Hook up ShadowChicken to the debugger to show tail deleted frames
[WebKit-https.git] / Source / JavaScriptCore / llint / LLIntSlowPaths.cpp
1 /*
2  * Copyright (C) 2011-2016 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "LLIntSlowPaths.h"
28
29 #include "ArrayConstructor.h"
30 #include "CallFrame.h"
31 #include "CommonSlowPaths.h"
32 #include "CommonSlowPathsExceptions.h"
33 #include "Error.h"
34 #include "ErrorHandlingScope.h"
35 #include "Exception.h"
36 #include "ExceptionFuzz.h"
37 #include "FunctionWhitelist.h"
38 #include "GetterSetter.h"
39 #include "HostCallReturnValue.h"
40 #include "Interpreter.h"
41 #include "JIT.h"
42 #include "JITExceptions.h"
43 #include "JSLexicalEnvironment.h"
44 #include "JSCInlines.h"
45 #include "JSCJSValue.h"
46 #include "JSGeneratorFunction.h"
47 #include "JSGlobalObjectFunctions.h"
48 #include "JSStackInlines.h"
49 #include "JSString.h"
50 #include "JSWithScope.h"
51 #include "LLIntCommon.h"
52 #include "LLIntExceptions.h"
53 #include "LegacyProfiler.h"
54 #include "LowLevelInterpreter.h"
55 #include "ObjectConstructor.h"
56 #include "ProtoCallFrame.h"
57 #include "ShadowChicken.h"
58 #include "StructureRareDataInlines.h"
59 #include "VMInlines.h"
60 #include <wtf/NeverDestroyed.h>
61 #include <wtf/StringPrintStream.h>
62
63 namespace JSC { namespace LLInt {
64
65 #define LLINT_BEGIN_NO_SET_PC() \
66     VM& vm = exec->vm();      \
67     NativeCallFrameTracer tracer(&vm, exec)
68
69 #ifndef NDEBUG
70 #define LLINT_SET_PC_FOR_STUBS() do { \
71         exec->codeBlock()->bytecodeOffset(pc); \
72         exec->setCurrentVPC(pc); \
73     } while (false)
74 #else
75 #define LLINT_SET_PC_FOR_STUBS() do { \
76         exec->setCurrentVPC(pc); \
77     } while (false)
78 #endif
79
80 #define LLINT_BEGIN()                           \
81     LLINT_BEGIN_NO_SET_PC();                    \
82     LLINT_SET_PC_FOR_STUBS()
83
84 #define LLINT_OP(index) (exec->uncheckedR(pc[index].u.operand))
85 #define LLINT_OP_C(index) (exec->r(pc[index].u.operand))
86
87 #define LLINT_RETURN_TWO(first, second) do {       \
88         return encodeResult(first, second);        \
89     } while (false)
90
91 #define LLINT_END_IMPL() LLINT_RETURN_TWO(pc, 0)
92
93 #define LLINT_THROW(exceptionToThrow) do {                        \
94         vm.throwException(exec, exceptionToThrow);                \
95         pc = returnToThrow(exec);                                 \
96         LLINT_END_IMPL();                                         \
97     } while (false)
98
99 #define LLINT_CHECK_EXCEPTION() do {                    \
100         doExceptionFuzzingIfEnabled(exec, "LLIntSlowPaths", pc);    \
101         if (UNLIKELY(vm.exception())) {                 \
102             pc = returnToThrow(exec);                   \
103             LLINT_END_IMPL();                           \
104         }                                               \
105     } while (false)
106
107 #define LLINT_END() do {                        \
108         LLINT_CHECK_EXCEPTION();                \
109         LLINT_END_IMPL();                       \
110     } while (false)
111
112 #define LLINT_BRANCH(opcode, condition) do {                      \
113         bool __b_condition = (condition);                         \
114         LLINT_CHECK_EXCEPTION();                                  \
115         if (__b_condition)                                        \
116             pc += pc[OPCODE_LENGTH(opcode) - 1].u.operand;        \
117         else                                                      \
118             pc += OPCODE_LENGTH(opcode);                          \
119         LLINT_END_IMPL();                                         \
120     } while (false)
121
122 #define LLINT_RETURN(value) do {                \
123         JSValue __r_returnValue = (value);      \
124         LLINT_CHECK_EXCEPTION();                \
125         LLINT_OP(1) = __r_returnValue;          \
126         LLINT_END_IMPL();                       \
127     } while (false)
128
129 #define LLINT_RETURN_WITH_PC_ADJUSTMENT(value, pcAdjustment) do { \
130         JSValue __r_returnValue = (value);      \
131         LLINT_CHECK_EXCEPTION();                \
132         LLINT_OP(1) = __r_returnValue;          \
133         pc += (pcAdjustment);                   \
134         LLINT_END_IMPL();                       \
135     } while (false)
136
137 #define LLINT_RETURN_PROFILED(opcode, value) do {               \
138         JSValue __rp_returnValue = (value);                     \
139         LLINT_CHECK_EXCEPTION();                                \
140         LLINT_OP(1) = __rp_returnValue;                         \
141         LLINT_PROFILE_VALUE(opcode, __rp_returnValue);          \
142         LLINT_END_IMPL();                                       \
143     } while (false)
144
145 #define LLINT_PROFILE_VALUE(opcode, value) do { \
146         pc[OPCODE_LENGTH(opcode) - 1].u.profile->m_buckets[0] = \
147         JSValue::encode(value);                  \
148     } while (false)
149
150 #define LLINT_CALL_END_IMPL(exec, callTarget) LLINT_RETURN_TWO((callTarget), (exec))
151
152 #define LLINT_CALL_THROW(exec, exceptionToThrow) do {                   \
153         ExecState* __ct_exec = (exec);                                  \
154         vm.throwException(__ct_exec, exceptionToThrow);                 \
155         LLINT_CALL_END_IMPL(0, callToThrow(__ct_exec));                 \
156     } while (false)
157
158 #define LLINT_CALL_CHECK_EXCEPTION(exec, execCallee) do {               \
159         ExecState* __cce_exec = (exec);                                 \
160         ExecState* __cce_execCallee = (execCallee);                     \
161         doExceptionFuzzingIfEnabled(__cce_exec, "LLIntSlowPaths/call", nullptr); \
162         if (UNLIKELY(vm.exception()))                                   \
163             LLINT_CALL_END_IMPL(0, callToThrow(__cce_execCallee));      \
164     } while (false)
165
166 #define LLINT_CALL_RETURN(exec, execCallee, callTarget) do {            \
167         ExecState* __cr_exec = (exec);                                  \
168         ExecState* __cr_execCallee = (execCallee);                      \
169         void* __cr_callTarget = (callTarget);                           \
170         LLINT_CALL_CHECK_EXCEPTION(__cr_exec, __cr_execCallee);         \
171         LLINT_CALL_END_IMPL(__cr_execCallee, __cr_callTarget);          \
172     } while (false)
173
174 #define LLINT_RETURN_CALLEE_FRAME(execCallee) do {                      \
175         ExecState* __rcf_exec = (execCallee);                           \
176         LLINT_RETURN_TWO(pc, __rcf_exec);                               \
177     } while (false)
178     
179 extern "C" SlowPathReturnType llint_trace_operand(ExecState* exec, Instruction* pc, int fromWhere, int operand)
180 {
181     LLINT_BEGIN();
182     dataLogF("%p / %p: executing bc#%zu, op#%u: Trace(%d): %d: %d\n",
183             exec->codeBlock(),
184             exec,
185             static_cast<intptr_t>(pc - exec->codeBlock()->instructions().begin()),
186             exec->vm().interpreter->getOpcodeID(pc[0].u.opcode),
187             fromWhere,
188             operand,
189             pc[operand].u.operand);
190     LLINT_END();
191 }
192
193 extern "C" SlowPathReturnType llint_trace_value(ExecState* exec, Instruction* pc, int fromWhere, int operand)
194 {
195     JSValue value = LLINT_OP_C(operand).jsValue();
196     union {
197         struct {
198             uint32_t tag;
199             uint32_t payload;
200         } bits;
201         EncodedJSValue asValue;
202     } u;
203     u.asValue = JSValue::encode(value);
204     dataLogF(
205         "%p / %p: executing bc#%zu, op#%u: Trace(%d): %d: %d: %08x:%08x: %s\n",
