorKind() == ConstructorKind::Derived);
720         generator.emitMove(callArguments.thisRegister(), generator.newTarget());
721         RegisterID* ret = generator.emitConstruct(returnValue.get(), func.get(), NoExpectedFunction, callArguments, divot(), divotStart(), divotEnd());
722         generator.emitMove(generator.thisRegister(), ret);
723         return ret;
724     }
725     generator.emitLoad(callArguments.thisRegister(), jsUndefined());
726     RegisterID* ret = generator.emitCall(returnValue.get(), func.get(), NoExpectedFunction, callArguments, divot(), divotStart(), divotEnd());
727     if (generator.vm()->typeProfiler()) {
728         generator.emitProfileType(returnValue.get(), ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
729         generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
730     }
731     return ret;
732 }
733
734 // ------------------------------ FunctionCallResolveNode ----------------------------------
735
736 RegisterID* FunctionCallResolveNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
737 {
738     ExpectedFunction expectedFunction = generator.expectedFunctionForIdentifier(m_ident);
739
740     Variable var = generator.variable(m_ident);
741     if (RegisterID* local = var.local()) {
742         generator.emitTDZCheckIfNecessary(var, local, nullptr);
743         RefPtr<RegisterID> func = generator.emitMove(generator.tempDestination(dst), local);
744         RefPtr<RegisterID> returnValue = generator.finalDestination(dst, func.get());
745         CallArguments callArguments(generator, m_args);
746         generator.emitLoad(callArguments.thisRegister(), jsUndefined());
747         // This passes NoExpectedFunction because we expect that if the function is in a
748         // local variable, then it's not one of our built-in constructors.
749         RegisterID* ret = generator.emitCall(returnValue.get(), func.get(), NoExpectedFunction, callArguments, divot(), divotStart(), divotEnd());
750         if (generator.vm()->typeProfiler()) {
751             generator.emitProfileType(returnValue.get(), ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
752             generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
753         }
754         return ret;
755     }
756
757     RefPtr<RegisterID> func = generator.newTemporary();
758     RefPtr<RegisterID> returnValue = generator.finalDestination(dst, func.get());
759     CallArguments callArguments(generator, m_args);
760
761     JSTextPosition newDivot = divotStart() + m_ident.length();
762     generator.emitExpressionInfo(newDivot, divotStart(), newDivot);
763     generator.moveToDestinationIfNeeded(
764         callArguments.thisRegister(),
765         generator.emitResolveScope(callArguments.thisRegister(), var));
766     generator.emitGetFromScope(func.get(), callArguments.thisRegister(), var, ThrowIfNotFound);
767     generator.emitTDZCheckIfNecessary(var, func.get(), nullptr);
768     RegisterID* ret = generator.emitCall(returnValue.get(), func.get(), expectedFunction, callArguments, divot(), divotStart(), divotEnd());
769     if (generator.vm()->typeProfiler()) {
770         generator.emitProfileType(returnValue.get(), ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
771         generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
772     }
773     return ret;
774 }
775
776 // ------------------------------ BytecodeIntrinsicNode ----------------------------------
777
778 RegisterID* BytecodeIntrinsicNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
779 {
780     return (this->*m_emitter)(generator, dst);
781 }
782
783 RegisterID* BytecodeIntrinsicNode::emit_intrinsic_putByValDirect(BytecodeGenerator& generator, RegisterID* dst)
784 {
785     ArgumentListNode* node = m_args->m_listNode;
786     RefPtr<RegisterID> base = generator.emitNode(node);
787     node = node->m_next;
788     RefPtr<RegisterID> index = generator.emitNode(node);
789     node = node->m_next;
790     RefPtr<RegisterID> value = generator.emitNode(node);
791
792     ASSERT(!node->m_next);
793
794     return generator.moveToDestinationIfNeeded(dst, generator.emitDirectPutByVal(base.get(), index.get(), value.get()));
795 }
796
797 RegisterID* BytecodeIntrinsicNode::emit_intrinsic_toString(BytecodeGenerator& generator, RegisterID* dst)
798 {
799     ArgumentListNode* node = m_args->m_listNode;
800     RefPtr<RegisterID> src = generator.emitNode(node);
801     ASSERT(!node->m_next);
802
803     return generator.moveToDestinationIfNeeded(dst, generator.emitToString(generator.tempDestination(dst), src.get()));
804 }
805
806 // ------------------------------ FunctionCallBracketNode ----------------------------------
807
808 RegisterID* FunctionCallBracketNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
809 {
810     bool baseIsSuper = m_base->isSuperNode();
811     bool subscriptIsString = m_subscript->isString();
812
813     RefPtr<RegisterID> base;
814     if (baseIsSuper)
815         base = emitSuperBaseForCallee(generator);
816     else {
817         if (subscriptIsString)
818             base = generator.emitNode(m_base);
819         else
820             base = generator.emitNodeForLeftHandSide(m_base, m_subscriptHasAssignments, m_subscript->isPure(generator));
821     }
822
823     RefPtr<RegisterID> function;
824     if (subscriptIsString) {
825         generator.emitExpressionInfo(subexpressionDivot(), subexpressionStart(), subexpressionEnd());
826         function = generator.emitGetById(generator.tempDestination(dst), base.get(), static_cast<StringNode*>(m_subscript)->value());
827     } else {
828         RefPtr<RegisterID> property = generator.emitNode(m_subscript);
829         generator.emitExpressionInfo(subexpressionDivot(), subexpressionStart(), subexpressionEnd());
830         function = generator.emitGetByVal(generator.tempDestination(dst), base.get(), property.get());
831     }
832
833     RefPtr<RegisterID> returnValue = generator.finalDestination(dst, function.get());
834     CallArguments callArguments(generator, m_args);
835     if (baseIsSuper)
836         generator.emitMove(callArguments.thisRegister(), generator.thisRegister());
837     else
838         generator.emitMove(callArguments.thisRegister(), base.get());
839     RegisterID* ret = generator.emitCall(returnValue.get(), function.get(), NoExpectedFunction, callArguments, divot(), divotStart(), divotEnd());
840     if (generator.vm()->typeProfiler()) {
841         generator.emitProfileType(returnValue.get(), ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
842         generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
843     }
844     return ret;
845 }
846
847 // ------------------------------ FunctionCallDotNode ----------------------------------
848
849 RegisterID* FunctionCallDotNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
850 {
851     RefPtr<RegisterID> function = generator.tempDestination(dst);
852     RefPtr<RegisterID> returnValue = generator.finalDestination(dst, function.get());
853     CallArguments callArguments(generator, m_args);
854     bool baseIsSuper = m_base->isSuperNode();
855     if (baseIsSuper)
856         generator.emitMove(callArguments.thisRegister(), generator.thisRegister());
857     else
858         generator.emitNode(callArguments.thisRegister(), m_base);
859     generator.emitExpressionInfo(subexpressionDivot(), subexpressionStart(), subexpressionEnd());
860     generator.emitGetById(function.get(), baseIsSuper ? emitSuperBaseForCallee(generator) : callArguments.thisRegister(), m_ident);
861     RegisterID* ret = generator.emitCall(returnValue.get(), function.get(), NoExpectedFunction, callArguments, divot(), divotStart(), divotEnd());
862     if (generator.vm()->typeProfiler()) {
863         generator.emitProfileType(returnValue.get(), ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
864         generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
865     }
866     return ret;
867 }
868
869 RegisterID* CallFunctionCallDotNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
870 {
871     RefPtr<Label> realCall = generator.newLabel();
872     RefPtr<Label> end = generator.newLabel();
873     RefPtr<RegisterID> base = generator.emitNode(m_base);
874     generator.emitExpressionInfo(subexpressionDivot(), subexpressionStart(), subexpressionEnd());
875     RefPtr<RegisterID> function;
876     bool emitCallCheck = !generator.isBuiltinFunction();
877     if (emitCallCheck) {
878         function = generator.emitGetById(generator.tempDestination(dst), base.get(), generator.propertyNames().builtinNames().callPublicName());
879         generator.emitJumpIfNotFunctionCall(function.get(), realCall.get());
880     }
881     RefPtr<RegisterID> returnValue = generator.finalDestination(dst);
882     {
883         if (m_args->m_listNode && m_args->m_listNode->m_expr && m_args->m_listNode->m_expr->isSpreadExpression()) {
884             RefPtr<RegisterID> profileHookRegister;
885             if (generator.shouldEmitProfileHooks())
886                 profileHookRegister = generator.newTemporary();
887             SpreadExpressionNode* spread = static_cast<SpreadExpressionNode*>(m_args->m_listNode->m_expr);
888             ExpressionNode* subject = spread->expression();
889             RefPtr<RegisterID> argumentsRegister;
890             argumentsRegister = generator.emitNode(subject);
891             generator.emitExpressionInfo(spread->divot(), spread->divotStart(), spread->divotEnd());
892             RefPtr<RegisterID> thisRegister = generator.emitGetByVal(generator.newTemporary(), argumentsRegister.get(), generator.emitLoad(0, jsNumber(0)));
893             generator.emitCallVarargs(returnValue.get(), base.get(), thisRegister.get(), argumentsRegister.get(), generator.newTemporary(), 1, profileHookRegister.get(), divot(), divotStart(), divotEnd());
894         } else if (m_args->m_listNode && m_args->m_listNode->m_expr) {
895             ArgumentListNode* oldList = m_args->m_listNode;
896             m_args->m_listNode = m_args->m_listNode->m_next;
897
898             RefPtr<RegisterID> realFunction = generator.emitMove(generator.tempDestination(dst), base.get());
899             CallArguments callArguments(generator, m_args);
900             generator.emitNode(callArguments.thisRegister(), oldList->m_expr);
901             generator.emitCall(returnValue.get(), realFunction.get(), NoExpectedFunction, callArguments, divot(), divotStart(), divotEnd());
902             m_args->m_listNode = oldList;
903         } else {
904             RefPtr<RegisterID> realFunction = generator.emitMove(generator.tempDestination(dst), base.get());
905             CallArguments callArguments(generator, m_args);
906             generator.emitLoad(callArguments.thisRegister(), jsUndefined());
907             generator.emitCall(returnValue.get(), realFunction.get(), NoExpectedFunction, callArguments, divot(), divotStart(), divotEnd());
908         }
909     }
910     if (emitCallCheck) {
911         generator.emitJump(end.get());
912         generator.emitLabel(realCall.get());
913         {
914             CallArguments callArguments(generator, m_args);
915             generator.emitMove(callArguments.thisRegister(), base.get());
916             generator.emitCall(returnValue.get(), function.get(), NoExpectedFunction, callArguments, divot(), divotStart(), divotEnd());
917         }
918         generator.emitLabel(end.get());
919     }
920     if (generator.vm()->typeProfiler()) {
921         generator.emitProfileType(returnValue.get(), ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
922         generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
923     }
924     return returnValue.get();
925 }
926
927 static bool areTrivialApplyArguments(ArgumentsNode* args)
928 {
929     return !args->m_listNode || !args->m_listNode->m_expr || !args->m_listNode->m_next
930         || (!args->m_listNode->m_next->m_next && args->m_listNode->m_next->m_expr->isSimpleArray());
931 }
932
933 RegisterID* ApplyFunctionCallDotNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
934 {
935     // A few simple cases can be trivially handled as ordinary function calls.
936     // function.apply(), function.apply(arg) -> identical to function.call
937     // function.apply(thisArg, [arg0, arg1, ...]) -> can be trivially coerced into function.call(thisArg, arg0, arg1, ...) and saves object allocation
938     bool mayBeCall = areTrivialApplyArguments(m_args);
939
940     RefPtr<Label> realCall = generator.newLabel();
941     RefPtr<Label> end = generator.newLabel();
942     RefPtr<RegisterID> base = generator.emitNode(m_base);
943     generator.emitExpressionInfo(subexpressionDivot(), subexpressionStart(), subexpressionEnd());
944     RefPtr<RegisterID> function;
945     RefPtr<RegisterID> returnValue = generator.finalDestination(dst, function.get());
946     bool emitCallCheck = !generator.isBuiltinFunction();
947     if (emitCallCheck) {
948         function = generator.emitGetById(generator.tempDestination(dst), base.get(), generator.propertyNames().builtinNames().applyPublicName());
949         generator.emitJumpIfNotFunctionApply(function.get(), realCall.get());
950     }
951     if (mayBeCall) {
952         if (m_args->m_listNode && m_args->m_listNode->m_expr) {
953             ArgumentListNode* oldList = m_args->m_listNode;
954             if (m_args->m_listNode->m_expr->isSpreadExpression()) {
955                 SpreadExpressionNode* spread = static_cast<SpreadExpressionNode*>(m_args->m_listNode->m_expr);
956                 RefPtr<RegisterID> profileHookRegister;
957                 if (generator.shouldEmitProfileHooks())
958                     profileHookRegister = generator.newTemporary();
959                 RefPtr<RegisterID> realFunction = generator.emitMove(generator.newTemporary(), base.get());
960                 RefPtr<RegisterID> index = generator.emitLoad(generator.newTemporary(), jsNumber(0));
961                 RefPtr<RegisterID> thisRegister = generator.emitLoad(generator.newTemporary(), jsUndefined());
962                 RefPtr<RegisterID> argumentsRegister = generator.emitLoad(generator.newTemporary(), jsUndefined());
963                 
964                 auto extractor = [&thisRegister, &argumentsRegister, &index](BytecodeGenerator& generator, RegisterID* value)
965                 {
966                     RefPtr<Label> haveThis = generator.newLabel();
967                     RefPtr<Label> end = generator.newLabel();
968                     RefPtr<RegisterID> compareResult = generator.newTemporary();
969                     RefPtr<RegisterID> indexZeroCompareResult = generator.emitBinaryOp(op_eq, compareResult.get(), index.get(), generator.emitLoad(0, jsNumber(0)), OperandTypes(ResultType::numberTypeIsInt32(), ResultType::numberTypeIsInt32()));
970                     generator.emitJumpIfFalse(indexZeroCompareResult.get(), haveThis.get());
971                     generator.emitMove(thisRegister.get(), value);
972                     generator.emitLoad(index.get(), jsNumber(1));
973                     generator.emitJump(end.get());
974                     generator.emitLabel(haveThis.get());
975                     RefPtr<RegisterID> indexOneCompareResult = generator.emitBinaryOp(op_eq, compareResult.get(), index.get(), generator.emitLoad(0, jsNumber(1)), OperandTypes(ResultType::numberTypeIsInt32(), ResultType::numberTypeIsInt32()));
976                     generator.emitJumpIfFalse(indexOneCompareResult.get(), end.get());
977                     generator.emitMove(argumentsRegister.get(), value);
978                     generator.emitLoad(index.get(), jsNumber(2));
979                     generator.emitLabel(end.get());
980                 };
981                 generator.emitEnumeration(this, spread->expression(), extractor);
982                 generator.emitCallVarargs(returnValue.get(), realFunction.get(), thisRegister.get(), argumentsRegister.get(), generator.newTemporary(), 0, profileHookRegister.get(), divot(), divotStart(), divotEnd());
983             } else if (m_args->m_listNode->m_next) {
984                 ASSERT(m_args->m_listNode->m_next->m_expr->isSimpleArray());
985                 ASSERT(!m_args->m_listNode->m_next->m_next);
986                 m_args->m_listNode = static_cast<ArrayNode*>(m_args->m_listNode->m_next->m_expr)->toArgumentList(generator.parserArena(), 0, 0);
987                 RefPtr<RegisterID> realFunction = generator.emitMove(generator.tempDestination(dst), base.get());
988                 CallArguments callArguments(generator, m_args);
989                 generator.emitNode(callArguments.thisRegister(), oldList->m_expr);
990                 generator.emitCall(returnValue.get(), realFunction.get(), NoExpectedFunction, callArguments, divot(), divotStart(), divotEnd());
991             } else {
992                 m_args->m_listNode = m_args->m_listNode->m_next;
993                 RefPtr<RegisterID> realFunction = generator.emitMove(generator.tempDestination(dst), base.get());
994                 CallArguments callArguments(generator, m_args);
995                 generator.emitNode(callArguments.thisRegister(), oldList->m_expr);
996                 generator.emitCall(returnValue.get(), realFunction.get(), NoExpectedFunction, callArguments, divot(), divotStart(), divotEnd());
997             }
998             m_args->m_listNode = oldList;
999         } else {
1000             RefPtr<RegisterID> realFunction = generator.emitMove(generator.tempDestination(dst), base.get());
1001             CallArguments callArguments(generator, m_args);
1002             generator.emitLoad(callArguments.thisRegister(), jsUndefined());
1003             generator.emitCall(returnValue.get(), realFunction.get(), NoExpectedFunction, callArguments, divot(), divotStart(), divotEnd());
1004         }
1005     } else {
1006         ASSERT(m_args->m_listNode && m_args->m_listNode->m_next);
1007         RefPtr<RegisterID> profileHookRegister;
1008         if (generator.shouldEmitProfileHooks())
1009             profileHookRegister = generator.newTemporary();
1010         RefPtr<RegisterID> realFunction = generator.emitMove(generator.tempDestination(dst), base.get());
1011         RefPtr<RegisterID> thisRegister = generator.emitNode(m_args->m_listNode->m_expr);
1012         RefPtr<RegisterID> argsRegister;
1013         ArgumentListNode* args = m_args->m_listNode->m_next;
1014         argsRegister = generator.emitNode(args->m_expr);
1015
1016         // Function.prototype.apply ignores extra arguments, but we still
1017         // need to evaluate them for side effects.