206         exec->codeBlock(),
207         exec,
208         static_cast<intptr_t>(pc - exec->codeBlock()->instructions().begin()),
209         exec->vm().interpreter->getOpcodeID(pc[0].u.opcode),
210         fromWhere,
211         operand,
212         pc[operand].u.operand,
213         u.bits.tag,
214         u.bits.payload,
215         toCString(value).data());
216     LLINT_END_IMPL();
217 }
218
219 LLINT_SLOW_PATH_DECL(trace_prologue)
220 {
221     dataLogF("%p / %p: in prologue.\n", exec->codeBlock(), exec);
222     LLINT_END_IMPL();
223 }
224
225 static void traceFunctionPrologue(ExecState* exec, const char* comment, CodeSpecializationKind kind)
226 {
227     JSFunction* callee = jsCast<JSFunction*>(exec->callee());
228     FunctionExecutable* executable = callee->jsExecutable();
229     CodeBlock* codeBlock = executable->codeBlockFor(kind);
230     dataLogF("%p / %p: in %s of function %p, executable %p; numVars = %u, numParameters = %u, numCalleeLocals = %u, caller = %p.\n",
231             codeBlock, exec, comment, callee, executable,
232             codeBlock->m_numVars, codeBlock->numParameters(), codeBlock->m_numCalleeLocals,
233             exec->callerFrame());
234 }
235
236 LLINT_SLOW_PATH_DECL(trace_prologue_function_for_call)
237 {
238     traceFunctionPrologue(exec, "call prologue", CodeForCall);
239     LLINT_END_IMPL();
240 }
241
242 LLINT_SLOW_PATH_DECL(trace_prologue_function_for_construct)
243 {
244     traceFunctionPrologue(exec, "construct prologue", CodeForConstruct);
245     LLINT_END_IMPL();
246 }
247
248 LLINT_SLOW_PATH_DECL(trace_arityCheck_for_call)
249 {
250     traceFunctionPrologue(exec, "call arity check", CodeForCall);
251     LLINT_END_IMPL();
252 }
253
254 LLINT_SLOW_PATH_DECL(trace_arityCheck_for_construct)
255 {
256     traceFunctionPrologue(exec, "construct arity check", CodeForConstruct);
257     LLINT_END_IMPL();
258 }
259
260 LLINT_SLOW_PATH_DECL(trace)
261 {
262     dataLogF("%p / %p: executing bc#%zu, %s, pc = %p\n",
263             exec->codeBlock(),
264             exec,
265             static_cast<intptr_t>(pc - exec->codeBlock()->instructions().begin()),
266             opcodeNames[exec->vm().interpreter->getOpcodeID(pc[0].u.opcode)], pc);
267     if (exec->vm().interpreter->getOpcodeID(pc[0].u.opcode) == op_enter) {
268         dataLogF("Frame will eventually return to %p\n", exec->returnPC().value());
269         *bitwise_cast<volatile char*>(exec->returnPC().value());
270     }
271     if (exec->vm().interpreter->getOpcodeID(pc[0].u.opcode) == op_ret) {
272         dataLogF("Will be returning to %p\n", exec->returnPC().value());
273         dataLogF("The new cfr will be %p\n", exec->callerFrame());
274     }
275     LLINT_END_IMPL();
276 }
277
278 LLINT_SLOW_PATH_DECL(special_trace)
279 {
280     dataLogF("%p / %p: executing special case bc#%zu, op#%u, return PC is %p\n",
281             exec->codeBlock(),
282             exec,
283             static_cast<intptr_t>(pc - exec->codeBlock()->instructions().begin()),
284             exec->vm().interpreter->getOpcodeID(pc[0].u.opcode),
285             exec->returnPC().value());
286     LLINT_END_IMPL();
287 }
288
289 enum EntryKind { Prologue, ArityCheck };
290
291 #if ENABLE(JIT)
292 static FunctionWhitelist& ensureGlobalJITWhitelist()
293 {
294     static LazyNeverDestroyed<FunctionWhitelist> baselineWhitelist;
295     static std::once_flag initializeWhitelistFlag;
296     std::call_once(initializeWhitelistFlag, [] {
297         const char* functionWhitelistFile = Options::jitWhitelist();
298         baselineWhitelist.construct(functionWhitelistFile);
299     });
300     return baselineWhitelist;
301 }
302
303 inline bool shouldJIT(ExecState* exec, CodeBlock* codeBlock)
304 {
305     if (!Options::bytecodeRangeToJITCompile().isInRange(codeBlock->instructionCount())
306         || !ensureGlobalJITWhitelist().contains(codeBlock))
307         return false;
308
309     // You can modify this to turn off JITting without rebuilding the world.
310     return exec->vm().canUseJIT();
311 }
312
313 // Returns true if we should try to OSR.
314 inline bool jitCompileAndSetHeuristics(CodeBlock* codeBlock, ExecState* exec)
315 {
316     VM& vm = exec->vm();
317     DeferGCForAWhile deferGC(vm.heap); // My callers don't set top callframe, so we don't want to GC here at all.
318     
319     codeBlock->updateAllValueProfilePredictions();
320
321     if (!codeBlock->checkIfJITThresholdReached()) {
322         CODEBLOCK_LOG_EVENT(codeBlock, "delayJITCompile", ("threshold not reached, counter = ", codeBlock->llintExecuteCounter()));
323         if (Options::verboseOSR())
324             dataLogF("    JIT threshold should be lifted.\n");
325         return false;
326     }
327     
328     switch (codeBlock->jitType()) {
329     case JITCode::BaselineJIT: {
330         if (Options::verboseOSR())
331             dataLogF("    Code was already compiled.\n");
332         codeBlock->jitSoon();
333         return true;
334     }
335     case JITCode::InterpreterThunk: {
336         CompilationResult result = JIT::compile(&vm, codeBlock, JITCompilationCanFail);
337         switch (result) {
338         case CompilationFailed:
339             CODEBLOCK_LOG_EVENT(codeBlock, "delayJITCompile", ("compilation failed"));
340             if (Options::verboseOSR())
341                 dataLogF("    JIT compilation failed.\n");
342             codeBlock->dontJITAnytimeSoon();
343             return false;
344         case CompilationSuccessful:
345             if (Options::verboseOSR())
346                 dataLogF("    JIT compilation successful.\n");
347             codeBlock->ownerScriptExecutable()->installCode(codeBlock);
348             codeBlock->jitSoon();
349             return true;
350         default:
351             RELEASE_ASSERT_NOT_REACHED();
352             return false;
353         }
354     }
355     default:
356         dataLog("Unexpected code block in LLInt: ", *codeBlock, "\n");
357         RELEASE_ASSERT_NOT_REACHED();
358         return false;
359     }
360 }
361
362 static SlowPathReturnType entryOSR(ExecState* exec, Instruction*, CodeBlock* codeBlock, const char *name, EntryKind kind)
363 {
364     if (Options::verboseOSR()) {
365         dataLog(
366             *codeBlock, ": Entered ", name, " with executeCounter = ",
367             codeBlock->llintExecuteCounter(), "\n");
368     }
369     
370     if (!shouldJIT(exec, codeBlock)) {
371         codeBlock->dontJITAnytimeSoon();
372         LLINT_RETURN_TWO(0, 0);
373     }
374     if (!jitCompileAndSetHeuristics(codeBlock, exec))
375         LLINT_RETURN_TWO(0, 0);
376     
377     CODEBLOCK_LOG_EVENT(codeBlock, "OSR entry", ("in prologue"));
378     
379     if (kind == Prologue)
380         LLINT_RETURN_TWO(codeBlock->jitCode()->executableAddress(), 0);
381     ASSERT(kind == ArityCheck);
382     LLINT_RETURN_TWO(codeBlock->jitCode()->addressForCall(MustCheckArity).executableAddress(), 0);
383 }
384 #else // ENABLE(JIT)
385 static SlowPathReturnType entryOSR(ExecState* exec, Instruction*, CodeBlock* codeBlock, const char*, EntryKind)
386 {
387     codeBlock->dontJITAnytimeSoon();
388     LLINT_RETURN_TWO(0, exec);
389 }
390 #endif // ENABLE(JIT)
391
392 LLINT_SLOW_PATH_DECL(entry_osr)
393 {
394     return entryOSR(exec, pc, exec->codeBlock(), "entry_osr", Prologue);
395 }
396
397 LLINT_SLOW_PATH_DECL(entry_osr_function_for_call)
398 {
399     return entryOSR(exec, pc, jsCast<JSFunction*>(exec->callee())->jsExecutable()->codeBlockForCall(), "entry_osr_function_for_call", Prologue);
400 }
401
402 LLINT_SLOW_PATH_DECL(entry_osr_function_for_construct)
403 {