1018         while ((args = args->m_next))
1019             generator.emitNode(args->m_expr);
1020
1021         generator.emitCallVarargs(returnValue.get(), realFunction.get(), thisRegister.get(), argsRegister.get(), generator.newTemporary(), 0, profileHookRegister.get(), divot(), divotStart(), divotEnd());
1022     }
1023     if (emitCallCheck) {
1024         generator.emitJump(end.get());
1025         generator.emitLabel(realCall.get());
1026         CallArguments callArguments(generator, m_args);
1027         generator.emitMove(callArguments.thisRegister(), base.get());
1028         generator.emitCall(returnValue.get(), function.get(), NoExpectedFunction, callArguments, divot(), divotStart(), divotEnd());
1029         generator.emitLabel(end.get());
1030     }
1031     if (generator.vm()->typeProfiler()) {
1032         generator.emitProfileType(returnValue.get(), ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
1033         generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
1034     }
1035     return returnValue.get();
1036 }
1037
1038 // ------------------------------ PostfixNode ----------------------------------
1039
1040 static RegisterID* emitIncOrDec(BytecodeGenerator& generator, RegisterID* srcDst, Operator oper)
1041 {
1042     return (oper == OpPlusPlus) ? generator.emitInc(srcDst) : generator.emitDec(srcDst);
1043 }
1044
1045 static RegisterID* emitPostIncOrDec(BytecodeGenerator& generator, RegisterID* dst, RegisterID* srcDst, Operator oper)
1046 {
1047     if (dst == srcDst)
1048         return generator.emitToNumber(generator.finalDestination(dst), srcDst);
1049     RefPtr<RegisterID> tmp = generator.emitToNumber(generator.tempDestination(dst), srcDst);
1050     emitIncOrDec(generator, srcDst, oper);
1051     return generator.moveToDestinationIfNeeded(dst, tmp.get());
1052 }
1053
1054 RegisterID* PostfixNode::emitResolve(BytecodeGenerator& generator, RegisterID* dst)
1055 {
1056     if (dst == generator.ignoredResult())
1057         return PrefixNode::emitResolve(generator, dst);
1058
1059     ASSERT(m_expr->isResolveNode());
1060     ResolveNode* resolve = static_cast<ResolveNode*>(m_expr);
1061     const Identifier& ident = resolve->identifier();
1062
1063     Variable var = generator.variable(ident);
1064     if (RegisterID* local = var.local()) {
1065         generator.emitTDZCheckIfNecessary(var, local, nullptr);
1066         RefPtr<RegisterID> localReg = local;
1067         if (var.isReadOnly()) {
1068             generator.emitReadOnlyExceptionIfNeeded();
1069             localReg = generator.emitMove(generator.tempDestination(dst), local);
1070         } else if (generator.vm()->typeProfiler()) {
1071             RefPtr<RegisterID> tempDst = generator.finalDestination(dst);
1072             ASSERT(dst != localReg);
1073             RefPtr<RegisterID> tempDstSrc = generator.newTemporary();
1074             generator.emitToNumber(tempDst.get(), localReg.get());
1075             generator.emitMove(tempDstSrc.get(), localReg.get());
1076             emitIncOrDec(generator, tempDstSrc.get(), m_operator);
1077             generator.emitMove(localReg.get(), tempDstSrc.get());
1078             if (generator.vm()->typeProfiler())
1079                 generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
1080             return tempDst.get();
1081         }
1082         return emitPostIncOrDec(generator, generator.finalDestination(dst), localReg.get(), m_operator);
1083     }
1084
1085     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
1086     RefPtr<RegisterID> scope = generator.emitResolveScope(nullptr, var);
1087     RefPtr<RegisterID> value = generator.emitGetFromScope(generator.newTemporary(), scope.get(), var, ThrowIfNotFound);
1088     generator.emitTDZCheckIfNecessary(var, value.get(), nullptr);
1089     RefPtr<RegisterID> oldValue = emitPostIncOrDec(generator, generator.finalDestination(dst), value.get(), m_operator);
1090     generator.emitPutToScope(scope.get(), var, value.get(), ThrowIfNotFound);
1091     if (generator.vm()->typeProfiler()) {
1092         generator.emitProfileType(value.get(), var.isResolved() ? ProfileTypeBytecodePutToLocalScope : ProfileTypeBytecodePutToScope, &ident);
1093         generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
1094     }
1095
1096     return oldValue.get();
1097 }
1098
1099 RegisterID* PostfixNode::emitBracket(BytecodeGenerator& generator, RegisterID* dst)
1100 {
1101     if (dst == generator.ignoredResult())
1102         return PrefixNode::emitBracket(generator, dst);
1103
1104     ASSERT(m_expr->isBracketAccessorNode());
1105     BracketAccessorNode* bracketAccessor = static_cast<BracketAccessorNode*>(m_expr);
1106     ExpressionNode* baseNode = bracketAccessor->base();
1107     ExpressionNode* subscript = bracketAccessor->subscript();
1108
1109     RefPtr<RegisterID> base = generator.emitNodeForLeftHandSide(baseNode, bracketAccessor->subscriptHasAssignments(), subscript->isPure(generator));
1110     RefPtr<RegisterID> property = generator.emitNode(subscript);
1111
1112     generator.emitExpressionInfo(bracketAccessor->divot(), bracketAccessor->divotStart(), bracketAccessor->divotEnd());
1113     RefPtr<RegisterID> value = generator.emitGetByVal(generator.newTemporary(), base.get(), property.get());
1114     RegisterID* oldValue = emitPostIncOrDec(generator, generator.tempDestination(dst), value.get(), m_operator);
1115     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
1116     generator.emitPutByVal(base.get(), property.get(), value.get());
1117     if (generator.vm()->typeProfiler()) {
1118         generator.emitProfileType(value.get(), ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
1119         generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
1120     }
1121     return generator.moveToDestinationIfNeeded(dst, oldValue);
1122 }
1123
1124 RegisterID* PostfixNode::emitDot(BytecodeGenerator& generator, RegisterID* dst)
1125 {
1126     if (dst == generator.ignoredResult())
1127         return PrefixNode::emitDot(generator, dst);
1128
1129     ASSERT(m_expr->isDotAccessorNode());
1130     DotAccessorNode* dotAccessor = static_cast<DotAccessorNode*>(m_expr);
1131     ExpressionNode* baseNode = dotAccessor->base();
1132     const Identifier& ident = dotAccessor->identifier();
1133
1134     RefPtr<RegisterID> base = generator.emitNode(baseNode);
1135
1136     generator.emitExpressionInfo(dotAccessor->divot(), dotAccessor->divotStart(), dotAccessor->divotEnd());
1137     RefPtr<RegisterID> value = generator.emitGetById(generator.newTemporary(), base.get(), ident);
1138     RegisterID* oldValue = emitPostIncOrDec(generator, generator.tempDestination(dst), value.get(), m_operator);
1139     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
1140     generator.emitPutById(base.get(), ident, value.get());
1141     if (generator.vm()->typeProfiler()) {
1142         generator.emitProfileType(value.get(), ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
1143         generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
1144     }
1145     return generator.moveToDestinationIfNeeded(dst, oldValue);
1146 }
1147
1148 RegisterID* PostfixNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1149 {
1150     if (m_expr->isResolveNode())
1151         return emitResolve(generator, dst);
1152
1153     if (m_expr->isBracketAccessorNode())
1154         return emitBracket(generator, dst);
1155
1156     if (m_expr->isDotAccessorNode())
1157         return emitDot(generator, dst);
1158
1159     return emitThrowReferenceError(generator, m_operator == OpPlusPlus
1160         ? ASCIILiteral("Postfix ++ operator applied to value that is not a reference.")
1161         : ASCIILiteral("Postfix -- operator applied to value that is not a reference."));
1162 }
1163
1164 // ------------------------------ DeleteResolveNode -----------------------------------
1165
1166 RegisterID* DeleteResolveNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1167 {
1168     Variable var = generator.variable(m_ident);
1169     if (var.local()) {
1170         generator.emitTDZCheckIfNecessary(var, var.local(), nullptr);
1171         return generator.emitLoad(generator.finalDestination(dst), false);
1172     }
1173
1174     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
1175     RefPtr<RegisterID> base = generator.emitResolveScope(dst, var);
1176     generator.emitTDZCheckIfNecessary(var, nullptr, base.get());
1177     return generator.emitDeleteById(generator.finalDestination(dst, base.get()), base.get(), m_ident);
1178 }
1179
1180 // ------------------------------ DeleteBracketNode -----------------------------------
1181
1182 RegisterID* DeleteBracketNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1183 {
1184     RefPtr<RegisterID> r0 = generator.emitNode(m_base);
1185     RefPtr<RegisterID> r1 = generator.emitNode(m_subscript);
1186
1187     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
1188     if (m_base->isSuperNode())
1189         return emitThrowReferenceError(generator, "Cannot delete a super property");
1190     return generator.emitDeleteByVal(generator.finalDestination(dst), r0.get(), r1.get());
1191 }
1192
1193 // ------------------------------ DeleteDotNode -----------------------------------
1194
1195 RegisterID* DeleteDotNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1196 {
1197     RefPtr<RegisterID> r0 = generator.emitNode(m_base);
1198
1199     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
1200     if (m_base->isSuperNode())
1201         return emitThrowReferenceError(generator, "Cannot delete a super property");
1202     return generator.emitDeleteById(generator.finalDestination(dst), r0.get(), m_ident);
1203 }
1204
1205 // ------------------------------ DeleteValueNode -----------------------------------
1206
1207 RegisterID* DeleteValueNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1208 {
1209     generator.emitNode(generator.ignoredResult(), m_expr);
1210
1211     // delete on a non-location expression ignores the value and returns true
1212     return generator.emitLoad(generator.finalDestination(dst), true);
1213 }
1214
1215 // ------------------------------ VoidNode -------------------------------------
1216
1217 RegisterID* VoidNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1218 {
1219     if (dst == generator.ignoredResult()) {
1220         generator.emitNode(generator.ignoredResult(), m_expr);
1221         return 0;
1222     }
1223     RefPtr<RegisterID> r0 = generator.emitNode(m_expr);
1224     return generator.emitLoad(dst, jsUndefined());
1225 }
1226
1227 // ------------------------------ TypeOfResolveNode -----------------------------------
1228
1229 RegisterID* TypeOfResolveNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1230 {
1231     Variable var = generator.variable(m_ident);
1232     if (RegisterID* local = var.local()) {
1233         generator.emitTDZCheckIfNecessary(var, local, nullptr);
1234         if (dst == generator.ignoredResult())
1235             return 0;
1236         return generator.emitTypeOf(generator.finalDestination(dst), local);
1237     }
1238
1239     RefPtr<RegisterID> scope = generator.emitResolveScope(dst, var);
1240     RefPtr<RegisterID> value = generator.emitGetFromScope(generator.newTemporary(), scope.get(), var, DoNotThrowIfNotFound);
1241     generator.emitTDZCheckIfNecessary(var, value.get(), nullptr);
1242     if (dst == generator.ignoredResult())
1243         return 0;
1244     return generator.emitTypeOf(generator.finalDestination(dst, scope.get()), value.get());
1245 }
1246
1247 // ------------------------------ TypeOfValueNode -----------------------------------
1248
1249 RegisterID* TypeOfValueNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1250 {
1251     if (dst == generator.ignoredResult()) {
1252         generator.emitNode(generator.ignoredResult(), m_expr);
1253         return 0;
1254     }
1255     RefPtr<RegisterID> src = generator.emitNode(m_expr);
1256     return generator.emitTypeOf(generator.finalDestination(dst), src.get());
1257 }
1258
1259 // ------------------------------ PrefixNode ----------------------------------
1260
1261 RegisterID* PrefixNode::emitResolve(BytecodeGenerator& generator, RegisterID* dst)
1262 {
1263     ASSERT(m_expr->isResolveNode());
1264     ResolveNode* resolve = static_cast<ResolveNode*>(m_expr);
1265     const Identifier& ident = resolve->identifier();
1266
1267     Variable var = generator.variable(ident);
1268     if (RegisterID* local = var.local()) {
1269         generator.emitTDZCheckIfNecessary(var, local, nullptr);
1270         RefPtr<RegisterID> localReg = local;
1271         if (var.isReadOnly()) {
1272             generator.emitReadOnlyExceptionIfNeeded();
1273             localReg = generator.emitMove(generator.tempDestination(dst), localReg.get());
1274         } else if (generator.vm()->typeProfiler()) {
1275             RefPtr<RegisterID> tempDst = generator.tempDestination(dst);
1276             generator.emitMove(tempDst.get(), localReg.get());
1277             emitIncOrDec(generator, tempDst.get(), m_operator);
1278             generator.emitMove(localReg.get(), tempDst.get());
1279             if (generator.vm()->typeProfiler())
1280                 generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
1281             return generator.moveToDestinationIfNeeded(dst, tempDst.get());
1282         }
1283         emitIncOrDec(generator, localReg.get(), m_operator);
1284         return generator.moveToDestinationIfNeeded(dst, localReg.get());
1285     }
1286
1287     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
1288     RefPtr<RegisterID> scope = generator.emitResolveScope(dst, var);
1289     RefPtr<RegisterID> value = generator.emitGetFromScope(generator.newTemporary(), scope.get(), var, ThrowIfNotFound);
1290     generator.emitTDZCheckIfNecessary(var, value.get(), nullptr);
1291
1292     emitIncOrDec(generator, value.get(), m_operator);
1293     generator.emitPutToScope(scope.get(), var, value.get(), ThrowIfNotFound);
1294     if (generator.vm()->typeProfiler()) {
1295         generator.emitProfileType(value.get(), var.isResolved() ? ProfileTypeBytecodePutToLocalScope : ProfileTypeBytecodePutToScope, &ident);
1296         generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
1297     }
1298     return generator.moveToDestinationIfNeeded(dst, value.get());
1299 }
1300
1301 RegisterID* PrefixNode::emitBracket(BytecodeGenerator& generator, RegisterID* dst)
1302 {
1303     ASSERT(m_expr->isBracketAccessorNode());
1304     BracketAccessorNode* bracketAccessor = static_cast<BracketAccessorNode*>(m_expr);
1305     ExpressionNode* baseNode = bracketAccessor->base();
1306     ExpressionNode* subscript = bracketAccessor->subscript();
1307
1308     RefPtr<RegisterID> base = generator.emitNodeForLeftHandSide(baseNode, bracketAccessor->subscriptHasAssignments(), subscript->isPure(generator));
1309     RefPtr<RegisterID> property = generator.emitNode(subscript);
1310     RefPtr<RegisterID> propDst = generator.tempDestination(dst);
1311
1312     generator.emitExpressionInfo(bracketAccessor->divot(), bracketAccessor->divotStart(), bracketAccessor->divotEnd());
1313     RegisterID* value = generator.emitGetByVal(propDst.get(), base.get(), property.get());
1314     emitIncOrDec(generator, value, m_operator);
1315     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
1316     generator.emitPutByVal(base.get(), property.get(), value);
1317     if (generator.vm()->typeProfiler()) {
1318         generator.emitProfileType(value, ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
1319         generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
1320     }
1321     return generator.moveToDestinationIfNeeded(dst, propDst.get());
1322 }
1323
1324 RegisterID* PrefixNode::emitDot(BytecodeGenerator& generator, RegisterID* dst)
1325 {
1326     ASSERT(m_expr->isDotAccessorNode());
1327     DotAccessorNode* dotAccessor = static_cast<DotAccessorNode*>(m_expr);
1328     ExpressionNode* baseNode = dotAccessor->base();
1329     const Identifier& ident = dotAccessor->identifier();
1330
1331     RefPtr<RegisterID> base = generator.emitNode(baseNode);
1332     RefPtr<RegisterID> propDst = generator.tempDestination(dst);
1333
1334     generator.emitExpressionInfo(dotAccessor->divot(), dotAccessor->divotStart(), dotAccessor->divotEnd());
1335     RegisterID* value = generator.emitGetById(propDst.get(), base.get(), ident);
1336     emitIncOrDec(generator, value, m_operator);
1337     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
1338     generator.emitPutById(base.get(), ident, value);
1339     if (generator.vm()->typeProfiler()) {
1340         generator.emitProfileType(value, ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
1341         generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
1342     }
1343     return generator.moveToDestinationIfNeeded(dst, propDst.get());
1344 }
1345
1346 RegisterID* PrefixNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1347 {
1348     if (m_expr->isResolveNode())
1349         return emitResolve(generator, dst);
1350
1351     if (m_expr->isBracketAccessorNode())
1352         return emitBracket(generator, dst);
1353
1354     if (m_expr->isDotAccessorNode())
1355         return emitDot(generator, dst);
1356
1357     return emitThrowReferenceError(generator, m_operator == OpPlusPlus
1358         ? ASCIILiteral("Prefix ++ operator applied to value that is not a reference.")