404     return entryOSR(exec, pc, jsCast<JSFunction*>(exec->callee())->jsExecutable()->codeBlockForConstruct(), "entry_osr_function_for_construct", Prologue);
405 }
406
407 LLINT_SLOW_PATH_DECL(entry_osr_function_for_call_arityCheck)
408 {
409     return entryOSR(exec, pc, jsCast<JSFunction*>(exec->callee())->jsExecutable()->codeBlockForCall(), "entry_osr_function_for_call_arityCheck", ArityCheck);
410 }
411
412 LLINT_SLOW_PATH_DECL(entry_osr_function_for_construct_arityCheck)
413 {
414     return entryOSR(exec, pc, jsCast<JSFunction*>(exec->callee())->jsExecutable()->codeBlockForConstruct(), "entry_osr_function_for_construct_arityCheck", ArityCheck);
415 }
416
417 LLINT_SLOW_PATH_DECL(loop_osr)
418 {
419     CodeBlock* codeBlock = exec->codeBlock();
420
421 #if ENABLE(JIT)
422     if (Options::verboseOSR()) {
423         dataLog(
424             *codeBlock, ": Entered loop_osr with executeCounter = ",
425             codeBlock->llintExecuteCounter(), "\n");
426     }
427     
428     if (!shouldJIT(exec, codeBlock)) {
429         codeBlock->dontJITAnytimeSoon();
430         LLINT_RETURN_TWO(0, 0);
431     }
432     
433     if (!jitCompileAndSetHeuristics(codeBlock, exec))
434         LLINT_RETURN_TWO(0, 0);
435     
436     CODEBLOCK_LOG_EVENT(codeBlock, "osrEntry", ("at bc#", pc - codeBlock->instructions().begin()));
437
438     ASSERT(codeBlock->jitType() == JITCode::BaselineJIT);
439     
440     Vector<BytecodeAndMachineOffset> map;
441     codeBlock->jitCodeMap()->decode(map);
442     BytecodeAndMachineOffset* mapping = binarySearch<BytecodeAndMachineOffset, unsigned>(map, map.size(), pc - codeBlock->instructions().begin(), BytecodeAndMachineOffset::getBytecodeIndex);
443     ASSERT(mapping);
444     ASSERT(mapping->m_bytecodeIndex == static_cast<unsigned>(pc - codeBlock->instructions().begin()));
445     
446     void* jumpTarget = codeBlock->jitCode()->executableAddressAtOffset(mapping->m_machineCodeOffset);
447     ASSERT(jumpTarget);
448     
449     LLINT_RETURN_TWO(jumpTarget, exec->topOfFrame());
450 #else // ENABLE(JIT)
451     UNUSED_PARAM(pc);
452     codeBlock->dontJITAnytimeSoon();
453     LLINT_RETURN_TWO(0, 0);
454 #endif // ENABLE(JIT)
455 }
456
457 LLINT_SLOW_PATH_DECL(replace)
458 {
459     CodeBlock* codeBlock = exec->codeBlock();
460
461 #if ENABLE(JIT)
462     if (Options::verboseOSR()) {
463         dataLog(
464             *codeBlock, ": Entered replace with executeCounter = ",
465             codeBlock->llintExecuteCounter(), "\n");
466     }
467     
468     if (shouldJIT(exec, codeBlock))
469         jitCompileAndSetHeuristics(codeBlock, exec);
470     else
471         codeBlock->dontJITAnytimeSoon();
472     LLINT_END_IMPL();
473 #else // ENABLE(JIT)
474     codeBlock->dontJITAnytimeSoon();
475     LLINT_END_IMPL();
476 #endif // ENABLE(JIT)
477 }
478
479 LLINT_SLOW_PATH_DECL(stack_check)
480 {
481     LLINT_BEGIN();
482 #if LLINT_SLOW_PATH_TRACING
483     dataLogF("Checking stack height with exec = %p.\n", exec);
484     dataLogF("CodeBlock = %p.\n", exec->codeBlock());
485     dataLogF("Num callee registers = %u.\n", exec->codeBlock()->m_numCalleeLocals);
486     dataLogF("Num vars = %u.\n", exec->codeBlock()->m_numVars);
487
488 #if ENABLE(JIT)
489     dataLogF("Current end is at %p.\n", exec->vm().stackLimit());
490 #else
491     dataLogF("Current end is at %p.\n", exec->vm().jsStackLimit());
492 #endif
493
494 #endif
495     // If the stack check succeeds and we don't need to throw the error, then
496     // we'll return 0 instead. The prologue will check for a non-zero value
497     // when determining whether to set the callFrame or not.
498
499     // For JIT enabled builds which uses the C stack, the stack is not growable.
500     // Hence, if we get here, then we know a stack overflow is imminent. So, just
501     // throw the StackOverflowError unconditionally.
502 #if !ENABLE(JIT)
503     ASSERT(!vm.interpreter->stack().containsAddress(exec->topOfFrame()));
504     if (LIKELY(vm.interpreter->stack().ensureCapacityFor(exec->topOfFrame())))
505         LLINT_RETURN_TWO(pc, 0);
506 #endif
507
508     vm.topCallFrame = exec;
509     ErrorHandlingScope errorScope(vm);
510     vm.throwException(exec, createStackOverflowError(exec));
511     pc = returnToThrow(exec);
512     LLINT_RETURN_TWO(pc, exec);
513 }
514
515 LLINT_SLOW_PATH_DECL(slow_path_new_object)
516 {
517     LLINT_BEGIN();
518     LLINT_RETURN(constructEmptyObject(exec, pc[3].u.objectAllocationProfile->structure()));
519 }
520
521 LLINT_SLOW_PATH_DECL(slow_path_new_array)
522 {
523     LLINT_BEGIN();
524     LLINT_RETURN(constructArrayNegativeIndexed(exec, pc[4].u.arrayAllocationProfile, bitwise_cast<JSValue*>(&LLINT_OP(2)), pc[3].u.operand));
525 }
526
527 LLINT_SLOW_PATH_DECL(slow_path_new_array_with_size)
528 {
529     LLINT_BEGIN();
530     LLINT_RETURN(constructArrayWithSizeQuirk(exec, pc[3].u.arrayAllocationProfile, exec->lexicalGlobalObject(), LLINT_OP_C(2).jsValue()));
531 }
532
533 LLINT_SLOW_PATH_DECL(slow_path_new_array_buffer)
534 {
535     LLINT_BEGIN();
536     LLINT_RETURN(constructArray(exec, pc[4].u.arrayAllocationProfile, exec->codeBlock()->constantBuffer(pc[2].u.operand), pc[3].u.operand));
537 }
538
539 LLINT_SLOW_PATH_DECL(slow_path_new_regexp)
540 {
541     LLINT_BEGIN();
542     RegExp* regExp = exec->codeBlock()->regexp(pc[2].u.operand);
543     if (!regExp->isValid())
544         LLINT_THROW(createSyntaxError(exec, "Invalid flag supplied to RegExp constructor."));
545     LLINT_RETURN(RegExpObject::create(vm, exec->lexicalGlobalObject()->regExpStructure(), regExp));
546 }
547
548 LLINT_SLOW_PATH_DECL(slow_path_instanceof)
549 {
550     LLINT_BEGIN();
551     JSValue value = LLINT_OP_C(2).jsValue();
552     JSValue proto = LLINT_OP_C(3).jsValue();
553     LLINT_RETURN(jsBoolean(JSObject::defaultHasInstance(exec, value, proto)));
554 }
555
556 LLINT_SLOW_PATH_DECL(slow_path_instanceof_custom)
557 {
558     LLINT_BEGIN();
559
560     JSValue value = LLINT_OP_C(2).jsValue();
561     JSValue constructor = LLINT_OP_C(3).jsValue();
562     JSValue hasInstanceValue = LLINT_OP_C(4).jsValue();
563
564     ASSERT(constructor.isObject());
565     ASSERT(hasInstanceValue != exec->lexicalGlobalObject()->functionProtoHasInstanceSymbolFunction() || !constructor.getObject()->structure()->typeInfo().implementsDefaultHasInstance());
566
567     JSValue result = jsBoolean(constructor.getObject()->hasInstance(exec, value, hasInstanceValue));
568     LLINT_RETURN(result);
569 }
570
571 LLINT_SLOW_PATH_DECL(slow_path_try_get_by_id)
572 {
573     LLINT_BEGIN();
574     CodeBlock* codeBlock = exec->codeBlock();
575     const Identifier& ident = codeBlock->identifier(pc[3].u.operand);
576     JSValue baseValue = LLINT_OP_C(2).jsValue();
577     PropertySlot slot(baseValue, PropertySlot::PropertySlot::InternalMethodType::VMInquiry);
578
579     baseValue.getPropertySlot(exec, ident, slot);
580
581     LLINT_RETURN(slot.getPureResult());
582 }
583
584 LLINT_SLOW_PATH_DECL(slow_path_get_by_id)
585 {
586     LLINT_BEGIN();
587     CodeBlock* codeBlock = exec->codeBlock();
588     const Identifier& ident = codeBlock->identifier(pc[3].u.operand);
589     JSValue baseValue = LLINT_OP_C(2).jsValue();
590     PropertySlot slot(baseValue, PropertySlot::PropertySlot::InternalMethodType::Get);
591
592     JSValue result = baseValue.get(exec, ident, slot);
593     LLINT_CHECK_EXCEPTION();
594     LLINT_OP(1) = result;
595     
596     if (!LLINT_ALWAYS_ACCESS_SLOW
597         && baseValue.isCell()
598         && slot.isCacheable()
599         && slot.slotBase() == baseValue
600         && slot.isCacheableValue()) {
601         
602         JSCell* baseCell = baseValue.asCell();
603         Structure* structure = baseCell->structure();
604         
605         // Start out by clearing out the old cache.
606         pc[0].u.opcode = LLInt::getOpcode(op_get_by_id);
607         pc[4].u.pointer = nullptr; // old structure
608         pc[5].u.pointer = nullptr; // offset
609         
610         if (!structure->isUncacheableDictionary()
611             && !structure->typeInfo().prohibitsPropertyCaching()
612             && !structure->typeInfo().newImpurePropertyFiresWatchpoints()) {
613             vm.heap.writeBarrier(codeBlock);
614             
615             ConcurrentJITLocker locker(codeBlock->m_lock);
616
617             pc[4].u.structureID = structure->id();
618             pc[5].u.operand = slot.cachedOffset();
619         }
620     }
621
622     if (!LLINT_ALWAYS_ACCESS_SLOW
623         && isJSArray(baseValue)
624         && ident == exec->propertyNames().length) {
625         pc[0].u.opcode = LLInt::getOpcode(op_get_array_length);
626         ArrayProfile* arrayProfile = codeBlock->getOrAddArrayProfile(pc - codeBlock->instructions().begin());
627         arrayProfile->observeStructure(baseValue.asCell()->structure());
628         pc[4].u.arrayProfile = arrayProfile;
629     }
630
631     pc[OPCODE_LENGTH(op_get_by_id) - 1].u.profile->m_buckets[0] = JSValue::encode(result);
632     LLINT_END();
633 }
634
635 LLINT_SLOW_PATH_DECL(slow_path_get_arguments_length)
636 {
637     LLINT_BEGIN();
638     CodeBlock* codeBlock = exec->codeBlock();
639     const Identifier& ident = codeBlock->identifier(pc[3].u.operand);
640     JSValue baseValue = LLINT_OP(2).jsValue();
641     PropertySlot slot(baseValue, PropertySlot::InternalMethodType::Get);
642     LLINT_RETURN(baseValue.get(exec, ident, slot));
643 }
644
645 LLINT_SLOW_PATH_DECL(slow_path_put_by_id)
646 {
647     LLINT_BEGIN();
648     CodeBlock* codeBlock = exec->codeBlock();
649     const Identifier& ident = codeBlock->identifier(pc[2].u.operand);
650     
651     JSValue baseValue = LLINT_OP_C(1).jsValue();
652     PutPropertySlot slot(baseValue, codeBlock->isStrictMode(), codeBlock->putByIdContext());
653     if (pc[8].u.putByIdFlags & PutByIdIsDirect)
654         asObject(baseValue)->putDirect(vm, ident, LLINT_OP_C(3).jsValue(), slot);
655     else
656         baseValue.putInline(exec, ident, LLINT_OP_C(3).jsValue(), slot);
657     LLINT_CHECK_EXCEPTION();
658     
659     if (!LLINT_ALWAYS_ACCESS_SLOW
660         && baseValue.isCell()
661         && slot.isCacheablePut()) {
662
663         // Start out by clearing out the old cache.
664         pc[4].u.pointer = nullptr; // old structure
665         pc[5].u.pointer = nullptr; // offset
666         pc[6].u.pointer = nullptr; // new structure
667         pc[7].u.pointer = nullptr; // structure chain
668         pc[8].u.putByIdFlags =
669             static_cast<PutByIdFlags>(pc[8].u.putByIdFlags & PutByIdPersistentFlagsMask);
670         
671         JSCell* baseCell = baseValue.asCell();
672         Structure* structure = baseCell->structure();
673         
674         if (!structure->isUncacheableDictionary()
675             && !structure->typeInfo().prohibitsPropertyCaching()
676             && baseCell == slot.base()) {
677
678             vm.heap.writeBarrier(codeBlock);
679             
680             if (slot.type() == PutPropertySlot::NewProperty) {
681                 GCSafeConcurrentJITLocker locker(codeBlock->m_lock, vm.heap);
682             
683                 if (!structure->isDictionary() && structure->previousID()->outOfLineCapacity() == structure->outOfLineCapacity()) {
684                     ASSERT(structure->previousID()->transitionWatchpointSetHasBeenInvalidated());
685
686                     if (normalizePrototypeChain(exec, structure) != InvalidPrototypeChain) {
687                         ASSERT(structure->previousID()->isObject());
688                         pc[4].u.structureID = structure->previousID()->id();
689                         pc[5].u.operand = slot.cachedOffset();
690                         pc[6].u.structureID = structure->id();
691                         if (!(pc[8].u.putByIdFlags & PutByIdIsDirect)) {
692                             StructureChain* chain = structure->prototypeChain(exec);
693                             ASSERT(chain);
694                             pc[7].u.structureChain.set(
695                                 vm, codeBlock, chain);
696                         }
697                         pc[8].u.putByIdFlags = static_cast<PutByIdFlags>(
698                             pc[8].u.putByIdFlags |
699                             structure->inferredTypeDescriptorFor(ident.impl()).putByIdFlags());
700                     }
701                 }
702             } else {
703                 structure->didCachePropertyReplacement(vm, slot.cachedOffset());
704                 pc[4].u.structureID = structure->id();
705                 pc[5].u.operand = slot.cachedOffset();
706                 pc[8].u.putByIdFlags = static_cast<PutByIdFlags>(
707                     pc[8].u.putByIdFlags |
708                     structure->inferredTypeDescriptorFor(ident.impl()).putByIdFlags());
709             }
710         }
711     }
712     
713     LLINT_END();
714 }
715
716 LLINT_SLOW_PATH_DECL(slow_path_del_by_id)
717 {
718     LLINT_BEGIN();
719     CodeBlock* codeBlock = exec->codeBlock();
720     JSObject* baseObject = LLINT_OP_C(2).jsValue().toObject(exec);
721     LLINT_CHECK_EXCEPTION();
722     bool couldDelete = baseObject->methodTable()->deleteProperty(baseObject, exec, codeBlock->identifier(pc[3].u.operand));
723     LLINT_CHECK_EXCEPTION();
724     if (!couldDelete && codeBlock->isStrictMode())
725         LLINT_THROW(createTypeError(exec, "Unable to delete property."));
726     LLINT_RETURN(jsBoolean(couldDelete));
727 }
728
729 inline JSValue getByVal(ExecState* exec, JSValue baseValue, JSValue subscript)
730 {
731     if (LIKELY(baseValue.isCell() && subscript.isString())) {
732         VM& vm = exec->vm();
733         Structure& structure = *baseValue.asCell()->structure(vm);
734         if (JSCell::canUseFastGetOwnProperty(structure)) {
735             if (RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec)) {
736                 if (JSValue result = baseValue.asCell()->fastGetOwnProperty(vm, structure, existingAtomicString.get()))
737                     return result;
738             }
739         }
740     }
741     
742     if (subscript.isUInt32()) {
743         uint32_t i = subscript.asUInt32();
744         if (isJSString(baseValue) && asString(baseValue)->canGetIndex(i))
745             return asString(baseValue)->getIndex(exec, i);
746         
747         return baseValue.get(exec, i);
748     }
749
750     baseValue.requireObjectCoercible(exec);
751     if (exec->hadException())
752         return jsUndefined();
753     auto property = subscript.toPropertyKey(exec);
754     if (exec->hadException())
755         return jsUndefined();
756     return baseValue.get(exec, property);
757 }
758
759 LLINT_SLOW_PATH_DECL(slow_path_get_by_val)
760 {
761     LLINT_BEGIN();
762     LLINT_RETURN_PROFILED(op_get_by_val, getByVal(exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(3).jsValue()));
763 }
764
765 LLINT_SLOW_PATH_DECL(slow_path_put_by_val)
766 {
767     LLINT_BEGIN();
768     
769     JSValue baseValue = LLINT_OP_C(1).jsValue();
770     JSValue subscript = LLINT_OP_C(2).jsValue();
771     JSValue value = LLINT_OP_C(3).jsValue();
772     
773     if (LIKELY(subscript.isUInt32())) {
774         uint32_t i = subscript.asUInt32();
775         if (baseValue.isObject()) {
776             JSObject* object = asObject(baseValue);
777             if (object->canSetIndexQuickly(i))
778                 object->setIndexQuickly(vm, i, value);
779             else
780                 object->methodTable()->putByIndex(object, exec, i, value, exec->codeBlock()->isStrictMode());
781             LLINT_END();
782         }
783         baseValue.putByIndex(exec, i, value, exec->codeBlock()->isStrictMode());
784         LLINT_END();
785     }
786
787     auto property = subscript.toPropertyKey(exec);
788     LLINT_CHECK_EXCEPTION();
789     PutPropertySlot slot(baseValue, exec->codeBlock()->isStrictMode());
790     baseValue.put(exec, property, value, slot);
791     LLINT_END();
792 }
793
794 LLINT_SLOW_PATH_DECL(slow_path_put_by_val_direct)
795 {
796     LLINT_BEGIN();
797     
798     JSValue baseValue = LLINT_OP_C(1).jsValue();
799     JSValue subscript = LLINT_OP_C(2).jsValue();
800     JSValue value = LLINT_OP_C(3).jsValue();
801     RELEASE_ASSERT(baseValue.isObject());
802     JSObject* baseObject = asObject(baseValue);
803     bool isStrictMode = exec->codeBlock()->isStrictMode();
804     if (LIKELY(subscript.isUInt32())) {
805         // Despite its name, JSValue::isUInt32 will return true only for positive boxed int32_t; all those values are valid array indices.