1359         : ASCIILiteral("Prefix -- operator applied to value that is not a reference."));
1360 }
1361
1362 // ------------------------------ Unary Operation Nodes -----------------------------------
1363
1364 RegisterID* UnaryOpNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1365 {
1366     RefPtr<RegisterID> src = generator.emitNode(m_expr);
1367     generator.emitExpressionInfo(position(), position(), position());
1368     return generator.emitUnaryOp(opcodeID(), generator.finalDestination(dst), src.get());
1369 }
1370
1371 // ------------------------------ BitwiseNotNode -----------------------------------
1372  
1373 RegisterID* BitwiseNotNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1374 {
1375     RefPtr<RegisterID> src2 = generator.emitLoad(generator.newTemporary(), jsNumber(-1));
1376     RefPtr<RegisterID> src1 = generator.emitNode(m_expr);
1377     return generator.emitBinaryOp(op_bitxor, generator.finalDestination(dst, src1.get()), src1.get(), src2.get(), OperandTypes(m_expr->resultDescriptor(), ResultType::numberTypeIsInt32()));
1378 }
1379  
1380 // ------------------------------ LogicalNotNode -----------------------------------
1381
1382 void LogicalNotNode::emitBytecodeInConditionContext(BytecodeGenerator& generator, Label* trueTarget, Label* falseTarget, FallThroughMode fallThroughMode)
1383 {
1384     // reverse the true and false targets
1385     generator.emitNodeInConditionContext(expr(), falseTarget, trueTarget, invert(fallThroughMode));
1386 }
1387
1388
1389 // ------------------------------ Binary Operation Nodes -----------------------------------
1390
1391 // BinaryOpNode::emitStrcat:
1392 //
1393 // This node generates an op_strcat operation.  This opcode can handle concatenation of three or
1394 // more values, where we can determine a set of separate op_add operations would be operating on
1395 // string values.
1396 //
1397 // This function expects to be operating on a graph of AST nodes looking something like this:
1398 //
1399 //     (a)...     (b)
1400 //          \   /
1401 //           (+)     (c)
1402 //              \   /
1403 //      [d]     ((+))
1404 //         \    /
1405 //          [+=]
1406 //
1407 // The assignment operation is optional, if it exists the register holding the value on the
1408 // lefthand side of the assignment should be passing as the optional 'lhs' argument.
1409 //
1410 // The method should be called on the node at the root of the tree of regular binary add
1411 // operations (marked in the diagram with a double set of parentheses).  This node must
1412 // be performing a string concatenation (determined by statically detecting that at least
1413 // one child must be a string).  
1414 //
1415 // Since the minimum number of values being concatenated together is expected to be 3, if
1416 // a lhs to a concatenating assignment is not provided then the  root add should have at
1417 // least one left child that is also an add that can be determined to be operating on strings.
1418 //
1419 RegisterID* BinaryOpNode::emitStrcat(BytecodeGenerator& generator, RegisterID* dst, RegisterID* lhs, ReadModifyResolveNode* emitExpressionInfoForMe)
1420 {
1421     ASSERT(isAdd());
1422     ASSERT(resultDescriptor().definitelyIsString());
1423
1424     // Create a list of expressions for all the adds in the tree of nodes we can convert into
1425     // a string concatenation.  The rightmost node (c) is added first.  The rightmost node is
1426     // added first, and the leftmost child is never added, so the vector produced for the
1427     // example above will be [ c, b ].
1428     Vector<ExpressionNode*, 16> reverseExpressionList;
1429     reverseExpressionList.append(m_expr2);
1430
1431     // Examine the left child of the add.  So long as this is a string add, add its right-child
1432     // to the list, and keep processing along the left fork.
1433     ExpressionNode* leftMostAddChild = m_expr1;
1434     while (leftMostAddChild->isAdd() && leftMostAddChild->resultDescriptor().definitelyIsString()) {
1435         reverseExpressionList.append(static_cast<AddNode*>(leftMostAddChild)->m_expr2);
1436         leftMostAddChild = static_cast<AddNode*>(leftMostAddChild)->m_expr1;
1437     }
1438
1439     Vector<RefPtr<RegisterID>, 16> temporaryRegisters;
1440
1441     // If there is an assignment, allocate a temporary to hold the lhs after conversion.
1442     // We could possibly avoid this (the lhs is converted last anyway, we could let the
1443     // op_strcat node handle its conversion if required).
1444     if (lhs)
1445         temporaryRegisters.append(generator.newTemporary());
1446
1447     // Emit code for the leftmost node ((a) in the example).
1448     temporaryRegisters.append(generator.newTemporary());
1449     RegisterID* leftMostAddChildTempRegister = temporaryRegisters.last().get();
1450     generator.emitNode(leftMostAddChildTempRegister, leftMostAddChild);
1451
1452     // Note on ordering of conversions:
1453     //
1454     // We maintain the same ordering of conversions as we would see if the concatenations
1455     // was performed as a sequence of adds (otherwise this optimization could change
1456     // behaviour should an object have been provided a valueOf or toString method).
1457     //
1458     // Considering the above example, the sequnce of execution is:
1459     //     * evaluate operand (a)
1460     //     * evaluate operand (b)
1461     //     * convert (a) to primitive   <-  (this would be triggered by the first add)
1462     //     * convert (b) to primitive   <-  (ditto)
1463     //     * evaluate operand (c)
1464     //     * convert (c) to primitive   <-  (this would be triggered by the second add)
1465     // And optionally, if there is an assignment:
1466     //     * convert (d) to primitive   <-  (this would be triggered by the assigning addition)
1467     //
1468     // As such we do not plant an op to convert the leftmost child now.  Instead, use
1469     // 'leftMostAddChildTempRegister' as a flag to trigger generation of the conversion
1470     // once the second node has been generated.  However, if the leftmost child is an
1471     // immediate we can trivially determine that no conversion will be required.
1472     // If this is the case
1473     if (leftMostAddChild->isString())
1474         leftMostAddChildTempRegister = 0;
1475
1476     while (reverseExpressionList.size()) {
1477         ExpressionNode* node = reverseExpressionList.last();
1478         reverseExpressionList.removeLast();
1479
1480         // Emit the code for the current node.
1481         temporaryRegisters.append(generator.newTemporary());
1482         generator.emitNode(temporaryRegisters.last().get(), node);
1483
1484         // On the first iteration of this loop, when we first reach this point we have just
1485         // generated the second node, which means it is time to convert the leftmost operand.
1486         if (leftMostAddChildTempRegister) {
1487             generator.emitToPrimitive(leftMostAddChildTempRegister, leftMostAddChildTempRegister);
1488             leftMostAddChildTempRegister = 0; // Only do this once.
1489         }
1490         // Plant a conversion for this node, if necessary.
1491         if (!node->isString())
1492             generator.emitToPrimitive(temporaryRegisters.last().get(), temporaryRegisters.last().get());
1493     }
1494     ASSERT(temporaryRegisters.size() >= 3);
1495
1496     // Certain read-modify nodes require expression info to be emitted *after* m_right has been generated.
1497     // If this is required the node is passed as 'emitExpressionInfoForMe'; do so now.
1498     if (emitExpressionInfoForMe)
1499         generator.emitExpressionInfo(emitExpressionInfoForMe->divot(), emitExpressionInfoForMe->divotStart(), emitExpressionInfoForMe->divotEnd());
1500     // If there is an assignment convert the lhs now.  This will also copy lhs to
1501     // the temporary register we allocated for it.
1502     if (lhs)
1503         generator.emitToPrimitive(temporaryRegisters[0].get(), lhs);
1504
1505     return generator.emitStrcat(generator.finalDestination(dst, temporaryRegisters[0].get()), temporaryRegisters[0].get(), temporaryRegisters.size());
1506 }
1507
1508 void BinaryOpNode::emitBytecodeInConditionContext(BytecodeGenerator& generator, Label* trueTarget, Label* falseTarget, FallThroughMode fallThroughMode)
1509 {
1510     TriState branchCondition;
1511     ExpressionNode* branchExpression;
1512     tryFoldToBranch(generator, branchCondition, branchExpression);
1513
1514     if (branchCondition == MixedTriState)
1515         ExpressionNode::emitBytecodeInConditionContext(generator, trueTarget, falseTarget, fallThroughMode);
1516     else if (branchCondition == TrueTriState)
1517         generator.emitNodeInConditionContext(branchExpression, trueTarget, falseTarget, fallThroughMode);
1518     else
1519         generator.emitNodeInConditionContext(branchExpression, falseTarget, trueTarget, invert(fallThroughMode));
1520 }
1521
1522 static inline bool canFoldToBranch(OpcodeID opcodeID, ExpressionNode* branchExpression, JSValue constant)
1523 {
1524     ResultType expressionType = branchExpression->resultDescriptor();
1525
1526     if (expressionType.definitelyIsBoolean() && constant.isBoolean())
1527         return true;
1528     else if (expressionType.definitelyIsBoolean() && constant.isInt32() && (constant.asInt32() == 0 || constant.asInt32() == 1))
1529         return opcodeID == op_eq || opcodeID == op_neq; // Strict equality is false in the case of type mismatch.