806         ASSERT(isIndex(subscript.asUInt32()));
807         baseObject->putDirectIndex(exec, subscript.asUInt32(), value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
808         LLINT_END();
809     }
810
811     if (subscript.isDouble()) {
812         double subscriptAsDouble = subscript.asDouble();
813         uint32_t subscriptAsUInt32 = static_cast<uint32_t>(subscriptAsDouble);
814         if (subscriptAsDouble == subscriptAsUInt32 && isIndex(subscriptAsUInt32)) {
815             baseObject->putDirectIndex(exec, subscriptAsUInt32, value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
816             LLINT_END();
817         }
818     }
819
820     // Don't put to an object if toString threw an exception.
821     auto property = subscript.toPropertyKey(exec);
822     if (exec->vm().exception())
823         LLINT_END();
824
825     if (Optional<uint32_t> index = parseIndex(property))
826         baseObject->putDirectIndex(exec, index.value(), value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
827     else {
828         PutPropertySlot slot(baseObject, isStrictMode);
829         baseObject->putDirect(exec->vm(), property, value, slot);
830     }
831     LLINT_END();
832 }
833
834 LLINT_SLOW_PATH_DECL(slow_path_del_by_val)
835 {
836     LLINT_BEGIN();
837     JSValue baseValue = LLINT_OP_C(2).jsValue();
838     JSObject* baseObject = baseValue.toObject(exec);
839     LLINT_CHECK_EXCEPTION();
840
841     JSValue subscript = LLINT_OP_C(3).jsValue();
842     
843     bool couldDelete;
844     
845     uint32_t i;
846     if (subscript.getUInt32(i))
847         couldDelete = baseObject->methodTable()->deletePropertyByIndex(baseObject, exec, i);
848     else {
849         LLINT_CHECK_EXCEPTION();
850         auto property = subscript.toPropertyKey(exec);
851         LLINT_CHECK_EXCEPTION();
852         couldDelete = baseObject->methodTable()->deleteProperty(baseObject, exec, property);
853     }
854     
855     if (!couldDelete && exec->codeBlock()->isStrictMode())
856         LLINT_THROW(createTypeError(exec, "Unable to delete property."));
857     
858     LLINT_RETURN(jsBoolean(couldDelete));
859 }
860
861 LLINT_SLOW_PATH_DECL(slow_path_put_by_index)
862 {
863     LLINT_BEGIN();
864     JSValue arrayValue = LLINT_OP_C(1).jsValue();
865     ASSERT(isJSArray(arrayValue));
866     asArray(arrayValue)->putDirectIndex(exec, pc[2].u.operand, LLINT_OP_C(3).jsValue());
867     LLINT_END();
868 }
869
870 LLINT_SLOW_PATH_DECL(slow_path_put_getter_by_id)
871 {
872     LLINT_BEGIN();
873     ASSERT(LLINT_OP(1).jsValue().isObject());
874     JSObject* baseObj = asObject(LLINT_OP(1).jsValue());
875
876     unsigned options = pc[3].u.operand;
877
878     JSValue getter = LLINT_OP(4).jsValue();
879     ASSERT(getter.isObject());
880
881     baseObj->putGetter(exec, exec->codeBlock()->identifier(pc[2].u.operand), asObject(getter), options);
882     LLINT_END();
883 }
884
885 LLINT_SLOW_PATH_DECL(slow_path_put_setter_by_id)
886 {
887     LLINT_BEGIN();
888     ASSERT(LLINT_OP(1).jsValue().isObject());
889     JSObject* baseObj = asObject(LLINT_OP(1).jsValue());
890
891     unsigned options = pc[3].u.operand;
892
893     JSValue setter = LLINT_OP(4).jsValue();
894     ASSERT(setter.isObject());
895
896     baseObj->putSetter(exec, exec->codeBlock()->identifier(pc[2].u.operand), asObject(setter), options);
897     LLINT_END();
898 }
899
900 LLINT_SLOW_PATH_DECL(slow_path_put_getter_setter_by_id)
901 {
902     LLINT_BEGIN();
903     ASSERT(LLINT_OP(1).jsValue().isObject());
904     JSObject* baseObj = asObject(LLINT_OP(1).jsValue());
905     
906     GetterSetter* accessor = GetterSetter::create(vm, exec->lexicalGlobalObject());
907     LLINT_CHECK_EXCEPTION();
908
909     JSValue getter = LLINT_OP(4).jsValue();
910     JSValue setter = LLINT_OP(5).jsValue();
911     ASSERT(getter.isObject() || getter.isUndefined());
912     ASSERT(setter.isObject() || setter.isUndefined());
913     ASSERT(getter.isObject() || setter.isObject());
914     
915     if (!getter.isUndefined())
916         accessor->setGetter(vm, exec->lexicalGlobalObject(), asObject(getter));
917     if (!setter.isUndefined())
918         accessor->setSetter(vm, exec->lexicalGlobalObject(), asObject(setter));
919     baseObj->putDirectAccessor(
920         exec,
921         exec->codeBlock()->identifier(pc[2].u.operand),
922         accessor, pc[3].u.operand);
923     LLINT_END();
924 }
925
926 LLINT_SLOW_PATH_DECL(slow_path_put_getter_by_val)
927 {
928     LLINT_BEGIN();
929     ASSERT(LLINT_OP(1).jsValue().isObject());
930     JSObject* baseObj = asObject(LLINT_OP(1).jsValue());
931     JSValue subscript = LLINT_OP_C(2).jsValue();
932
933     unsigned options = pc[3].u.operand;
934
935     JSValue getter = LLINT_OP(4).jsValue();
936     ASSERT(getter.isObject());
937
938     auto property = subscript.toPropertyKey(exec);
939     LLINT_CHECK_EXCEPTION();
940
941     baseObj->putGetter(exec, property, asObject(getter), options);
942     LLINT_END();
943 }
944
945 LLINT_SLOW_PATH_DECL(slow_path_put_setter_by_val)
946 {
947     LLINT_BEGIN();
948     ASSERT(LLINT_OP(1).jsValue().isObject());
949     JSObject* baseObj = asObject(LLINT_OP(1).jsValue());
950     JSValue subscript = LLINT_OP_C(2).jsValue();
951
952     unsigned options = pc[3].u.operand;
953
954     JSValue setter = LLINT_OP(4).jsValue();
955     ASSERT(setter.isObject());
956
957     auto property = subscript.toPropertyKey(exec);
958     LLINT_CHECK_EXCEPTION();
959
960     baseObj->putSetter(exec, property, asObject(setter), options);
961     LLINT_END();
962 }
963
964 LLINT_SLOW_PATH_DECL(slow_path_jtrue)
965 {
966     LLINT_BEGIN();
967     LLINT_BRANCH(op_jtrue, LLINT_OP_C(1).jsValue().toBoolean(exec));
968 }
969
970 LLINT_SLOW_PATH_DECL(slow_path_jfalse)
971 {
972     LLINT_BEGIN();
973     LLINT_BRANCH(op_jfalse, !LLINT_OP_C(1).jsValue().toBoolean(exec));
974 }
975
976 LLINT_SLOW_PATH_DECL(slow_path_jless)
977 {
978     LLINT_BEGIN();
979     LLINT_BRANCH(op_jless, jsLess<true>(exec, LLINT_OP_C(1).jsValue(), LLINT_OP_C(2).jsValue()));
980 }
981
982 LLINT_SLOW_PATH_DECL(slow_path_jnless)
983 {
984     LLINT_BEGIN();
985     LLINT_BRANCH(op_jnless, !jsLess<true>(exec, LLINT_OP_C(1).jsValue(), LLINT_OP_C(2).jsValue()));
986 }
987
988 LLINT_SLOW_PATH_DECL(slow_path_jgreater)
989 {
990     LLINT_BEGIN();
991     LLINT_BRANCH(op_jgreater, jsLess<false>(exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(1).jsValue()));
992 }
993
994 LLINT_SLOW_PATH_DECL(slow_path_jngreater)
995 {
996     LLINT_BEGIN();
997     LLINT_BRANCH(op_jngreater, !jsLess<false>(exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(1).jsValue()));
998 }
999
1000 LLINT_SLOW_PATH_DECL(slow_path_jlesseq)
1001 {
1002     LLINT_BEGIN();
1003     LLINT_BRANCH(op_jlesseq, jsLessEq<true>(exec, LLINT_OP_C(1).jsValue(), LLINT_OP_C(2).jsValue()));
1004 }
1005
1006 LLINT_SLOW_PATH_DECL(slow_path_jnlesseq)
1007 {
1008     LLINT_BEGIN();
1009     LLINT_BRANCH(op_jnlesseq, !jsLessEq<true>(exec, LLINT_OP_C(1).jsValue(), LLINT_OP_C(2).jsValue()));
1010 }
1011
1012 LLINT_SLOW_PATH_DECL(slow_path_jgreatereq)
1013 {
1014     LLINT_BEGIN();
1015     LLINT_BRANCH(op_jgreatereq, jsLessEq<false>(exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(1).jsValue()));
1016 }
1017
1018 LLINT_SLOW_PATH_DECL(slow_path_jngreatereq)
1019 {
1020     LLINT_BEGIN();
1021     LLINT_BRANCH(op_jngreatereq, !jsLessEq<false>(exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(1).jsValue()));
1022 }
1023
1024 LLINT_SLOW_PATH_DECL(slow_path_switch_imm)
1025 {
1026     LLINT_BEGIN();
1027     JSValue scrutinee = LLINT_OP_C(3).jsValue();
1028     ASSERT(scrutinee.isDouble());
1029     double value = scrutinee.asDouble();
1030     int32_t intValue = static_cast<int32_t>(value);
1031     int defaultOffset = pc[2].u.operand;
1032     if (value == intValue) {
1033         CodeBlock* codeBlock = exec->codeBlock();
1034         pc += codeBlock->switchJumpTable(pc[1].u.operand).offsetForValue(intValue, defaultOffset);
1035     } else
1036         pc += defaultOffset;
1037     LLINT_END();
1038 }
1039
1040 LLINT_SLOW_PATH_DECL(slow_path_switch_char)
1041 {
1042     LLINT_BEGIN();
1043     JSValue scrutinee = LLINT_OP_C(3).jsValue();
1044     ASSERT(scrutinee.isString());
1045     JSString* string = asString(scrutinee);
1046     ASSERT(string->length() == 1);
1047     int defaultOffset = pc[2].u.operand;
1048     StringImpl* impl = string->value(exec).impl();
1049     CodeBlock* codeBlock = exec->codeBlock();
1050     pc += codeBlock->switchJumpTable(pc[1].u.operand).offsetForValue((*impl)[0], defaultOffset);
1051     LLINT_END();
1052 }
1053
1054 LLINT_SLOW_PATH_DECL(slow_path_switch_string)
1055 {
1056     LLINT_BEGIN();
1057     JSValue scrutinee = LLINT_OP_C(3).jsValue();
1058     int defaultOffset = pc[2].u.operand;
1059     if (!scrutinee.isString())
1060         pc += defaultOffset;
1061     else {
1062         CodeBlock* codeBlock = exec->codeBlock();
1063         pc += codeBlock->stringSwitchJumpTable(pc[1].u.operand).offsetForValue(asString(scrutinee)->value(exec).impl(), defaultOffset);
1064     }
1065     LLINT_END();
1066 }
1067
1068 LLINT_SLOW_PATH_DECL(slow_path_new_func)
1069 {
1070     LLINT_BEGIN();
1071     CodeBlock* codeBlock = exec->codeBlock();
1072     JSScope* scope = exec->uncheckedR(pc[2].u.operand).Register::scope();
1073 #if LLINT_SLOW_PATH_TRACING
1074     dataLogF("Creating function!\n");
1075 #endif
1076     LLINT_RETURN(JSFunction::create(vm, codeBlock->functionDecl(pc[3].u.operand), scope));
1077 }
1078
1079 LLINT_SLOW_PATH_DECL(slow_path_new_generator_func)
1080 {
1081     LLINT_BEGIN();
1082     CodeBlock* codeBlock = exec->codeBlock();
1083     JSScope* scope = exec->uncheckedR(pc[2].u.operand).Register::scope();
1084 #if LLINT_SLOW_PATH_TRACING
1085     dataLogF("Creating function!\n");
1086 #endif
1087     LLINT_RETURN(JSGeneratorFunction::create(vm, codeBlock->functionDecl(pc[3].u.operand), scope));
1088 }
1089
1090 LLINT_SLOW_PATH_DECL(slow_path_new_func_exp)
1091 {
1092     LLINT_BEGIN();
1093     
1094     CodeBlock* codeBlock = exec->codeBlock();
1095     JSScope* scope = exec->uncheckedR(pc[2].u.operand).Register::scope();
1096     FunctionExecutable* executable = codeBlock->functionExpr(pc[3].u.operand);
1097     
1098     LLINT_RETURN(JSFunction::create(vm, executable, scope));
1099 }
1100
1101 LLINT_SLOW_PATH_DECL(slow_path_new_generator_func_exp)
1102 {
1103     LLINT_BEGIN();
1104
1105     CodeBlock* codeBlock = exec->codeBlock();
1106     JSScope* scope = exec->uncheckedR(pc[2].u.operand).Register::scope();
1107     FunctionExecutable* executable = codeBlock->functionExpr(pc[3].u.operand);
1108
1109     LLINT_RETURN(JSGeneratorFunction::create(vm, executable, scope));
1110 }
1111
1112 LLINT_SLOW_PATH_DECL(slow_path_new_arrow_func_exp)
1113 {
1114     LLINT_BEGIN();
1115     
1116     CodeBlock* codeBlock = exec->codeBlock();
1117     JSScope* scope = exec->uncheckedR(pc[2].u.operand).Register::scope();
1118     FunctionExecutable* executable = codeBlock->functionExpr(pc[3].u.operand);
1119     
1120     LLINT_RETURN(JSFunction::create(vm, executable, scope));
1121 }
1122
1123 LLINT_SLOW_PATH_DECL(slow_path_set_function_name)
1124 {
1125     LLINT_BEGIN();
1126     JSFunction* func = jsCast<JSFunction*>(LLINT_OP(1).Register::unboxedCell());
1127     JSValue name = LLINT_OP_C(2).Register::jsValue();
1128     func->setFunctionName(exec, name);
1129     LLINT_END();
1130 }
1131
1132 static SlowPathReturnType handleHostCall(ExecState* execCallee, Instruction* pc, JSValue callee, CodeSpecializationKind kind)
1133 {
1134     UNUSED_PARAM(pc);
1135
1136 #if LLINT_SLOW_PATH_TRACING
1137     dataLog("Performing host call.\n");
1138 #endif
1139     
1140     ExecState* exec = execCallee->callerFrame();
1141     VM& vm = exec->vm();
1142
1143     execCallee->setCodeBlock(0);
1144     execCallee->clearReturnPC();
1145
1146     if (kind == CodeForCall) {
1147         CallData callData;
1148         CallType callType = getCallData(callee, callData);
1149     
1150         ASSERT(callType != CallType::JS);
1151     
1152         if (callType == CallType::Host) {
1153             NativeCallFrameTracer tracer(&vm, execCallee);
1154             execCallee->setCallee(asObject(callee));
1155             vm.hostCallReturnValue = JSValue::decode(callData.native.function(execCallee));
1156             
1157             LLINT_CALL_RETURN(execCallee, execCallee, LLInt::getCodePtr(getHostCallReturnValue));
1158         }
1159         
1160 #if LLINT_SLOW_PATH_TRACING
1161         dataLog("Call callee is not a function: ", callee, "\n");
1162 #endif
1163
1164         ASSERT(callType == CallType::None);
1165         LLINT_CALL_THROW(exec, createNotAFunctionError(exec, callee));
1166     }
1167
1168     ASSERT(kind == CodeForConstruct);
1169     
1170     ConstructData constructData;
1171     ConstructType constructType = getConstructData(callee, constructData);
1172     
1173     ASSERT(constructType != ConstructType::JS);
1174     
1175     if (constructType == ConstructType::Host) {
1176         NativeCallFrameTracer tracer(&vm, execCallee);
1177         execCallee->setCallee(asObject(callee));
1178         vm.hostCallReturnValue = JSValue::decode(constructData.native.function(execCallee));
1179
1180         LLINT_CALL_RETURN(execCallee, execCallee, LLInt::getCodePtr(getHostCallReturnValue));
1181     }
1182     
1183 #if LLINT_SLOW_PATH_TRACING
1184     dataLog("Constructor callee is not a function: ", callee, "\n");
1185 #endif
1186
1187     ASSERT(constructType == ConstructType::None);
1188     LLINT_CALL_THROW(exec, createNotAConstructorError(exec, callee));
1189 }
1190
1191 inline SlowPathReturnType setUpCall(ExecState* execCallee, Instruction* pc, CodeSpecializationKind kind, JSValue calleeAsValue, LLIntCallLinkInfo* callLinkInfo = 0)
1192 {
1193     ExecState* exec = execCallee->callerFrame();
1194
1195 #if LLINT_SLOW_PATH_TRACING
1196     dataLogF("Performing call with recorded PC = %p\n", exec->currentVPC());
1197 #endif
1198     
1199     JSCell* calleeAsFunctionCell = getJSFunction(calleeAsValue);
1200     if (!calleeAsFunctionCell)
1201         return handleHostCall(execCallee, pc, calleeAsValue, kind);
1202     
1203     JSFunction* callee = jsCast<JSFunction*>(calleeAsFunctionCell);
1204     JSScope* scope = callee->scopeUnchecked();
1205     VM& vm = *scope->vm();
1206     ExecutableBase* executable = callee->executable();
1207
1208     MacroAssemblerCodePtr codePtr;
1209     CodeBlock* codeBlock = 0;
1210     bool isWebAssemblyExecutable = false;
1211 #if ENABLE(WEBASSEMBLY)
1212     isWebAssemblyExecutable = executable->isWebAssemblyExecutable();
1213 #endif
1214
1215     if (executable->isHostFunction()) {
1216         codePtr = executable->entrypointFor(kind, MustCheckArity);
1217     } else if (!isWebAssemblyExecutable) {
1218         FunctionExecutable* functionExecutable = static_cast<FunctionExecutable*>(executable);
1219
1220         if (!isCall(kind) && functionExecutable->constructAbility() == ConstructAbility::CannotConstruct)
1221             LLINT_CALL_THROW(exec, createNotAConstructorError(exec, callee));
1222
1223         JSObject* error = functionExecutable->prepareForExecution(execCallee, callee, scope, kind);
1224         if (error)
1225             LLINT_CALL_THROW(exec, error);
1226         codeBlock = functionExecutable->codeBlockFor(kind);
1227         ASSERT(codeBlock);
1228         ArityCheckMode arity;
1229         if (execCallee->argumentCountIncludingThis() < static_cast<size_t>(codeBlock->numParameters()))
1230             arity = MustCheckArity;
1231         else
1232             arity = ArityCheckNotRequired;
1233         codePtr = functionExecutable->entrypointFor(kind, arity);
1234     } else {
1235 #if ENABLE(WEBASSEMBLY)
1236         WebAssemblyExecutable* webAssemblyExecutable = static_cast<WebAssemblyExecutable*>(executable);
1237         webAssemblyExecutable->prepareForExecution(execCallee);
1238         codeBlock = webAssemblyExecutable->codeBlockForCall();
1239         ASSERT(codeBlock);
1240         ArityCheckMode arity;
1241         if (execCallee->argumentCountIncludingThis() < static_cast<size_t>(codeBlock->numParameters()))
1242             arity = MustCheckArity;
1243         else
1244             arity = ArityCheckNotRequired;
1245         codePtr = webAssemblyExecutable->entrypointFor(kind, arity);
1246 #endif
1247     }
1248     
1249     ASSERT(!!codePtr);
1250     
1251     if (!LLINT_ALWAYS_ACCESS_SLOW && callLinkInfo) {
1252         CodeBlock* callerCodeBlock = exec->codeBlock();
1253
1254         ConcurrentJITLocker locker(callerCodeBlock->m_lock);
1255         
1256         if (callLinkInfo->isOnList())
1257             callLinkInfo->remove();
1258         callLinkInfo->callee.set(vm, callerCodeBlock, callee);
1259         callLinkInfo->lastSeenCallee.set(vm, callerCodeBlock, callee);
1260         callLinkInfo->machineCodeTarget = codePtr;
1261         if (codeBlock)
1262             codeBlock->linkIncomingCall(exec, callLinkInfo);
1263     }
1264
1265     LLINT_CALL_RETURN(exec, execCallee, codePtr.executableAddress());
1266 }
1267
1268 inline SlowPathReturnType genericCall(ExecState* exec, Instruction* pc, CodeSpecializationKind kind)
1269 {
1270     // This needs to:
1271     // - Set up a call frame.