1530     else if (expressionType.isInt32() && constant.isInt32() && constant.asInt32() == 0)
1531         return true;
1532
1533     return false;
1534 }
1535
1536 void BinaryOpNode::tryFoldToBranch(BytecodeGenerator& generator, TriState& branchCondition, ExpressionNode*& branchExpression)
1537 {
1538     branchCondition = MixedTriState;
1539     branchExpression = 0;
1540
1541     ConstantNode* constant = 0;
1542     if (m_expr1->isConstant()) {
1543         constant = static_cast<ConstantNode*>(m_expr1);
1544         branchExpression = m_expr2;
1545     } else if (m_expr2->isConstant()) {
1546         constant = static_cast<ConstantNode*>(m_expr2);
1547         branchExpression = m_expr1;
1548     }
1549
1550     if (!constant)
1551         return;
1552     ASSERT(branchExpression);
1553
1554     OpcodeID opcodeID = this->opcodeID();
1555     JSValue value = constant->jsValue(generator);
1556     bool canFoldToBranch = JSC::canFoldToBranch(opcodeID, branchExpression, value);
1557     if (!canFoldToBranch)
1558         return;
1559
1560     if (opcodeID == op_eq || opcodeID == op_stricteq)
1561         branchCondition = triState(value.pureToBoolean());
1562     else if (opcodeID == op_neq || opcodeID == op_nstricteq)
1563         branchCondition = triState(!value.pureToBoolean());
1564 }
1565
1566 RegisterID* BinaryOpNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1567 {
1568     OpcodeID opcodeID = this->opcodeID();
1569
1570     if (opcodeID == op_add && m_expr1->isAdd() && m_expr1->resultDescriptor().definitelyIsString()) {
1571         generator.emitExpressionInfo(position(), position(), position());
1572         return emitStrcat(generator, dst);
1573     }
1574
1575     if (opcodeID == op_neq) {
1576         if (m_expr1->isNull() || m_expr2->isNull()) {
1577             RefPtr<RegisterID> src = generator.tempDestination(dst);
1578             generator.emitNode(src.get(), m_expr1->isNull() ? m_expr2 : m_expr1);
1579             return generator.emitUnaryOp(op_neq_null, generator.finalDestination(dst, src.get()), src.get());
1580         }
1581     }
1582
1583     ExpressionNode* left = m_expr1;
1584     ExpressionNode* right = m_expr2;
1585     if (opcodeID == op_neq || opcodeID == op_nstricteq) {
1586         if (left->isString())
1587             std::swap(left, right);
1588     }
1589
1590     RefPtr<RegisterID> src1 = generator.emitNodeForLeftHandSide(left, m_rightHasAssignments, right->isPure(generator));
1591     bool wasTypeof = generator.lastOpcodeID() == op_typeof;
1592     RefPtr<RegisterID> src2 = generator.emitNode(right);
1593     generator.emitExpressionInfo(position(), position(), position());
1594     if (wasTypeof && (opcodeID == op_neq || opcodeID == op_nstricteq)) {
1595         RefPtr<RegisterID> tmp = generator.tempDestination(dst);
1596         if (opcodeID == op_neq)
1597             generator.emitEqualityOp(op_eq, generator.finalDestination(tmp.get(), src1.get()), src1.get(), src2.get());
1598         else if (opcodeID == op_nstricteq)
1599             generator.emitEqualityOp(op_stricteq, generator.finalDestination(tmp.get(), src1.get()), src1.get(), src2.get());
1600         else
1601             RELEASE_ASSERT_NOT_REACHED();
1602         return generator.emitUnaryOp(op_not, generator.finalDestination(dst, tmp.get()), tmp.get());
1603     }
1604     RegisterID* result = generator.emitBinaryOp(opcodeID, generator.finalDestination(dst, src1.get()), src1.get(), src2.get(), OperandTypes(left->resultDescriptor(), right->resultDescriptor()));
1605     if (opcodeID == op_urshift && dst != generator.ignoredResult())
1606         return generator.emitUnaryOp(op_unsigned, result, result);
1607     return result;
1608 }
1609
1610 RegisterID* EqualNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1611 {
1612     if (m_expr1->isNull() || m_expr2->isNull()) {
1613         RefPtr<RegisterID> src = generator.tempDestination(dst);
1614         generator.emitNode(src.get(), m_expr1->isNull() ? m_expr2 : m_expr1);
1615         return generator.emitUnaryOp(op_eq_null, generator.finalDestination(dst, src.get()), src.get());
1616     }
1617
1618     ExpressionNode* left = m_expr1;
1619     ExpressionNode* right = m_expr2;
1620     if (left->isString())
1621         std::swap(left, right);
1622
1623     RefPtr<RegisterID> src1 = generator.emitNodeForLeftHandSide(left, m_rightHasAssignments, m_expr2->isPure(generator));
1624     RefPtr<RegisterID> src2 = generator.emitNode(right);
1625     return generator.emitEqualityOp(op_eq, generator.finalDestination(dst, src1.get()), src1.get(), src2.get());
1626 }
1627
1628 RegisterID* StrictEqualNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1629 {
1630     ExpressionNode* left = m_expr1;
1631     ExpressionNode* right = m_expr2;
1632     if (left->isString())
1633         std::swap(left, right);
1634
1635     RefPtr<RegisterID> src1 = generator.emitNodeForLeftHandSide(left, m_rightHasAssignments, m_expr2->isPure(generator));
1636     RefPtr<RegisterID> src2 = generator.emitNode(right);
1637     return generator.emitEqualityOp(op_stricteq, generator.finalDestination(dst, src1.get()), src1.get(), src2.get());
1638 }
1639
1640 RegisterID* ThrowableBinaryOpNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1641 {
1642     RefPtr<RegisterID> src1 = generator.emitNodeForLeftHandSide(m_expr1, m_rightHasAssignments, m_expr2->isPure(generator));
1643     RefPtr<RegisterID> src2 = generator.emitNode(m_expr2);
1644     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
1645     return generator.emitBinaryOp(opcodeID(), generator.finalDestination(dst, src1.get()), src1.get(), src2.get(), OperandTypes(m_expr1->resultDescriptor(), m_expr2->resultDescriptor()));
1646 }
1647
1648 RegisterID* InstanceOfNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1649 {
1650     RefPtr<RegisterID> src1 = generator.emitNodeForLeftHandSide(m_expr1, m_rightHasAssignments, m_expr2->isPure(generator));
1651     RefPtr<RegisterID> src2 = generator.emitNode(m_expr2);
1652     RefPtr<RegisterID> prototype = generator.newTemporary();
1653     RefPtr<RegisterID> dstReg = generator.finalDestination(dst, src1.get());
1654     RefPtr<Label> target = generator.newLabel();
1655
1656     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
1657     generator.emitCheckHasInstance(dstReg.get(), src1.get(), src2.get(), target.get());
1658
1659     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
1660     generator.emitGetById(prototype.get(), src2.get(), generator.vm()->propertyNames->prototype);
1661
1662     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
1663     RegisterID* result = generator.emitInstanceOf(dstReg.get(), src1.get(), prototype.get());
1664     generator.emitLabel(target.get());
1665     return result;
1666 }
1667
1668 // ------------------------------ LogicalOpNode ----------------------------
1669
1670 RegisterID* LogicalOpNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1671 {
1672     RefPtr<RegisterID> temp = generator.tempDestination(dst);
1673     RefPtr<Label> target = generator.newLabel();
1674     
1675     generator.emitNode(temp.get(), m_expr1);
1676     if (m_operator == OpLogicalAnd)
1677         generator.emitJumpIfFalse(temp.get(), target.get());
1678     else
1679         generator.emitJumpIfTrue(temp.get(), target.get());
1680     generator.emitNode(temp.get(), m_expr2);
1681     generator.emitLabel(target.get());
1682
1683     return generator.moveToDestinationIfNeeded(dst, temp.get());
1684 }
1685
1686 void LogicalOpNode::emitBytecodeInConditionContext(BytecodeGenerator& generator, Label* trueTarget, Label* falseTarget, FallThroughMode fallThroughMode)
1687 {
1688     RefPtr<Label> afterExpr1 = generator.newLabel();
1689     if (m_operator == OpLogicalAnd)
1690         generator.emitNodeInConditionContext(m_expr1, afterExpr1.get(), falseTarget, FallThroughMeansTrue);
1691     else 
1692         generator.emitNodeInConditionContext(m_expr1, trueTarget, afterExpr1.get(), FallThroughMeansFalse);
1693     generator.emitLabel(afterExpr1.get());
1694
1695     generator.emitNodeInConditionContext(m_expr2, trueTarget, falseTarget, fallThroughMode);
1696 }
1697
1698 // ------------------------------ ConditionalNode ------------------------------
1699
1700 RegisterID* ConditionalNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1701 {
1702     RefPtr<RegisterID> newDst = generator.finalDestination(dst);
1703     RefPtr<Label> beforeElse = generator.newLabel();
1704     RefPtr<Label> afterElse = generator.newLabel();
1705
1706     RefPtr<Label> beforeThen = generator.newLabel();
1707     generator.emitNodeInConditionContext(m_logical, beforeThen.get(), beforeElse.get(), FallThroughMeansTrue);
1708     generator.emitLabel(beforeThen.get());
1709
1710     generator.emitProfileControlFlow(m_expr1->startOffset());
1711     generator.emitNode(newDst.get(), m_expr1);
1712     generator.emitJump(afterElse.get());
1713
1714     generator.emitLabel(beforeElse.get());
1715     generator.emitProfileControlFlow(m_expr1->endOffset() + 1);
1716     generator.emitNode(newDst.get(), m_expr2);
1717
1718     generator.emitLabel(afterElse.get());
1719
1720     generator.emitProfileControlFlow(m_expr2->endOffset() + 1);
1721
1722     return newDst.get();
1723 }
1724
1725 // ------------------------------ ReadModifyResolveNode -----------------------------------
1726
1727 // FIXME: should this be moved to be a method on BytecodeGenerator?
1728 static ALWAYS_INLINE RegisterID* emitReadModifyAssignment(BytecodeGenerator& generator, RegisterID* dst, RegisterID* src1, ExpressionNode* m_right, Operator oper, OperandTypes types, ReadModifyResolveNode* emitExpressionInfoForMe = 0)
1729 {
1730     OpcodeID opcodeID;
1731     switch (oper) {
1732         case OpMultEq:
1733             opcodeID = op_mul;
1734             break;
1735         case OpDivEq:
1736             opcodeID = op_div;
1737             break;
1738         case OpPlusEq:
1739             if (m_right->isAdd() && m_right->resultDescriptor().definitelyIsString())
1740                 return static_cast<AddNode*>(m_right)->emitStrcat(generator, dst, src1, emitExpressionInfoForMe);
1741             opcodeID = op_add;
1742             break;
1743         case OpMinusEq:
1744             opcodeID = op_sub;
1745             break;
1746         case OpLShift:
1747             opcodeID = op_lshift;
1748             break;
1749         case OpRShift:
1750             opcodeID = op_rshift;
1751             break;
1752         case OpURShift:
1753             opcodeID = op_urshift;
1754             break;
1755         case OpAndEq:
1756             opcodeID = op_bitand;
1757             break;
1758         case OpXOrEq:
1759             opcodeID = op_bitxor;
1760             break;
1761         case OpOrEq:
1762             opcodeID = op_bitor;
1763             break;
1764         case OpModEq:
1765             opcodeID = op_mod;
1766             break;
1767         default:
1768             RELEASE_ASSERT_NOT_REACHED();
1769             return dst;
1770     }
1771
1772     RegisterID* src2 = generator.emitNode(m_right);
1773
1774     // Certain read-modify nodes require expression info to be emitted *after* m_right has been generated.
1775     // If this is required the node is passed as 'emitExpressionInfoForMe'; do so now.
1776     if (emitExpressionInfoForMe)
1777         generator.emitExpressionInfo(emitExpressionInfoForMe->divot(), emitExpressionInfoForMe->divotStart(), emitExpressionInfoForMe->divotEnd());
1778     RegisterID* result = generator.emitBinaryOp(opcodeID, dst, src1, src2, types);
1779     if (oper == OpURShift)
1780         return generator.emitUnaryOp(op_unsigned, result, result);
1781     return result;
1782 }
1783
1784 RegisterID* ReadModifyResolveNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1785 {
1786     JSTextPosition newDivot = divotStart() + m_ident.length();
1787     Variable var = generator.variable(m_ident);
1788     if (RegisterID* local = var.local()) {
1789         generator.emitTDZCheckIfNecessary(var, local, nullptr);
1790         if (var.isReadOnly()) {
1791             generator.emitReadOnlyExceptionIfNeeded();
1792             return emitReadModifyAssignment(generator, generator.finalDestination(dst), local, m_right, m_operator, OperandTypes(ResultType::unknownType(), m_right->resultDescriptor()));
1793         }
1794         
1795         if (generator.vm()->typeProfiler()
1796             || generator.leftHandSideNeedsCopy(m_rightHasAssignments, m_right->isPure(generator))) {
1797             RefPtr<RegisterID> result = generator.newTemporary();
1798             generator.emitMove(result.get(), local);
1799             emitReadModifyAssignment(generator, result.get(), result.get(), m_right, m_operator, OperandTypes(ResultType::unknownType(), m_right->resultDescriptor()));
1800             generator.emitMove(local, result.get());
1801             generator.invalidateForInContextForLocal(local);
1802             if (generator.vm()->typeProfiler())
1803                 generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
1804             return generator.moveToDestinationIfNeeded(dst, result.get());
1805         }
1806         
1807         RegisterID* result = emitReadModifyAssignment(generator, local, local, m_right, m_operator, OperandTypes(ResultType::unknownType(), m_right->resultDescriptor()));
1808         generator.invalidateForInContextForLocal(local);
1809         return generator.moveToDestinationIfNeeded(dst, result);
1810     }
1811
1812     generator.emitExpressionInfo(newDivot, divotStart(), newDivot);
1813     RefPtr<RegisterID> scope = generator.emitResolveScope(nullptr, var);
1814     RefPtr<RegisterID> value = generator.emitGetFromScope(generator.newTemporary(), scope.get(), var, ThrowIfNotFound);
1815     generator.emitTDZCheckIfNecessary(var, value.get(), nullptr);
1816     RefPtr<RegisterID> result = emitReadModifyAssignment(generator, generator.finalDestination(dst, value.get()), value.get(), m_right, m_operator, OperandTypes(ResultType::unknownType(), m_right->resultDescriptor()), this);
1817     RegisterID* returnResult = generator.emitPutToScope(scope.get(), var, result.get(), ThrowIfNotFound);
1818     if (generator.vm()->typeProfiler()) {
1819         generator.emitProfileType(result.get(), var.isResolved() ? ProfileTypeBytecodePutToLocalScope : ProfileTypeBytecodePutToScope, &m_ident);
1820         generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
1821     }
1822     return returnResult;
1823 }
1824
1825 // ------------------------------ AssignResolveNode -----------------------------------
1826
1827 RegisterID* AssignResolveNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1828 {
1829     Variable var = generator.variable(m_ident);
1830     if (RegisterID* local = var.local()) {
1831         RegisterID* result = nullptr;
1832         if (m_assignmentContext == AssignmentContext::AssignmentExpression)
1833             generator.emitTDZCheckIfNecessary(var, local, nullptr);
1834         if (var.isReadOnly()) {
1835             generator.emitReadOnlyExceptionIfNeeded();
1836             result = generator.emitNode(dst, m_right);
1837         } else if (var.isSpecial() || generator.vm()->typeProfiler()) {
1838             RefPtr<RegisterID> tempDst = generator.tempDestination(dst);
1839             generator.emitNode(tempDst.get(), m_right);
1840             generator.emitMove(local, tempDst.get());
1841             generator.invalidateForInContextForLocal(local);
1842             if (generator.vm()->typeProfiler())
1843                 generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
1844             result = generator.moveToDestinationIfNeeded(dst, tempDst.get());
1845         } else {
1846             RegisterID* right = generator.emitNode(local, m_right);
1847             generator.invalidateForInContextForLocal(local);
1848             result = generator.moveToDestinationIfNeeded(dst, right);
1849         }
1850
1851         if (m_assignmentContext == AssignmentContext::DeclarationStatement)
1852             generator.liftTDZCheckIfPossible(var);
1853         return result;
1854     }
1855
1856     if (generator.isStrictMode())
1857         generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
1858     RefPtr<RegisterID> scope = generator.emitResolveScope(nullptr, var);
1859     if (m_assignmentContext == AssignmentContext::AssignmentExpression)
1860         generator.emitTDZCheckIfNecessary(var, nullptr, scope.get());
1861     if (dst == generator.ignoredResult())
1862         dst = 0;
1863     RefPtr<RegisterID> result = generator.emitNode(dst, m_right);
1864     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
1865     RegisterID* returnResult = generator.emitPutToScope(scope.get(), var, result.get(), generator.isStrictMode() ? ThrowIfNotFound : DoNotThrowIfNotFound);
1866     if (generator.vm()->typeProfiler()) {
1867         generator.emitProfileType(result.get(), var.isResolved() ? ProfileTypeBytecodePutToLocalScope : ProfileTypeBytecodePutToScope, &m_ident);
1868         generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
1869     }
1870
1871     if (m_assignmentContext == AssignmentContext::DeclarationStatement)
1872         generator.liftTDZCheckIfPossible(var);
1873     return returnResult;
1874 }
1875
1876 // ------------------------------ AssignDotNode -----------------------------------
1877
1878 RegisterID* AssignDotNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1879 {
1880     RefPtr<RegisterID> base = generator.emitNodeForLeftHandSide(m_base, m_rightHasAssignments, m_right->isPure(generator));
1881     RefPtr<RegisterID> value = generator.destinationForAssignResult(dst);
1882     RefPtr<RegisterID> result = generator.emitNode(value.get(), m_right);
1883     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
1884     RegisterID* forwardResult = (dst == generator.ignoredResult()) ? result.get() : generator.moveToDestinationIfNeeded(generator.tempDestination(result.get()), result.get());
1885     generator.emitPutById(base.get(), m_ident, forwardResult);
1886     if (generator.vm()->typeProfiler()) {
1887         generator.emitProfileType(forwardResult, ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
1888         generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
1889     }
1890     return generator.moveToDestinationIfNeeded(dst, forwardResult);
1891 }
1892
1893 // ------------------------------ ReadModifyDotNode -----------------------------------
1894
1895 RegisterID* ReadModifyDotNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1896 {
1897     RefPtr<RegisterID> base = generator.emitNodeForLeftHandSide(m_base, m_rightHasAssignments, m_right->isPure(generator));
1898
1899     generator.emitExpressionInfo(subexpressionDivot(), subexpressionStart(), subexpressionEnd());
1900     RefPtr<RegisterID> value = generator.emitGetById(generator.tempDestination(dst), base.get(), m_ident);
1901     RegisterID* updatedValue = emitReadModifyAssignment(generator, generator.finalDestination(dst, value.get()), value.get(), m_right, static_cast<JSC::Operator>(m_operator), OperandTypes(ResultType::unknownType(), m_right->resultDescriptor()));
1902
1903     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
1904     RegisterID* ret = generator.emitPutById(base.get(), m_ident, updatedValue);
1905     if (generator.vm()->typeProfiler()) {
1906         generator.emitProfileType(updatedValue, ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
1907         generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
1908     }
1909     return ret;
1910 }
1911
1912 // ------------------------------ AssignErrorNode -----------------------------------
1913
1914 RegisterID* AssignErrorNode::emitBytecode(BytecodeGenerator& generator, RegisterID*)
1915 {
1916     return emitThrowReferenceError(generator, ASCIILiteral("Left side of assignment is not a reference."));
1917 }
1918
1919 // ------------------------------ AssignBracketNode -----------------------------------
1920
1921 RegisterID* AssignBracketNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1922 {
1923     RefPtr<RegisterID> base = generator.emitNodeForLeftHandSide(m_base, m_subscriptHasAssignments || m_rightHasAssignments, m_subscript->isPure(generator) && m_right->isPure(generator));
1924     RefPtr<RegisterID> property = generator.emitNodeForLeftHandSide(m_subscript, m_rightHasAssignments, m_right->isPure(generator));
1925     RefPtr<RegisterID> value = generator.destinationForAssignResult(dst);
1926     RefPtr<RegisterID> result = generator.emitNode(value.get(), m_right);
1927
1928     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
1929     RegisterID* forwardResult = (dst == generator.ignoredResult()) ? result.get() : generator.moveToDestinationIfNeeded(generator.tempDestination(result.get()), result.get());
1930
1931     if (m_subscript->isString())
1932         generator.emitPutById(base.get(), static_cast<StringNode*>(m_subscript)->value(), forwardResult);
1933     else
1934         generator.emitPutByVal(base.get(), property.get(), forwardResult);
1935
1936     if (generator.vm()->typeProfiler()) {
1937         generator.emitProfileType(forwardResult, ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
1938         generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
1939     }
1940     return generator.moveToDestinationIfNeeded(dst, forwardResult);
1941 }
1942
1943 // ------------------------------ ReadModifyBracketNode -----------------------------------
1944
1945 RegisterID* ReadModifyBracketNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1946 {
1947     RefPtr<RegisterID> base = generator.emitNodeForLeftHandSide(m_base, m_subscriptHasAssignments || m_rightHasAssignments, m_subscript->isPure(generator) && m_right->isPure(generator));
1948     RefPtr<RegisterID> property = generator.emitNodeForLeftHandSide(m_subscript, m_rightHasAssignments, m_right->isPure(generator));
1949
1950     generator.emitExpressionInfo(subexpressionDivot(), subexpressionStart(), subexpressionEnd());
1951     RefPtr<RegisterID> value = generator.emitGetByVal(generator.tempDestination(dst), base.get(), property.get());
1952     RegisterID* updatedValue = emitReadModifyAssignment(generator, generator.finalDestination(dst, value.get()), value.get(), m_right, static_cast<JSC::Operator>(m_operator), OperandTypes(ResultType::unknownType(), m_right->resultDescriptor()));
1953
1954     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
1955     generator.emitPutByVal(base.get(), property.get(), updatedValue);
1956     if (generator.vm()->typeProfiler()) {
1957         generator.emitProfileType(updatedValue, ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
1958         generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
1959     }
1960
1961     return updatedValue;
1962 }
1963
1964 // ------------------------------ CommaNode ------------------------------------
1965
1966 RegisterID* CommaNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
1967 {
1968     CommaNode* node = this;
1969     for (; node && node->next(); node = node->next())
1970         generator.emitNode(generator.ignoredResult(), node->m_expr);
1971     return generator.emitNode(dst, node->m_expr);
1972 }
1973
1974 // ------------------------------ ConstDeclNode ------------------------------------
1975
1976 RegisterID* ConstDeclNode::emitCodeSingle(BytecodeGenerator& generator)
1977 {
1978     // FIXME: This code does not match the behavior of const in Firefox.