1272     // - Figure out what to call and compile it if necessary.
1273     // - If possible, link the call's inline cache.
1274     // - Return a tuple of machine code address to call and the new call frame.
1275     
1276     JSValue calleeAsValue = LLINT_OP_C(2).jsValue();
1277     
1278     ExecState* execCallee = exec - pc[4].u.operand;
1279     
1280     execCallee->setArgumentCountIncludingThis(pc[3].u.operand);
1281     execCallee->uncheckedR(JSStack::Callee) = calleeAsValue;
1282     execCallee->setCallerFrame(exec);
1283     
1284     ASSERT(pc[5].u.callLinkInfo);
1285     return setUpCall(execCallee, pc, kind, calleeAsValue, pc[5].u.callLinkInfo);
1286 }
1287
1288 LLINT_SLOW_PATH_DECL(slow_path_call)
1289 {
1290     LLINT_BEGIN_NO_SET_PC();
1291     return genericCall(exec, pc, CodeForCall);
1292 }
1293
1294 LLINT_SLOW_PATH_DECL(slow_path_construct)
1295 {
1296     LLINT_BEGIN_NO_SET_PC();
1297     return genericCall(exec, pc, CodeForConstruct);
1298 }
1299
1300 LLINT_SLOW_PATH_DECL(slow_path_size_frame_for_varargs)
1301 {
1302     LLINT_BEGIN();
1303     // This needs to:
1304     // - Set up a call frame while respecting the variable arguments.
1305     
1306     unsigned numUsedStackSlots = -pc[5].u.operand;
1307     unsigned length = sizeFrameForVarargs(exec, &vm.interpreter->stack(),
1308         LLINT_OP_C(4).jsValue(), numUsedStackSlots, pc[6].u.operand);
1309     LLINT_CALL_CHECK_EXCEPTION(exec, exec);
1310     
1311     ExecState* execCallee = calleeFrameForVarargs(exec, numUsedStackSlots, length + 1);
1312     vm.varargsLength = length;
1313     vm.newCallFrameReturnValue = execCallee;
1314
1315     LLINT_RETURN_CALLEE_FRAME(execCallee);
1316 }
1317
1318 LLINT_SLOW_PATH_DECL(slow_path_call_varargs)
1319 {
1320     LLINT_BEGIN_NO_SET_PC();
1321     // This needs to:
1322     // - Figure out what to call and compile it if necessary.
1323     // - Return a tuple of machine code address to call and the new call frame.
1324     
1325     JSValue calleeAsValue = LLINT_OP_C(2).jsValue();
1326     
1327     ExecState* execCallee = vm.newCallFrameReturnValue;
1328
1329     setupVarargsFrameAndSetThis(exec, execCallee, LLINT_OP_C(3).jsValue(), LLINT_OP_C(4).jsValue(), pc[6].u.operand, vm.varargsLength);
1330     LLINT_CALL_CHECK_EXCEPTION(exec, exec);
1331     
1332     execCallee->uncheckedR(JSStack::Callee) = calleeAsValue;
1333     execCallee->setCallerFrame(exec);
1334     exec->setCurrentVPC(pc);
1335     
1336     return setUpCall(execCallee, pc, CodeForCall, calleeAsValue);
1337 }
1338     
1339 LLINT_SLOW_PATH_DECL(slow_path_construct_varargs)
1340 {
1341     LLINT_BEGIN_NO_SET_PC();
1342     // This needs to:
1343     // - Figure out what to call and compile it if necessary.
1344     // - Return a tuple of machine code address to call and the new call frame.
1345     
1346     JSValue calleeAsValue = LLINT_OP_C(2).jsValue();
1347     
1348     ExecState* execCallee = vm.newCallFrameReturnValue;
1349     
1350     setupVarargsFrameAndSetThis(exec, execCallee, LLINT_OP_C(3).jsValue(), LLINT_OP_C(4).jsValue(), pc[6].u.operand, vm.varargsLength);
1351     LLINT_CALL_CHECK_EXCEPTION(exec, exec);
1352     
1353     execCallee->uncheckedR(JSStack::Callee) = calleeAsValue;
1354     execCallee->setCallerFrame(exec);
1355     exec->setCurrentVPC(pc);
1356     
1357     return setUpCall(execCallee, pc, CodeForConstruct, calleeAsValue);
1358 }
1359     
1360 LLINT_SLOW_PATH_DECL(slow_path_call_eval)
1361 {
1362     LLINT_BEGIN_NO_SET_PC();
1363     JSValue calleeAsValue = LLINT_OP(2).jsValue();
1364     
1365     ExecState* execCallee = exec - pc[4].u.operand;
1366     
1367     execCallee->setArgumentCountIncludingThis(pc[3].u.operand);
1368     execCallee->setCallerFrame(exec);
1369     execCallee->uncheckedR(JSStack::Callee) = calleeAsValue;
1370     execCallee->setReturnPC(LLInt::getCodePtr(llint_generic_return_point));
1371     execCallee->setCodeBlock(0);
1372     exec->setCurrentVPC(pc);
1373     
1374     if (!isHostFunction(calleeAsValue, globalFuncEval))
1375         return setUpCall(execCallee, pc, CodeForCall, calleeAsValue);
1376     
1377     vm.hostCallReturnValue = eval(execCallee);
1378     LLINT_CALL_RETURN(exec, execCallee, LLInt::getCodePtr(getHostCallReturnValue));
1379 }
1380
1381 LLINT_SLOW_PATH_DECL(slow_path_strcat)
1382 {
1383     LLINT_BEGIN();
1384     LLINT_RETURN(jsStringFromRegisterArray(exec, &LLINT_OP(2), pc[3].u.operand));
1385 }
1386
1387 LLINT_SLOW_PATH_DECL(slow_path_to_primitive)
1388 {
1389     LLINT_BEGIN();
1390     LLINT_RETURN(LLINT_OP_C(2).jsValue().toPrimitive(exec));
1391 }
1392
1393 LLINT_SLOW_PATH_DECL(slow_path_throw)
1394 {
1395     LLINT_BEGIN();
1396     LLINT_THROW(LLINT_OP_C(1).jsValue());
1397 }
1398
1399 LLINT_SLOW_PATH_DECL(slow_path_throw_static_error)
1400 {
1401     LLINT_BEGIN();
1402     JSValue errorMessageValue = LLINT_OP_C(1).jsValue();
1403     RELEASE_ASSERT(errorMessageValue.isString());
1404     String errorMessage = asString(errorMessageValue)->value(exec);
1405     if (pc[2].u.operand)
1406         LLINT_THROW(createReferenceError(exec, errorMessage));
1407     else
1408         LLINT_THROW(createTypeError(exec, errorMessage));
1409 }
1410
1411 LLINT_SLOW_PATH_DECL(slow_path_handle_watchdog_timer)
1412 {
1413     LLINT_BEGIN_NO_SET_PC();
1414     ASSERT(vm.watchdog());
1415     if (UNLIKELY(vm.shouldTriggerTermination(exec)))
1416         LLINT_THROW(createTerminatedExecutionException(&vm));
1417     LLINT_RETURN_TWO(0, exec);
1418 }
1419
1420 LLINT_SLOW_PATH_DECL(slow_path_debug)
1421 {
1422     LLINT_BEGIN();
1423     int debugHookID = pc[1].u.operand;
1424     vm.interpreter->debug(exec, static_cast<DebugHookID>(debugHookID));
1425     
1426     LLINT_END();
1427 }
1428
1429 LLINT_SLOW_PATH_DECL(slow_path_profile_will_call)
1430 {
1431     LLINT_BEGIN();
1432     if (LegacyProfiler* profiler = vm.enabledProfiler())
1433         profiler->willExecute(exec, LLINT_OP(1).jsValue());
1434     LLINT_END();
1435 }
1436
1437 LLINT_SLOW_PATH_DECL(slow_path_profile_did_call)
1438 {
1439     LLINT_BEGIN();
1440     if (LegacyProfiler* profiler = vm.enabledProfiler())
1441         profiler->didExecute(exec, LLINT_OP(1).jsValue());
1442     LLINT_END();
1443 }
1444
1445 LLINT_SLOW_PATH_DECL(slow_path_handle_exception)
1446 {
1447     LLINT_BEGIN_NO_SET_PC();
1448     genericUnwind(&vm, exec);
1449     LLINT_END_IMPL();
1450 }
1451
1452 LLINT_SLOW_PATH_DECL(slow_path_get_from_scope)
1453 {
1454     LLINT_BEGIN();
1455
1456     const Identifier& ident = exec->codeBlock()->identifier(pc[3].u.operand);
1457     JSObject* scope = jsCast<JSObject*>(LLINT_OP(2).jsValue());
1458     GetPutInfo getPutInfo(pc[4].u.operand);
1459
1460     // ModuleVar is always converted to ClosureVar for get_from_scope.