1979     Variable var = generator.variable(m_ident);
1980     if (RegisterID* local = var.local()) {
1981         if (!m_init)
1982             return local;
1983
1984         // FIXME: Maybe call emitExpressionInfo here.
1985         if (var.isSpecial() || generator.vm()->typeProfiler()) {
1986             RefPtr<RegisterID> tempDst = generator.newTemporary();
1987             generator.emitNode(tempDst.get(), m_init);
1988             return generator.emitMove(local, tempDst.get());
1989         }
1990         
1991         return generator.emitNode(local, m_init);
1992     }
1993
1994     RefPtr<RegisterID> value = m_init ? generator.emitNode(m_init) : generator.emitLoad(0, jsUndefined());
1995
1996     if (generator.codeType() == GlobalCode)
1997         return generator.emitInitGlobalConst(m_ident, value.get());
1998
1999     if (generator.codeType() != EvalCode) {
2000         // Do a special kind of resolution. If anything fails, then don't perform the assignment. This is
2001         // pretty shady - particularly how negligent it is with inteleaving scopes - but it's the
2002         // behavior that JSC has had for a long time.
2003         
2004         ASSERT(generator.codeType() == FunctionCode);
2005         
2006         var = generator.variablePerSymbolTable(m_ident);
2007         if (!var.isResolved())
2008             return value.get();
2009         
2010         RefPtr<RegisterID> scope = generator.emitResolveScope(generator.newTemporary(), var);
2011         return generator.emitPutToScope(scope.get(), var, value.get(), DoNotThrowIfNotFound);
2012     }
2013
2014     // FIXME: This will result in incorrect assignment if m_ident exists in an intervening with scope.
2015     RefPtr<RegisterID> scope = generator.emitResolveScope(nullptr, var);
2016     return generator.emitPutToScope(scope.get(), var, value.get(), DoNotThrowIfNotFound);
2017 }
2018
2019 RegisterID* ConstDeclNode::emitBytecode(BytecodeGenerator& generator, RegisterID*)
2020 {
2021     RegisterID* result = 0;
2022     for (ConstDeclNode* n = this; n; n = n->m_next)
2023         result = n->emitCodeSingle(generator);
2024
2025     return result;
2026 }
2027
2028 // ------------------------------ ConstStatementNode -----------------------------
2029
2030 void ConstStatementNode::emitBytecode(BytecodeGenerator& generator, RegisterID*)
2031 {
2032     generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
2033     generator.emitNode(m_next);
2034 }
2035
2036 // ------------------------------ SourceElements -------------------------------
2037
2038
2039 inline StatementNode* SourceElements::lastStatement() const
2040 {
2041     return m_tail;
2042 }
2043
2044 inline void SourceElements::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
2045 {
2046     for (StatementNode* statement = m_head; statement; statement = statement->next())
2047         generator.emitNode(dst, statement);
2048 }
2049
2050 // ------------------------------ BlockNode ------------------------------------
2051
2052 inline StatementNode* BlockNode::lastStatement() const
2053 {
2054     return m_statements ? m_statements->lastStatement() : 0;
2055 }
2056
2057 StatementNode* BlockNode::singleStatement() const
2058 {
2059     return m_statements ? m_statements->singleStatement() : 0;
2060 }
2061
2062 void BlockNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
2063 {
2064     if (!m_statements)
2065         return;
2066     generator.pushLexicalScope(this, true);
2067     m_statements->emitBytecode(generator, dst);
2068     generator.popLexicalScope(this);
2069 }
2070
2071 // ------------------------------ EmptyStatementNode ---------------------------
2072
2073 void EmptyStatementNode::emitBytecode(BytecodeGenerator& generator, RegisterID*)
2074 {
2075     generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
2076 }
2077
2078 // ------------------------------ DebuggerStatementNode ---------------------------
2079
2080 void DebuggerStatementNode::emitBytecode(BytecodeGenerator& generator, RegisterID*)
2081 {
2082     generator.emitDebugHook(DidReachBreakpoint, lastLine(), startOffset(), lineStartOffset());
2083 }
2084
2085 // ------------------------------ ExprStatementNode ----------------------------
2086
2087 void ExprStatementNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
2088 {
2089     ASSERT(m_expr);
2090     generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
2091     generator.emitNode(dst, m_expr);
2092 }
2093
2094 // ------------------------------ DeclarationStatement ----------------------------
2095
2096 void DeclarationStatement::emitBytecode(BytecodeGenerator& generator, RegisterID*)
2097 {
2098     ASSERT(m_expr);
2099     generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
2100     generator.emitNode(m_expr);
2101 }
2102
2103 // ------------------------------ EmptyVarExpression ----------------------------
2104
2105 RegisterID* EmptyVarExpression::emitBytecode(BytecodeGenerator& generator, RegisterID*)
2106 {
2107     // It's safe to return null here because this node will always be a child node of DeclarationStatement which ignores our return value.
2108     if (!generator.vm()->typeProfiler())
2109         return nullptr;
2110
2111     Variable var = generator.variable(m_ident);
2112     if (RegisterID* local = var.local())
2113         generator.emitProfileType(local, ProfileTypeBytecodeHasGlobalID, nullptr);
2114     else {
2115         RefPtr<RegisterID> scope = generator.emitResolveScope(nullptr, var);
2116         RefPtr<RegisterID> value = generator.emitGetFromScope(generator.newTemporary(), scope.get(), var, DoNotThrowIfNotFound);
2117         generator.emitProfileType(value.get(), var.isResolved() ? ProfileTypeBytecodeGetFromLocalScope : ProfileTypeBytecodeGetFromScope, &m_ident);
2118     }
2119
2120     generator.emitTypeProfilerExpressionInfo(position(), JSTextPosition(-1, position().offset + m_ident.length(), -1));
2121
2122     return nullptr;
2123 }
2124
2125 // ------------------------------ EmptyLetExpression ----------------------------
2126
2127 RegisterID* EmptyLetExpression::emitBytecode(BytecodeGenerator& generator, RegisterID*)
2128 {
2129     // Lexical declarations like 'let' must move undefined into their variables so we don't
2130     // get TDZ errors for situations like this: `let x; x;`
2131     Variable var = generator.variable(m_ident);
2132     if (RegisterID* local = var.local()) {
2133         generator.emitLoad(local, jsUndefined());
2134         if (generator.vm()->typeProfiler())
2135             generator.emitProfileType(local, ProfileTypeBytecodeHasGlobalID, nullptr);
2136     } else {
2137         RefPtr<RegisterID> scope = generator.emitResolveScope(nullptr, var);
2138         RefPtr<RegisterID> value = generator.emitLoad(nullptr, jsUndefined());
2139         generator.emitPutToScope(scope.get(), var, value.get(), generator.isStrictMode() ? ThrowIfNotFound : DoNotThrowIfNotFound);
2140         if (generator.vm()->typeProfiler())
2141             generator.emitProfileType(value.get(), var.isResolved() ? ProfileTypeBytecodeGetFromLocalScope : ProfileTypeBytecodeGetFromScope, &m_ident);
2142     }
2143     if (generator.vm()->typeProfiler())
2144         generator.emitTypeProfilerExpressionInfo(position(), JSTextPosition(-1, position().offset + m_ident.length(), -1));
2145
2146     // It's safe to return null here because this node will always be a child node of DeclarationStatement which ignores our return value.
2147     return nullptr;
2148 }
2149
2150 // ------------------------------ IfElseNode ---------------------------------------
2151
2152 static inline StatementNode* singleStatement(StatementNode* statementNode)
2153 {
2154     if (statementNode->isBlock())
2155         return static_cast<BlockNode*>(statementNode)->singleStatement();
2156     return statementNode;
2157 }
2158
2159 bool IfElseNode::tryFoldBreakAndContinue(BytecodeGenerator& generator, StatementNode* ifBlock,
2160     Label*& trueTarget, FallThroughMode& fallThroughMode)
2161 {
2162     StatementNode* singleStatement = JSC::singleStatement(ifBlock);
2163     if (!singleStatement)
2164         return false;
2165
2166     if (singleStatement->isBreak()) {
2167         BreakNode* breakNode = static_cast<BreakNode*>(singleStatement);
2168         Label* target = breakNode->trivialTarget(generator);
2169         if (!target)
2170             return false;
2171         trueTarget = target;
2172         fallThroughMode = FallThroughMeansFalse;
2173         return true;
2174     }
2175
2176     if (singleStatement->isContinue()) {
2177         ContinueNode* continueNode = static_cast<ContinueNode*>(singleStatement);
2178         Label* target = continueNode->trivialTarget(generator);
2179         if (!target)
2180             return false;
2181         trueTarget = target;
2182         fallThroughMode = FallThroughMeansFalse;
2183         return true;
2184     }
2185
2186     return false;
2187 }
2188
2189 void IfElseNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
2190 {
2191     generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
2192     
2193     RefPtr<Label> beforeThen = generator.newLabel();
2194     RefPtr<Label> beforeElse = generator.newLabel();
2195     RefPtr<Label> afterElse = generator.newLabel();
2196
2197     Label* trueTarget = beforeThen.get();
2198     Label* falseTarget = beforeElse.get();
2199     FallThroughMode fallThroughMode = FallThroughMeansTrue;
2200     bool didFoldIfBlock = tryFoldBreakAndContinue(generator, m_ifBlock, trueTarget, fallThroughMode);
2201
2202     generator.emitNodeInConditionContext(m_condition, trueTarget, falseTarget, fallThroughMode);
2203     generator.emitLabel(beforeThen.get());
2204     generator.emitProfileControlFlow(m_ifBlock->startOffset());
2205
2206     if (!didFoldIfBlock) {
2207         generator.emitNode(dst, m_ifBlock);
2208         if (m_elseBlock)
2209             generator.emitJump(afterElse.get());
2210     }
2211
2212     generator.emitLabel(beforeElse.get());
2213
2214     if (m_elseBlock) {
2215         generator.emitProfileControlFlow(m_ifBlock->endOffset() + (m_ifBlock->isBlock() ? 1 : 0));
2216         generator.emitNode(dst, m_elseBlock);
2217     }
2218
2219     generator.emitLabel(afterElse.get());
2220     StatementNode* endingBlock = m_elseBlock ? m_elseBlock : m_ifBlock;
2221     generator.emitProfileControlFlow(endingBlock->endOffset() + (endingBlock->isBlock() ? 1 : 0));
2222 }
2223
2224 // ------------------------------ DoWhileNode ----------------------------------
2225
2226 void DoWhileNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
2227 {
2228     LabelScopePtr scope = generator.newLabelScope(LabelScope::Loop);
2229
2230     RefPtr<Label> topOfLoop = generator.newLabel();
2231     generator.emitLabel(topOfLoop.get());
2232     generator.emitLoopHint();
2233     generator.emitDebugHook(WillExecuteStatement, lastLine(), startOffset(), lineStartOffset());
2234
2235     generator.emitNode(dst, m_statement);
2236
2237     generator.emitLabel(scope->continueTarget());
2238     generator.emitDebugHook(WillExecuteStatement, lastLine(), startOffset(), lineStartOffset());
2239     generator.emitNodeInConditionContext(m_expr, topOfLoop.get(), scope->breakTarget(), FallThroughMeansFalse);
2240
2241     generator.emitLabel(scope->breakTarget());
2242 }
2243
2244 // ------------------------------ WhileNode ------------------------------------
2245
2246 void WhileNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
2247 {
2248     LabelScopePtr scope = generator.newLabelScope(LabelScope::Loop);
2249     RefPtr<Label> topOfLoop = generator.newLabel();
2250
2251     generator.emitDebugHook(WillExecuteStatement, m_expr->firstLine(), m_expr->startOffset(), m_expr->lineStartOffset());
2252     generator.emitNodeInConditionContext(m_expr, topOfLoop.get(), scope->breakTarget(), FallThroughMeansTrue);
2253
2254     generator.emitLabel(topOfLoop.get());
2255     generator.emitLoopHint();
2256     
2257     generator.emitProfileControlFlow(m_statement->startOffset());
2258     generator.emitNode(dst, m_statement);
2259
2260     generator.emitLabel(scope->continueTarget());
2261     generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
2262
2263     generator.emitNodeInConditionContext(m_expr, topOfLoop.get(), scope->breakTarget(), FallThroughMeansFalse);
2264
2265     generator.emitLabel(scope->breakTarget());
2266
2267     generator.emitProfileControlFlow(m_statement->endOffset() + (m_statement->isBlock() ? 1 : 0));
2268 }
2269
2270 // ------------------------------ ForNode --------------------------------------
2271
2272 void ForNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
2273 {
2274     LabelScopePtr scope = generator.newLabelScope(LabelScope::Loop);
2275
2276     RegisterID* forLoopSymbolTable = nullptr;
2277     generator.pushLexicalScope(this, true, &forLoopSymbolTable);
2278
2279     generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
2280
2281     if (m_expr1)
2282         generator.emitNode(generator.ignoredResult(), m_expr1);
2283     
2284     RefPtr<Label> topOfLoop = generator.newLabel();
2285     if (m_expr2)
2286         generator.emitNodeInConditionContext(m_expr2, topOfLoop.get(), scope->breakTarget(), FallThroughMeansTrue);
2287
2288     generator.emitLabel(topOfLoop.get());
2289     generator.emitLoopHint();
2290     generator.emitProfileControlFlow(m_statement->startOffset());
2291
2292     generator.emitNode(dst, m_statement);
2293
2294     generator.emitLabel(scope->continueTarget());
2295     generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
2296     generator.prepareLexicalScopeForNextForLoopIteration(this, forLoopSymbolTable);
2297     if (m_expr3)
2298         generator.emitNode(generator.ignoredResult(), m_expr3);
2299
2300     if (m_expr2)
2301         generator.emitNodeInConditionContext(m_expr2, topOfLoop.get(), scope->breakTarget(), FallThroughMeansFalse);
2302     else
2303         generator.emitJump(topOfLoop.get());
2304
2305     generator.emitLabel(scope->breakTarget());
2306     generator.popLexicalScope(this);
2307     generator.emitProfileControlFlow(m_statement->endOffset() + (m_statement->isBlock() ? 1 : 0));
2308 }
2309
2310 // ------------------------------ ForInNode ------------------------------------
2311
2312 RegisterID* ForInNode::tryGetBoundLocal(BytecodeGenerator& generator)
2313 {
2314     if (m_lexpr->isResolveNode()) {
2315         const Identifier& ident = static_cast<ResolveNode*>(m_lexpr)->identifier();
2316         return generator.variable(ident).local();
2317     }
2318
2319     if (m_lexpr->isDestructuringNode()) {
2320         DestructuringAssignmentNode* assignNode = static_cast<DestructuringAssignmentNode*>(m_lexpr);
2321         auto binding = assignNode->bindings();
2322         if (!binding->isBindingNode())
2323             return nullptr;
2324
2325         auto simpleBinding = static_cast<BindingNode*>(binding);
2326         const Identifier& ident = simpleBinding->boundProperty();
2327         Variable var = generator.variable(ident);
2328         if (var.isSpecial())
2329             return nullptr;
2330         return var.local();
2331     }
2332
2333     return nullptr;
2334 }
2335
2336 void ForInNode::emitLoopHeader(BytecodeGenerator& generator, RegisterID* propertyName)
2337 {
2338     if (m_lexpr->isResolveNode()) {
2339         const Identifier& ident = static_cast<ResolveNode*>(m_lexpr)->identifier();
2340         Variable var = generator.variable(ident);
2341         if (RegisterID* local = var.local())
2342             generator.emitMove(local, propertyName);
2343         else {
2344             if (generator.isStrictMode())
2345                 generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
2346             RegisterID* scope = generator.emitResolveScope(nullptr, var);
2347             generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
2348             generator.emitPutToScope(scope, var, propertyName, generator.isStrictMode() ? ThrowIfNotFound : DoNotThrowIfNotFound);
2349             if (generator.vm()->typeProfiler())
2350                 generator.emitProfileType(propertyName, var.isResolved() ? ProfileTypeBytecodePutToLocalScope : ProfileTypeBytecodePutToScope, &ident);
2351         }
2352         if (generator.vm()->typeProfiler())
2353             generator.emitTypeProfilerExpressionInfo(m_lexpr->position(), JSTextPosition(-1, m_lexpr->position().offset + ident.length(), -1));
2354         return;
2355     }
2356     if (m_lexpr->isDotAccessorNode()) {
2357         DotAccessorNode* assignNode = static_cast<DotAccessorNode*>(m_lexpr);
2358         const Identifier& ident = assignNode->identifier();
2359         RegisterID* base = generator.emitNode(assignNode->base());
2360         generator.emitExpressionInfo(assignNode->divot(), assignNode->divotStart(), assignNode->divotEnd());
2361         generator.emitPutById(base, ident, propertyName);
2362         if (generator.vm()->typeProfiler()) {
2363             generator.emitProfileType(propertyName, ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
2364             generator.emitTypeProfilerExpressionInfo(assignNode->divotStart(), assignNode->divotEnd());
2365         }
2366         return;
2367     }
2368     if (m_lexpr->isBracketAccessorNode()) {
2369         BracketAccessorNode* assignNode = static_cast<BracketAccessorNode*>(m_lexpr);
2370         RefPtr<RegisterID> base = generator.emitNode(assignNode->base());
2371         RegisterID* subscript = generator.emitNode(assignNode->subscript());
2372         generator.emitExpressionInfo(assignNode->divot(), assignNode->divotStart(), assignNode->divotEnd());
2373         generator.emitPutByVal(base.get(), subscript, propertyName);
2374         if (generator.vm()->typeProfiler()) {
2375             generator.emitProfileType(propertyName, ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
2376             generator.emitTypeProfilerExpressionInfo(assignNode->divotStart(), assignNode->divotEnd());
2377         }
2378         return;
2379     }
2380
2381     if (m_lexpr->isDestructuringNode()) {
2382         DestructuringAssignmentNode* assignNode = static_cast<DestructuringAssignmentNode*>(m_lexpr);
2383         auto binding = assignNode->bindings();
2384         if (!binding->isBindingNode()) {
2385             assignNode->bindings()->bindValue(generator, propertyName);
2386             return;
2387         }
2388
2389         auto simpleBinding = static_cast<BindingNode*>(binding);
2390         const Identifier& ident = simpleBinding->boundProperty();
2391         Variable var = generator.variable(ident);
2392         if (!var.local() || var.isSpecial()) {
2393             assignNode->bindings()->bindValue(generator, propertyName);
2394             return;
2395         }
2396         generator.emitMove(var.local(), propertyName);
2397         if (generator.vm()->typeProfiler())
2398             generator.emitTypeProfilerExpressionInfo(simpleBinding->divotStart(), simpleBinding->divotEnd());
2399         return;
2400     }
2401
2402     RELEASE_ASSERT_NOT_REACHED();
2403 }
2404
2405 void ForInNode::emitMultiLoopBytecode(BytecodeGenerator& generator, RegisterID* dst)
2406 {
2407     if (!m_lexpr->isAssignmentLocation()) {
2408         emitThrowReferenceError(generator, ASCIILiteral("Left side of for-in statement is not a reference."));
2409         return;
2410     }
2411
2412     RefPtr<Label> end = generator.newLabel();
2413
2414     RegisterID* forLoopSymbolTable = nullptr;
2415     generator.pushLexicalScope(this, true, &forLoopSymbolTable);
2416
2417     generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
2418
2419     RefPtr<RegisterID> base = generator.newTemporary();
2420     RefPtr<RegisterID> length;
2421     RefPtr<RegisterID> enumerator;
2422     generator.emitNode(base.get(), m_expr);
2423     RefPtr<RegisterID> local = this->tryGetBoundLocal(generator);
2424     RefPtr<RegisterID> enumeratorIndex;
2425
2426     int profilerStartOffset = m_statement->startOffset();
2427     int profilerEndOffset = m_statement->endOffset() + (m_statement->isBlock() ? 1 : 0);
2428
2429     enumerator = generator.emitGetPropertyEnumerator(generator.newTemporary(), base.get());
2430
2431     // Indexed property loop.
2432     {
2433         LabelScopePtr scope = generator.newLabelScope(LabelScope::Loop);
2434         RefPtr<Label> loopStart = generator.newLabel();
2435         RefPtr<Label> loopEnd = generator.newLabel();
2436
2437         length = generator.emitGetEnumerableLength(generator.newTemporary(), enumerator.get());
2438         RefPtr<RegisterID> i = generator.emitLoad(generator.newTemporary(), jsNumber(0));
2439         RefPtr<RegisterID> propertyName = generator.newTemporary();
2440
2441         generator.emitLabel(loopStart.get());
2442         generator.emitLoopHint();
2443
2444         RefPtr<RegisterID> result = generator.emitEqualityOp(op_less, generator.newTemporary(), i.get(), length.get());
2445         generator.emitJumpIfFalse(result.get(), loopEnd.get());
2446         generator.emitHasIndexedProperty(result.get(), base.get(), i.get());
2447         generator.emitJumpIfFalse(result.get(), scope->continueTarget());
2448
2449         generator.emitToIndexString(propertyName.get(), i.get());
2450         this->emitLoopHeader(generator, propertyName.get());
2451
2452         generator.emitProfileControlFlow(profilerStartOffset);
2453
2454         generator.pushIndexedForInScope(local.get(), i.get());
2455         generator.emitNode(dst, m_statement);
2456         generator.popIndexedForInScope(local.get());
2457
2458         generator.emitProfileControlFlow(profilerEndOffset);
2459
2460         generator.emitLabel(scope->continueTarget());
2461         generator.prepareLexicalScopeForNextForLoopIteration(this, forLoopSymbolTable);
2462         generator.emitInc(i.get());
2463         generator.emitJump(loopStart.get());
2464
2465         generator.emitLabel(scope->breakTarget());
2466         generator.emitJump(end.get());
2467         generator.emitLabel(loopEnd.get());
2468     }
2469
2470     // Structure property loop.
2471     {
2472         LabelScopePtr scope = generator.newLabelScope(LabelScope::Loop);
2473         RefPtr<Label> loopStart = generator.newLabel();
2474         RefPtr<Label> loopEnd = generator.newLabel();
2475
2476         enumeratorIndex = generator.emitLoad(generator.newTemporary(), jsNumber(0));
2477         RefPtr<RegisterID> propertyName = generator.newTemporary();
2478         generator.emitEnumeratorStructurePropertyName(propertyName.get(), enumerator.get(), enumeratorIndex.get());
2479
2480         generator.emitLabel(loopStart.get());
2481         generator.emitLoopHint();
2482
2483         RefPtr<RegisterID> result = generator.emitUnaryOp(op_eq_null, generator.newTemporary(), propertyName.get());
2484         generator.emitJumpIfTrue(result.get(), loopEnd.get());
2485         generator.emitHasStructureProperty(result.get(), base.get(), propertyName.get(), enumerator.get());
2486         generator.emitJumpIfFalse(result.get(), scope->continueTarget());
2487
2488         this->emitLoopHeader(generator, propertyName.get());
2489
2490         generator.emitProfileControlFlow(profilerStartOffset);
2491
2492         generator.pushStructureForInScope(local.get(), enumeratorIndex.get(), propertyName.get(), enumerator.get());
2493         generator.emitNode(dst, m_statement);
2494         generator.popStructureForInScope(local.get());
2495
2496         generator.emitProfileControlFlow(profilerEndOffset);
2497
2498         generator.emitLabel(scope->continueTarget());
2499         generator.prepareLexicalScopeForNextForLoopIteration(this, forLoopSymbolTable);
2500         generator.emitInc(enumeratorIndex.get());
2501         generator.emitEnumeratorStructurePropertyName(propertyName.get(), enumerator.get(), enumeratorIndex.get());
2502         generator.emitJump(loopStart.get());
2503         
2504         generator.emitLabel(scope->breakTarget());
2505         generator.emitJump(end.get());
2506         generator.emitLabel(loopEnd.get());
2507     }
2508
2509     // Generic property loop.