1461     ASSERT(getPutInfo.resolveType() != ModuleVar);
1462
1463     PropertySlot slot(scope, PropertySlot::InternalMethodType::Get);
1464     if (!scope->getPropertySlot(exec, ident, slot)) {
1465         if (getPutInfo.resolveMode() == ThrowIfNotFound)
1466             LLINT_RETURN(exec->vm().throwException(exec, createUndefinedVariableError(exec, ident)));
1467         LLINT_RETURN(jsUndefined());
1468     }
1469
1470     JSValue result = JSValue();
1471     if (scope->isGlobalLexicalEnvironment()) {
1472         // When we can't statically prove we need a TDZ check, we must perform the check on the slow path.
1473         result = slot.getValue(exec, ident);
1474         if (result == jsTDZValue())
1475             LLINT_THROW(createTDZError(exec));
1476     }
1477
1478     CommonSlowPaths::tryCacheGetFromScopeGlobal(exec, vm, pc, scope, slot, ident);
1479
1480     if (!result)
1481         result = slot.getValue(exec, ident);
1482     LLINT_RETURN(result);
1483 }
1484
1485 LLINT_SLOW_PATH_DECL(slow_path_put_to_scope)
1486 {
1487     LLINT_BEGIN();
1488
1489     CodeBlock* codeBlock = exec->codeBlock();
1490     const Identifier& ident = codeBlock->identifier(pc[2].u.operand);
1491     JSObject* scope = jsCast<JSObject*>(LLINT_OP(1).jsValue());
1492     JSValue value = LLINT_OP_C(3).jsValue();
1493     GetPutInfo getPutInfo = GetPutInfo(pc[4].u.operand);
1494     if (getPutInfo.resolveType() == LocalClosureVar) {
1495         JSLexicalEnvironment* environment = jsCast<JSLexicalEnvironment*>(scope);
1496         environment->variableAt(ScopeOffset(pc[6].u.operand)).set(vm, environment, value);
1497         
1498         // Have to do this *after* the write, because if this puts the set into IsWatched, then we need
1499         // to have already changed the value of the variable. Otherwise we might watch and constant-fold
1500         // to the Undefined value from before the assignment.
1501         if (WatchpointSet* set = pc[5].u.watchpointSet)
1502             set->touch("Executed op_put_scope<LocalClosureVar>");
1503         LLINT_END();
1504     }
1505
1506     bool hasProperty = scope->hasProperty(exec, ident);
1507     if (hasProperty
1508         && scope->isGlobalLexicalEnvironment()
1509         && !isInitialization(getPutInfo.initializationMode())) {
1510         // When we can't statically prove we need a TDZ check, we must perform the check on the slow path.
1511         PropertySlot slot(scope, PropertySlot::InternalMethodType::Get);
1512         JSGlobalLexicalEnvironment::getOwnPropertySlot(scope, exec, ident, slot);
1513         if (slot.getValue(exec, ident) == jsTDZValue())
1514             LLINT_THROW(createTDZError(exec));
1515     }
1516
1517     if (getPutInfo.resolveMode() == ThrowIfNotFound && !hasProperty)
1518         LLINT_THROW(createUndefinedVariableError(exec, ident));
1519
1520     PutPropertySlot slot(scope, codeBlock->isStrictMode(), PutPropertySlot::UnknownContext, isInitialization(getPutInfo.initializationMode()));
1521     scope->methodTable()->put(scope, exec, ident, value, slot);
1522     
1523     CommonSlowPaths::tryCachePutToScopeGlobal(exec, codeBlock, pc, scope, getPutInfo, slot, ident);
1524
1525     LLINT_END();
1526 }
1527
1528 LLINT_SLOW_PATH_DECL(slow_path_check_if_exception_is_uncatchable_and_notify_profiler)
1529 {
1530     LLINT_BEGIN();
1531     RELEASE_ASSERT(!!vm.exception());
1532
1533     if (LegacyProfiler* profiler = vm.enabledProfiler())
1534         profiler->exceptionUnwind(exec);
1535
1536     if (isTerminatedExecutionException(vm.exception()))
1537         LLINT_RETURN_TWO(pc, bitwise_cast<void*>(static_cast<uintptr_t>(1)));
1538     LLINT_RETURN_TWO(pc, 0);
1539 }
1540
1541 LLINT_SLOW_PATH_DECL(slow_path_log_shadow_chicken_prologue)
1542 {
1543     LLINT_BEGIN();
1544     
1545     JSScope* scope = exec->uncheckedR(pc[1].u.operand).Register::scope();
1546     vm.shadowChicken().log(vm, exec, ShadowChicken::Packet::prologue(exec->callee(), exec, exec->callerFrame(), scope));
1547     
1548     LLINT_END();
1549 }
1550
1551 LLINT_SLOW_PATH_DECL(slow_path_log_shadow_chicken_tail)
1552 {
1553     LLINT_BEGIN();
1554
1555     JSValue thisValue = LLINT_OP(1).jsValue();
1556     JSScope* scope = exec->uncheckedR(pc[2].u.operand).Register::scope();
1557     
1558 #if USE(JSVALUE64)
1559     CallSiteIndex callSiteIndex(exec->codeBlock()->bytecodeOffset(pc));
1560 #else
1561     CallSiteIndex callSiteIndex(pc);
1562 #endif
1563     vm.shadowChicken().log(vm, exec, ShadowChicken::Packet::tail(exec, thisValue, scope, exec->codeBlock(), callSiteIndex));
1564     
1565     LLINT_END();
1566 }
1567
1568 extern "C" SlowPathReturnType llint_throw_stack_overflow_error(VM* vm, ProtoCallFrame* protoFrame)
1569 {
1570     ExecState* exec = vm->topCallFrame;
1571     if (!exec)
1572         exec = protoFrame->callee()->globalObject()->globalExec();
1573     throwStackOverflowError(exec);
1574     return encodeResult(0, 0);
1575 }
1576
1577 #if !ENABLE(JIT)
1578 extern "C" SlowPathReturnType llint_stack_check_at_vm_entry(VM* vm, Register* newTopOfStack)
1579 {
1580     bool success = vm->interpreter->stack().ensureCapacityFor(newTopOfStack);
1581     return encodeResult(reinterpret_cast<void*>(success), 0);
1582 }
1583 #endif
1584
1585 extern "C" void llint_write_barrier_slow(ExecState* exec, JSCell* cell)
1586 {
1587     VM& vm = exec->vm();
1588     vm.heap.writeBarrier(cell);
1589 }
1590
1591 extern "C" NO_RETURN_DUE_TO_CRASH void llint_crash()
1592 {
1593     CRASH();
1594 }
1595
1596 } } // namespace JSC::LLInt