2510     {
2511         LabelScopePtr scope = generator.newLabelScope(LabelScope::Loop);
2512         RefPtr<Label> loopStart = generator.newLabel();
2513         RefPtr<Label> loopEnd = generator.newLabel();
2514
2515         RefPtr<RegisterID> propertyName = generator.newTemporary();
2516
2517         generator.emitEnumeratorGenericPropertyName(propertyName.get(), enumerator.get(), enumeratorIndex.get());
2518
2519         generator.emitLabel(loopStart.get());
2520         generator.emitLoopHint();
2521
2522         RefPtr<RegisterID> result = generator.emitUnaryOp(op_eq_null, generator.newTemporary(), propertyName.get());
2523         generator.emitJumpIfTrue(result.get(), loopEnd.get());
2524
2525         generator.emitHasGenericProperty(result.get(), base.get(), propertyName.get());
2526         generator.emitJumpIfFalse(result.get(), scope->continueTarget());
2527
2528         this->emitLoopHeader(generator, propertyName.get());
2529
2530         generator.emitProfileControlFlow(profilerStartOffset);
2531
2532         generator.emitNode(dst, m_statement);
2533
2534         generator.emitLabel(scope->continueTarget());
2535         generator.prepareLexicalScopeForNextForLoopIteration(this, forLoopSymbolTable);
2536         generator.emitInc(enumeratorIndex.get());
2537         generator.emitEnumeratorGenericPropertyName(propertyName.get(), enumerator.get(), enumeratorIndex.get());
2538         generator.emitJump(loopStart.get());
2539
2540         generator.emitLabel(scope->breakTarget());
2541         generator.emitJump(end.get());
2542         generator.emitLabel(loopEnd.get());
2543     }
2544
2545     generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
2546     generator.emitLabel(end.get());
2547     generator.popLexicalScope(this);
2548     generator.emitProfileControlFlow(profilerEndOffset);
2549 }
2550
2551 void ForInNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
2552 {
2553     this->emitMultiLoopBytecode(generator, dst);
2554 }
2555
2556 // ------------------------------ ForOfNode ------------------------------------
2557 void ForOfNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
2558 {
2559     if (!m_lexpr->isAssignmentLocation()) {
2560         emitThrowReferenceError(generator, ASCIILiteral("Left side of for-of statement is not a reference."));
2561         return;
2562     }
2563
2564     RegisterID* forLoopSymbolTable = nullptr;
2565     generator.pushLexicalScope(this, true, &forLoopSymbolTable);
2566     generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
2567     auto extractor = [this, dst](BytecodeGenerator& generator, RegisterID* value)
2568     {
2569         if (m_lexpr->isResolveNode()) {
2570             const Identifier& ident = static_cast<ResolveNode*>(m_lexpr)->identifier();
2571             Variable var = generator.variable(ident);
2572             if (RegisterID* local = var.local())
2573                 generator.emitMove(local, value);
2574             else {
2575                 if (generator.isStrictMode())
2576                     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
2577                 RegisterID* scope = generator.emitResolveScope(nullptr, var);
2578                 generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
2579                 generator.emitPutToScope(scope, var, value, generator.isStrictMode() ? ThrowIfNotFound : DoNotThrowIfNotFound);
2580                 if (generator.vm()->typeProfiler())
2581                     generator.emitProfileType(value, var.isResolved() ? ProfileTypeBytecodePutToLocalScope : ProfileTypeBytecodePutToScope, &ident);
2582             }
2583             if (generator.vm()->typeProfiler())
2584                 generator.emitTypeProfilerExpressionInfo(m_lexpr->position(), JSTextPosition(-1, m_lexpr->position().offset + ident.length(), -1));
2585         } else if (m_lexpr->isDotAccessorNode()) {
2586             DotAccessorNode* assignNode = static_cast<DotAccessorNode*>(m_lexpr);
2587             const Identifier& ident = assignNode->identifier();
2588             RefPtr<RegisterID> base = generator.emitNode(assignNode->base());
2589             
2590             generator.emitExpressionInfo(assignNode->divot(), assignNode->divotStart(), assignNode->divotEnd());
2591             generator.emitPutById(base.get(), ident, value);
2592             if (generator.vm()->typeProfiler()) {
2593                 generator.emitProfileType(value, ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
2594                 generator.emitTypeProfilerExpressionInfo(assignNode->divotStart(), assignNode->divotEnd());
2595             }
2596         } else if (m_lexpr->isBracketAccessorNode()) {
2597             BracketAccessorNode* assignNode = static_cast<BracketAccessorNode*>(m_lexpr);
2598             RefPtr<RegisterID> base = generator.emitNode(assignNode->base());
2599             RegisterID* subscript = generator.emitNode(assignNode->subscript());
2600             
2601             generator.emitExpressionInfo(assignNode->divot(), assignNode->divotStart(), assignNode->divotEnd());
2602             generator.emitPutByVal(base.get(), subscript, value);
2603             if (generator.vm()->typeProfiler()) {
2604                 generator.emitProfileType(value, ProfileTypeBytecodeDoesNotHaveGlobalID, nullptr);
2605                 generator.emitTypeProfilerExpressionInfo(assignNode->divotStart(), assignNode->divotEnd());
2606             }
2607         } else {
2608             ASSERT(m_lexpr->isDestructuringNode());
2609             DestructuringAssignmentNode* assignNode = static_cast<DestructuringAssignmentNode*>(m_lexpr);
2610             assignNode->bindings()->bindValue(generator, value);
2611         }
2612         generator.emitProfileControlFlow(m_statement->startOffset());
2613         generator.emitNode(dst, m_statement);
2614     };
2615     generator.emitEnumeration(this, m_expr, extractor, this, forLoopSymbolTable);
2616     generator.popLexicalScope(this);
2617     generator.emitProfileControlFlow(m_statement->endOffset() + (m_statement->isBlock() ? 1 : 0));
2618 }
2619
2620 // ------------------------------ ContinueNode ---------------------------------
2621
2622 Label* ContinueNode::trivialTarget(BytecodeGenerator& generator)
2623 {
2624     if (generator.shouldEmitDebugHooks())
2625         return 0;
2626
2627     LabelScopePtr scope = generator.continueTarget(m_ident);
2628     ASSERT(scope);
2629
2630     if (generator.scopeDepth() != scope->scopeDepth())
2631         return 0;
2632
2633     return scope->continueTarget();
2634 }
2635
2636 void ContinueNode::emitBytecode(BytecodeGenerator& generator, RegisterID*)
2637 {
2638     generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
2639     
2640     LabelScopePtr scope = generator.continueTarget(m_ident);
2641     ASSERT(scope);
2642
2643     generator.emitPopScopes(generator.scopeRegister(), scope->scopeDepth());
2644     generator.emitJump(scope->continueTarget());
2645
2646     generator.emitProfileControlFlow(endOffset());
2647 }
2648
2649 // ------------------------------ BreakNode ------------------------------------
2650
2651 Label* BreakNode::trivialTarget(BytecodeGenerator& generator)
2652 {
2653     if (generator.shouldEmitDebugHooks())
2654         return 0;
2655
2656     LabelScopePtr scope = generator.breakTarget(m_ident);
2657     ASSERT(scope);
2658
2659     if (generator.scopeDepth() != scope->scopeDepth())
2660         return 0;
2661
2662     return scope->breakTarget();
2663 }
2664
2665 void BreakNode::emitBytecode(BytecodeGenerator& generator, RegisterID*)
2666 {
2667     generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
2668     
2669     LabelScopePtr scope = generator.breakTarget(m_ident);
2670     ASSERT(scope);
2671
2672     generator.emitPopScopes(generator.scopeRegister(), scope->scopeDepth());
2673     generator.emitJump(scope->breakTarget());
2674
2675     generator.emitProfileControlFlow(endOffset());
2676 }
2677
2678 // ------------------------------ ReturnNode -----------------------------------
2679
2680 void ReturnNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
2681 {
2682     generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
2683     ASSERT(generator.codeType() == FunctionCode);
2684
2685     if (dst == generator.ignoredResult())
2686         dst = 0;
2687
2688     RefPtr<RegisterID> returnRegister = m_value ? generator.emitNode(dst, m_value) : generator.emitLoad(dst, jsUndefined());
2689     if (generator.vm()->typeProfiler()) {
2690         generator.emitProfileType(returnRegister.get(), ProfileTypeBytecodeFunctionReturnStatement, nullptr);
2691         generator.emitTypeProfilerExpressionInfo(divotStart(), divotEnd());
2692     }
2693     if (generator.scopeDepth()) {
2694         returnRegister = generator.emitMove(generator.newTemporary(), returnRegister.get());
2695         generator.emitPopScopes(generator.scopeRegister(), 0);
2696     }
2697
2698     generator.emitDebugHook(WillLeaveCallFrame, lastLine(), startOffset(), lineStartOffset());
2699     generator.emitReturn(returnRegister.get());
2700     generator.emitProfileControlFlow(endOffset()); 
2701     // Emitting an unreachable return here is needed in case this op_profile_control_flow is the 
2702     // last opcode in a CodeBlock because a CodeBlock's instructions must end with a terminal opcode.
2703     if (generator.vm()->controlFlowProfiler())
2704         generator.emitReturn(generator.emitLoad(nullptr, jsUndefined()));
2705 }
2706
2707 // ------------------------------ WithNode -------------------------------------
2708
2709 void WithNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
2710 {
2711     generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
2712
2713     RefPtr<RegisterID> scope = generator.emitNode(m_expr);
2714     generator.emitExpressionInfo(m_divot, m_divot - m_expressionLength, m_divot);
2715     generator.emitPushWithScope(generator.scopeRegister(), scope.get());
2716     generator.emitNode(dst, m_statement);
2717     generator.emitPopScope(generator.scopeRegister());
2718 }
2719
2720 // ------------------------------ CaseClauseNode --------------------------------
2721
2722 inline void CaseClauseNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
2723 {
2724     generator.emitProfileControlFlow(m_startOffset);
2725     if (!m_statements)
2726         return;
2727     m_statements->emitBytecode(generator, dst);
2728 }
2729
2730 // ------------------------------ CaseBlockNode --------------------------------
2731
2732 enum SwitchKind { 
2733     SwitchUnset = 0,
2734     SwitchNumber = 1, 
2735     SwitchString = 2, 
2736     SwitchNeither = 3 
2737 };
2738
2739 static void processClauseList(ClauseListNode* list, Vector<ExpressionNode*, 8>& literalVector, SwitchKind& typeForTable, bool& singleCharacterSwitch, int32_t& min_num, int32_t& max_num)
2740 {
2741     for (; list; list = list->getNext()) {
2742         ExpressionNode* clauseExpression = list->getClause()->expr();
2743         literalVector.append(clauseExpression);
2744         if (clauseExpression->isNumber()) {
2745             double value = static_cast<NumberNode*>(clauseExpression)->value();
2746             int32_t intVal = static_cast<int32_t>(value);
2747             if ((typeForTable & ~SwitchNumber) || (intVal != value)) {
2748                 typeForTable = SwitchNeither;
2749                 break;
2750             }
2751             if (intVal < min_num)
2752                 min_num = intVal;
2753             if (intVal > max_num)
2754                 max_num = intVal;
2755             typeForTable = SwitchNumber;
2756             continue;
2757         }
2758         if (clauseExpression->isString()) {
2759             if (typeForTable & ~SwitchString) {
2760                 typeForTable = SwitchNeither;
2761                 break;
2762             }
2763             const String& value = static_cast<StringNode*>(clauseExpression)->value().string();
2764             if (singleCharacterSwitch &= value.length() == 1) {
2765                 int32_t intVal = value[0];
2766                 if (intVal < min_num)
2767                     min_num = intVal;
2768                 if (intVal > max_num)
2769                     max_num = intVal;
2770             }
2771             typeForTable = SwitchString;
2772             continue;
2773         }
2774         typeForTable = SwitchNeither;
2775         break;        
2776     }
2777 }
2778
2779 static inline size_t length(ClauseListNode* list1, ClauseListNode* list2)
2780 {
2781     size_t length = 0;
2782     for (ClauseListNode* node = list1; node; node = node->getNext())
2783         ++length;
2784     for (ClauseListNode* node = list2; node; node = node->getNext())
2785         ++length;
2786     return length;
2787 }
2788
2789 SwitchInfo::SwitchType CaseBlockNode::tryTableSwitch(Vector<ExpressionNode*, 8>& literalVector, int32_t& min_num, int32_t& max_num)
2790 {
2791     if (length(m_list1, m_list2) < s_tableSwitchMinimum)
2792         return SwitchInfo::SwitchNone;
2793
2794     SwitchKind typeForTable = SwitchUnset;
2795     bool singleCharacterSwitch = true;
2796     
2797     processClauseList(m_list1, literalVector, typeForTable, singleCharacterSwitch, min_num, max_num);
2798     processClauseList(m_list2, literalVector, typeForTable, singleCharacterSwitch, min_num, max_num);
2799     
2800     if (typeForTable == SwitchUnset || typeForTable == SwitchNeither)
2801         return SwitchInfo::SwitchNone;
2802     
2803     if (typeForTable == SwitchNumber) {
2804         int32_t range = max_num - min_num;
2805         if (min_num <= max_num && range <= 1000 && (range / literalVector.size()) < 10)
2806             return SwitchInfo::SwitchImmediate;
2807         return SwitchInfo::SwitchNone;
2808     } 
2809     
2810     ASSERT(typeForTable == SwitchString);
2811     
2812     if (singleCharacterSwitch) {
2813         int32_t range = max_num - min_num;
2814         if (min_num <= max_num && range <= 1000 && (range / literalVector.size()) < 10)
2815             return SwitchInfo::SwitchCharacter;
2816     }
2817
2818     return SwitchInfo::SwitchString;
2819 }
2820
2821 void CaseBlockNode::emitBytecodeForBlock(BytecodeGenerator& generator, RegisterID* switchExpression, RegisterID* dst)
2822 {
2823     RefPtr<Label> defaultLabel;
2824     Vector<RefPtr<Label>, 8> labelVector;
2825     Vector<ExpressionNode*, 8> literalVector;
2826     int32_t min_num = std::numeric_limits<int32_t>::max();
2827     int32_t max_num = std::numeric_limits<int32_t>::min();
2828     SwitchInfo::SwitchType switchType = tryTableSwitch(literalVector, min_num, max_num);
2829
2830     if (switchType != SwitchInfo::SwitchNone) {
2831         // Prepare the various labels
2832         for (uint32_t i = 0; i < literalVector.size(); i++)
2833             labelVector.append(generator.newLabel());
2834         defaultLabel = generator.newLabel();
2835         generator.beginSwitch(switchExpression, switchType);
2836     } else {
2837         // Setup jumps
2838         for (ClauseListNode* list = m_list1; list; list = list->getNext()) {
2839             RefPtr<RegisterID> clauseVal = generator.newTemporary();
2840             generator.emitNode(clauseVal.get(), list->getClause()->expr());
2841             generator.emitBinaryOp(op_stricteq, clauseVal.get(), clauseVal.get(), switchExpression, OperandTypes());
2842             labelVector.append(generator.newLabel());
2843             generator.emitJumpIfTrue(clauseVal.get(), labelVector[labelVector.size() - 1].get());
2844         }
2845         
2846         for (ClauseListNode* list = m_list2; list; list = list->getNext()) {
2847             RefPtr<RegisterID> clauseVal = generator.newTemporary();
2848             generator.emitNode(clauseVal.get(), list->getClause()->expr());
2849             generator.emitBinaryOp(op_stricteq, clauseVal.get(), clauseVal.get(), switchExpression, OperandTypes());
2850             labelVector.append(generator.newLabel());
2851             generator.emitJumpIfTrue(clauseVal.get(), labelVector[labelVector.size() - 1].get());
2852         }
2853         defaultLabel = generator.newLabel();
2854         generator.emitJump(defaultLabel.get());
2855     }
2856
2857     size_t i = 0;
2858     for (ClauseListNode* list = m_list1; list; list = list->getNext()) {
2859         generator.emitLabel(labelVector[i++].get());
2860         list->getClause()->emitBytecode(generator, dst);
2861     }
2862
2863     if (m_defaultClause) {
2864         generator.emitLabel(defaultLabel.get());
2865         m_defaultClause->emitBytecode(generator, dst);
2866     }
2867
2868     for (ClauseListNode* list = m_list2; list; list = list->getNext()) {
2869         generator.emitLabel(labelVector[i++].get());
2870         list->getClause()->emitBytecode(generator, dst);
2871     }
2872     if (!m_defaultClause)
2873         generator.emitLabel(defaultLabel.get());
2874
2875     ASSERT(i == labelVector.size());
2876     if (switchType != SwitchInfo::SwitchNone) {
2877         ASSERT(labelVector.size() == literalVector.size());
2878         generator.endSwitch(labelVector.size(), labelVector.data(), literalVector.data(), defaultLabel.get(), min_num, max_num);
2879     }
2880 }
2881
2882 // ------------------------------ SwitchNode -----------------------------------
2883
2884 void SwitchNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
2885 {
2886     generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
2887     
2888     LabelScopePtr scope = generator.newLabelScope(LabelScope::Switch);
2889
2890     RefPtr<RegisterID> r0 = generator.emitNode(m_expr);
2891
2892     generator.pushLexicalScope(this, false);
2893     m_block->emitBytecodeForBlock(generator, r0.get(), dst);
2894     generator.popLexicalScope(this);
2895
2896     generator.emitLabel(scope->breakTarget());
2897     generator.emitProfileControlFlow(endOffset());
2898 }
2899
2900 // ------------------------------ LabelNode ------------------------------------
2901
2902 void LabelNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
2903 {
2904     generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
2905
2906     ASSERT(!generator.breakTarget(m_name));
2907
2908     LabelScopePtr scope = generator.newLabelScope(LabelScope::NamedLabel, &m_name);
2909     generator.emitNode(dst, m_statement);
2910
2911     generator.emitLabel(scope->breakTarget());
2912 }
2913
2914 // ------------------------------ ThrowNode ------------------------------------
2915
2916 void ThrowNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
2917 {
2918     generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
2919
2920     if (dst == generator.ignoredResult())
2921         dst = 0;
2922     RefPtr<RegisterID> expr = generator.emitNode(m_expr);
2923     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
2924     generator.emitThrow(expr.get());
2925
2926     generator.emitProfileControlFlow(endOffset()); 
2927 }
2928
2929 // ------------------------------ TryNode --------------------------------------
2930
2931 void TryNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
2932 {
2933     // NOTE: The catch and finally blocks must be labeled explicitly, so the
2934     // optimizer knows they may be jumped to from anywhere.
2935
2936     generator.emitDebugHook(WillExecuteStatement, firstLine(), startOffset(), lineStartOffset());
2937
2938     ASSERT(m_catchBlock || m_finallyBlock);
2939
2940     RefPtr<Label> tryStartLabel = generator.newLabel();
2941     generator.emitLabel(tryStartLabel.get());
2942     
2943     if (m_finallyBlock)
2944         generator.pushFinallyContext(m_finallyBlock);
2945     TryData* tryData = generator.pushTry(tryStartLabel.get());
2946
2947     generator.emitNode(dst, m_tryBlock);
2948
2949     if (m_catchBlock) {
2950         RefPtr<Label> catchEndLabel = generator.newLabel();
2951         
2952         // Normal path: jump over the catch block.
2953         generator.emitJump(catchEndLabel.get());
2954
2955         // Uncaught exception path: the catch block.
2956         RefPtr<Label> here = generator.emitLabel(generator.newLabel().get());
2957         RefPtr<RegisterID> exceptionRegister = generator.newTemporary();
2958         RefPtr<RegisterID> thrownValueRegister = generator.newTemporary();
2959         generator.popTryAndEmitCatch(tryData, exceptionRegister.get(), thrownValueRegister.get(), here.get(), HandlerType::Catch);
2960         
2961         if (m_finallyBlock) {
2962             // If the catch block throws an exception and we have a finally block, then the finally
2963             // block should "catch" that exception.
2964             tryData = generator.pushTry(here.get());
2965         }
2966
2967         generator.emitPushCatchScope(generator.scopeRegister(), m_thrownValueIdent, thrownValueRegister.get(), DontDelete);
2968         generator.emitProfileControlFlow(m_tryBlock->endOffset() + 1);
2969         generator.emitNode(dst, m_catchBlock);
2970         generator.emitPopScope(generator.scopeRegister());
2971         generator.emitLabel(catchEndLabel.get());
2972     }
2973
2974     if (m_finallyBlock) {
2975         RefPtr<Label> preFinallyLabel = generator.emitLabel(generator.newLabel().get());
2976         
2977         generator.popFinallyContext();
2978
2979         RefPtr<Label> finallyEndLabel = generator.newLabel();
2980
2981         int finallyStartOffset = m_catchBlock ? m_catchBlock->endOffset() + 1 : m_tryBlock->endOffset() + 1;
2982
2983         // Normal path: run the finally code, and jump to the end.
2984         generator.emitProfileControlFlow(finallyStartOffset);
2985         generator.emitNode(dst, m_finallyBlock);
2986         generator.emitProfileControlFlow(m_finallyBlock->endOffset() + 1);
2987         generator.emitJump(finallyEndLabel.get());
2988
2989         // Uncaught exception path: invoke the finally block, then re-throw the exception.
2990         RefPtr<RegisterID> exceptionRegister = generator.newTemporary();
2991         RefPtr<RegisterID> thrownValueRegister = generator.newTemporary();
2992         generator.popTryAndEmitCatch(tryData, exceptionRegister.get(), thrownValueRegister.get(), preFinallyLabel.get(), HandlerType::Finally);
2993         generator.emitProfileControlFlow(finallyStartOffset);
2994         generator.emitNode(dst, m_finallyBlock);
2995         generator.emitThrow(exceptionRegister.get());
2996
2997         generator.emitLabel(finallyEndLabel.get());
2998         generator.emitProfileControlFlow(m_finallyBlock->endOffset() + 1);
2999     } else
3000         generator.emitProfileControlFlow(m_catchBlock->endOffset() + 1);
3001
3002 }
3003
3004 // ------------------------------ ScopeNode -----------------------------
3005
3006 inline void ScopeNode::emitStatementsBytecode(BytecodeGenerator& generator, RegisterID* dst)
3007 {
3008     if (!m_statements)
3009         return;
3010     m_statements->emitBytecode(generator, dst);
3011 }
3012
3013 // ------------------------------ ProgramNode -----------------------------
3014
3015 void ProgramNode::emitBytecode(BytecodeGenerator& generator, RegisterID*)
3016 {
3017     generator.emitDebugHook(WillExecuteProgram, startLine(), startStartOffset(), startLineStartOffset());
3018
3019     RefPtr<RegisterID> dstRegister = generator.newTemporary();
3020     generator.emitLoad(dstRegister.get(), jsUndefined());
3021     generator.emitProfileControlFlow(startStartOffset());
3022     emitStatementsBytecode(generator, dstRegister.get());
3023
3024     generator.emitDebugHook(DidExecuteProgram, lastLine(), startOffset(), lineStartOffset());
3025     generator.emitEnd(dstRegister.get());
3026 }
3027
3028 // ------------------------------ EvalNode -----------------------------
3029
3030 void EvalNode::emitBytecode(BytecodeGenerator& generator, RegisterID*)
3031 {
3032     generator.emitDebugHook(WillExecuteProgram, startLine(), startStartOffset(), startLineStartOffset());
3033
3034     RefPtr<RegisterID> dstRegister = generator.newTemporary();
3035     generator.emitLoad(dstRegister.get(), jsUndefined());
3036     emitStatementsBytecode(generator, dstRegister.get());
3037
3038     generator.emitDebugHook(DidExecuteProgram, lastLine(), startOffset(), lineStartOffset());
3039     generator.emitEnd(dstRegister.get());
3040 }
3041
3042 // ------------------------------ FunctionBodyNode -----------------------------
3043
3044 void FunctionBodyNode::emitBytecode(BytecodeGenerator&, RegisterID*)
3045 {
3046 }
3047
3048 void FunctionNode::emitBytecode(BytecodeGenerator& generator, RegisterID*)
3049 {
3050     if (generator.vm()->typeProfiler()) {
3051         for (size_t i = 0; i < m_parameters->size(); i++) {
3052             // FIXME: Handle Destructuring assignments into arguments.
3053             if (!m_parameters->at(i)->isBindingNode())
3054                 continue;
3055             BindingNode* parameter = static_cast<BindingNode*>(m_parameters->at(i));
3056             RegisterID reg(CallFrame::argumentOffset(i));
3057             generator.emitProfileType(&reg, ProfileTypeBytecodeFunctionArgument, nullptr);
3058             generator.emitTypeProfilerExpressionInfo(parameter->divotStart(), parameter->divotEnd());
3059         }
3060     }
3061
3062     generator.emitProfileControlFlow(startStartOffset());
3063     generator.emitDebugHook(DidEnterCallFrame, startLine(), startStartOffset(), startLineStartOffset());
3064     emitStatementsBytecode(generator, generator.ignoredResult());
3065
3066     StatementNode* singleStatement = this->singleStatement();
3067     ReturnNode* returnNode = 0;
3068
3069     // Check for a return statement at the end of a function composed of a single block.
3070     if (singleStatement && singleStatement->isBlock()) {
3071         StatementNode* lastStatementInBlock = static_cast<BlockNode*>(singleStatement)->lastStatement();
3072         if (lastStatementInBlock && lastStatementInBlock->isReturnNode())
3073             returnNode = static_cast<ReturnNode*>(lastStatementInBlock);
3074     }
3075
3076     // If there is no return we must automatically insert one.
3077     if (!returnNode) {
3078         RegisterID* r0 = generator.isConstructor() ? generator.thisRegister() : generator.emitLoad(0, jsUndefined());
3079         if (generator.vm()->typeProfiler())
3080             generator.emitProfileType(r0, ProfileTypeBytecodeFunctionReturnStatement, nullptr); // Do not emit expression info for this profile because it's not in the user's source code.
3081         ASSERT(startOffset() >= lineStartOffset());
3082         generator.emitDebugHook(WillLeaveCallFrame, lastLine(), startOffset(), lineStartOffset());
3083         generator.emitReturn(r0);
3084         return;
3085     }
3086 }
3087
3088 // ------------------------------ FuncDeclNode ---------------------------------
3089
3090 void FuncDeclNode::emitBytecode(BytecodeGenerator&, RegisterID*)
3091 {
3092 }
3093
3094 // ------------------------------ FuncExprNode ---------------------------------
3095
3096 RegisterID* FuncExprNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
3097 {
3098     return generator.emitNewFunctionExpression(generator.finalDestination(dst), this);
3099 }
3100
3101 #if ENABLE(ES6_CLASS_SYNTAX)
3102 // ------------------------------ ClassDeclNode ---------------------------------
3103
3104 void ClassDeclNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
3105 {
3106     generator.emitNode(dst, m_classDeclaration);
3107 }
3108
3109 // ------------------------------ ClassExprNode ---------------------------------
3110
3111 RegisterID* ClassExprNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
3112 {
3113     RefPtr<RegisterID> superclass;
3114     if (m_classHeritage) {
3115         superclass = generator.newTemporary();
3116         generator.emitNode(superclass.get(), m_classHeritage);
3117     }
3118
3119     RefPtr<RegisterID> constructor;
3120
3121     // FIXME: Make the prototype non-configurable & non-writable.
3122     if (m_constructorExpression)
3123         constructor = generator.emitNode(dst, m_constructorExpression);
3124     else {
3125         constructor = generator.emitNewDefaultConstructor(generator.finalDestination(dst),
3126             m_classHeritage ? ConstructorKind::Derived : ConstructorKind::Base, m_name);
3127     }
3128
3129     const auto& propertyNames = generator.propertyNames();
3130     RefPtr<RegisterID> prototype = generator.emitNewObject(generator.newTemporary());
3131
3132     if (superclass) {
3133         RefPtr<RegisterID> protoParent = generator.newTemporary();
3134         generator.emitLoad(protoParent.get(), jsNull());
3135
3136         RefPtr<RegisterID> tempRegister = generator.newTemporary();
3137
3138         // FIXME: Throw TypeError if it's a generator function.
3139         RefPtr<Label> superclassIsUndefinedLabel = generator.newLabel();
3140         generator.emitJumpIfTrue(generator.emitIsUndefined(tempRegister.get(), superclass.get()), superclassIsUndefinedLabel.get());
3141
3142         RefPtr<Label> superclassIsNullLabel = generator.newLabel();
3143         generator.emitJumpIfTrue(generator.emitUnaryOp(op_eq_null, tempRegister.get(), superclass.get()), superclassIsNullLabel.get());
3144
3145         RefPtr<Label> superclassIsObjectLabel = generator.newLabel();
3146         generator.emitJumpIfTrue(generator.emitIsObject(tempRegister.get(), superclass.get()), superclassIsObjectLabel.get());
3147         generator.emitLabel(superclassIsUndefinedLabel.get());
3148         generator.emitThrowTypeError(ASCIILiteral("The superclass is not an object."));
3149         generator.emitLabel(superclassIsObjectLabel.get());
3150         generator.emitGetById(protoParent.get(), superclass.get(), generator.propertyNames().prototype);
3151
3152         RefPtr<Label> protoParentIsObjectOrNullLabel = generator.newLabel();
3153         generator.emitJumpIfTrue(generator.emitUnaryOp(op_is_object_or_null, tempRegister.get(), protoParent.get()), protoParentIsObjectOrNullLabel.get());
3154         generator.emitThrowTypeError(ASCIILiteral("The superclass's prototype is not an object."));
3155         generator.emitLabel(protoParentIsObjectOrNullLabel.get());
3156
3157         generator.emitDirectPutById(constructor.get(), generator.propertyNames().underscoreProto, superclass.get(), PropertyNode::Unknown);
3158         generator.emitLabel(superclassIsNullLabel.get());
3159         generator.emitDirectPutById(prototype.get(), generator.propertyNames().underscoreProto, protoParent.get(), PropertyNode::Unknown);
3160
3161         emitPutHomeObject(generator, constructor.get(), prototype.get());
3162     }
3163
3164     RefPtr<RegisterID> constructorNameRegister = generator.emitLoad(generator.newTemporary(), propertyNames.constructor);
3165     generator.emitCallDefineProperty(prototype.get(), constructorNameRegister.get(), constructor.get(), nullptr, nullptr,
3166         BytecodeGenerator::PropertyConfigurable | BytecodeGenerator::PropertyWritable, m_position);
3167
3168     RefPtr<RegisterID> prototypeNameRegister = generator.emitLoad(generator.newTemporary(), propertyNames.prototype);
3169     generator.emitCallDefineProperty(constructor.get(), prototypeNameRegister.get(), prototype.get(), nullptr, nullptr, 0, m_position);
3170
3171     if (m_staticMethods)
3172         generator.emitNode(constructor.get(), m_staticMethods);
3173
3174     if (m_instanceMethods)
3175         generator.emitNode(prototype.get(), m_instanceMethods);
3176
3177     return generator.moveToDestinationIfNeeded(dst, constructor.get());
3178 }
3179 #endif
3180     
3181 // ------------------------------ DestructuringAssignmentNode -----------------
3182 RegisterID* DestructuringAssignmentNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
3183 {
3184     if (RegisterID* result = m_bindings->emitDirectBinding(generator, dst, m_initializer))
3185         return result;
3186     RefPtr<RegisterID> initializer = generator.tempDestination(dst);
3187     generator.emitNode(initializer.get(), m_initializer);
3188     m_bindings->bindValue(generator, initializer.get());
3189     return generator.moveToDestinationIfNeeded(dst, initializer.get());
3190 }
3191
3192 DestructuringPatternNode::~DestructuringPatternNode()
3193 {
3194 }
3195
3196 static void assignDefaultValueIfUndefined(BytecodeGenerator& generator, RegisterID* maybeUndefined, ExpressionNode* defaultValue)
3197 {
3198     ASSERT(defaultValue);
3199     RefPtr<Label> isNotUndefined = generator.newLabel();
3200     generator.emitJumpIfFalse(generator.emitIsUndefined(generator.newTemporary(), maybeUndefined), isNotUndefined.get());
3201     generator.emitNode(maybeUndefined, defaultValue);
3202     generator.emitLabel(isNotUndefined.get());
3203 }
3204
3205 void ArrayPatternNode::bindValue(BytecodeGenerator& generator, RegisterID* rhs) const
3206 {
3207     RefPtr<RegisterID> iterator = generator.newTemporary();
3208     {
3209         generator.emitGetById(iterator.get(), rhs, generator.propertyNames().iteratorSymbol);
3210         CallArguments args(generator, nullptr);
3211         generator.emitMove(args.thisRegister(), rhs);
3212         generator.emitCall(iterator.get(), iterator.get(), NoExpectedFunction, args, divot(), divotStart(), divotEnd());
3213     }
3214
3215     if (m_targetPatterns.isEmpty()) {
3216         generator.emitIteratorClose(iterator.get(), this);
3217         return;
3218     }
3219
3220     RefPtr<RegisterID> done;
3221     for (auto& target : m_targetPatterns) {
3222         switch (target.bindingType) {
3223         case BindingType::Elision: