2 * Copyright (C) 2011-2017 Apple Inc. All rights reserved.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
13 * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 #include "LLIntSlowPaths.h"
29 #include "ArrayConstructor.h"
30 #include "CallFrame.h"
31 #include "CommonSlowPaths.h"
32 #include "CommonSlowPathsExceptions.h"
34 #include "ErrorHandlingScope.h"
35 #include "EvalCodeBlock.h"
36 #include "Exception.h"
37 #include "ExceptionFuzz.h"
38 #include "FrameTracers.h"
39 #include "FunctionCodeBlock.h"
40 #include "FunctionWhitelist.h"
41 #include "GetterSetter.h"
42 #include "HostCallReturnValue.h"
43 #include "InterpreterInlines.h"
44 #include "IteratorOperations.h"
46 #include "JITExceptions.h"
47 #include "JITWorklist.h"
48 #include "JSAsyncFunction.h"
49 #include "JSAsyncGeneratorFunction.h"
50 #include "JSCInlines.h"
51 #include "JSCJSValue.h"
52 #include "JSGeneratorFunction.h"
53 #include "JSGlobalObjectFunctions.h"
54 #include "JSLexicalEnvironment.h"
56 #include "JSWithScope.h"
57 #include "LLIntCommon.h"
58 #include "LLIntData.h"
59 #include "LLIntExceptions.h"
60 #include "LowLevelInterpreter.h"
61 #include "ModuleProgramCodeBlock.h"
62 #include "ObjectConstructor.h"
63 #include "ObjectPropertyConditionSet.h"
64 #include "ProgramCodeBlock.h"
65 #include "ProtoCallFrame.h"
66 #include "RegExpObject.h"
67 #include "ShadowChicken.h"
68 #include "StructureRareDataInlines.h"
69 #include "SuperSampler.h"
70 #include "VMInlines.h"
71 #include <wtf/NeverDestroyed.h>
72 #include <wtf/StringPrintStream.h>
74 namespace JSC { namespace LLInt {
// Helper macros shared by every slow path in this file. LLINT_BEGIN_NO_SET_PC binds
// the VM, a NativeCallFrameTracer for the current frame and a throw scope; LLINT_BEGIN
// additionally records the current bytecode pc (LLINT_SET_PC_FOR_STUBS) so that
// stubs and exception handling see where the interpreter was. The *_CHECK_EXCEPTION
// and *_THROW forms redirect pc to returnToThrow()/callToThrow() whenever the throw
// scope holds an exception, which is how a slow path hands an exception back to the
// interpreter instead of continuing with a stale result.
// NOTE(review): this listing omits some macro continuation lines (the closing
// "} while (false)" of several do-blocks and the #if/#else around the two
// LLINT_SET_PC_FOR_STUBS definitions are not shown); read with the upstream file.
76 #define LLINT_BEGIN_NO_SET_PC() \
77 VM& vm = exec->vm(); \
78 NativeCallFrameTracer tracer(&vm, exec); \
79 auto throwScope = DECLARE_THROW_SCOPE(vm)
// Two variants of LLINT_SET_PC_FOR_STUBS: one also records the bytecode offset on
// the code block (presumably the debug/tracing build), the other only sets the VPC.
82 #define LLINT_SET_PC_FOR_STUBS() do { \
83 exec->codeBlock()->bytecodeOffset(pc); \
84 exec->setCurrentVPC(pc); \
87 #define LLINT_SET_PC_FOR_STUBS() do { \
88 exec->setCurrentVPC(pc); \
92 #define LLINT_BEGIN() \
93 LLINT_BEGIN_NO_SET_PC(); \
94 LLINT_SET_PC_FOR_STUBS()
// LLINT_OP reads a register unchecked (destination/known-register operands);
// LLINT_OP_C goes through exec->r(), which is the form used for operands that may
// be constants.
96 #define LLINT_OP(index) (exec->uncheckedR(pc[index].u.operand))
97 #define LLINT_OP_C(index) (exec->r(pc[index].u.operand))
99 #define LLINT_RETURN_TWO(first, second) do { \
100 return encodeResult(first, second); \
103 #define LLINT_END_IMPL() LLINT_RETURN_TWO(pc, 0)
// Exception plumbing. doExceptionFuzzingIfEnabled() lets the test harness inject an
// exception at this point; the check that follows therefore covers both real and
// fuzzed exceptions. LLINT_BRANCH and the LLINT_RETURN* forms all run the exception
// check before touching pc or the destination register.
105 #define LLINT_THROW(exceptionToThrow) do { \
106 throwException(exec, throwScope, exceptionToThrow); \
107 pc = returnToThrow(exec); \
111 #define LLINT_CHECK_EXCEPTION() do { \
112 doExceptionFuzzingIfEnabled(exec, throwScope, "LLIntSlowPaths", pc); \
113 if (UNLIKELY(throwScope.exception())) { \
114 pc = returnToThrow(exec); \
119 #define LLINT_END() do { \
120 LLINT_CHECK_EXCEPTION(); \
124 #define LLINT_BRANCH(opcode, condition) do { \
125 bool __b_condition = (condition); \
126 LLINT_CHECK_EXCEPTION(); \
128 pc += pc[OPCODE_LENGTH(opcode) - 1].u.operand; \
130 pc += OPCODE_LENGTH(opcode); \
134 #define LLINT_RETURN(value) do { \
135 JSValue __r_returnValue = (value); \
136 LLINT_CHECK_EXCEPTION(); \
137 LLINT_OP(1) = __r_returnValue; \
141 #define LLINT_RETURN_WITH_PC_ADJUSTMENT(value, pcAdjustment) do { \
142 JSValue __r_returnValue = (value); \
143 LLINT_CHECK_EXCEPTION(); \
144 LLINT_OP(1) = __r_returnValue; \
145 pc += (pcAdjustment); \
149 #define LLINT_RETURN_PROFILED(opcode, value) do { \
150 JSValue __rp_returnValue = (value); \
151 LLINT_CHECK_EXCEPTION(); \
152 LLINT_OP(1) = __rp_returnValue; \
153 LLINT_PROFILE_VALUE(opcode, __rp_returnValue); \
157 #define LLINT_PROFILE_VALUE(opcode, value) do { \
158 pc[OPCODE_LENGTH(opcode) - 1].u.profile->m_buckets[0] = \
159 JSValue::encode(value); \
162 #define LLINT_CALL_END_IMPL(exec, callTarget) LLINT_RETURN_TWO((callTarget), (exec))
// Call-site variants: the frame to throw from is passed explicitly because the
// callee frame may already have been set up; callToThrow() is used instead of
// returnToThrow().
164 #define LLINT_CALL_THROW(exec, exceptionToThrow) do { \
165 ExecState* __ct_exec = (exec); \
166 throwException(__ct_exec, throwScope, exceptionToThrow); \
167 LLINT_CALL_END_IMPL(0, callToThrow(__ct_exec)); \
170 #define LLINT_CALL_CHECK_EXCEPTION(exec, execCallee) do { \
171 ExecState* __cce_exec = (exec); \
172 ExecState* __cce_execCallee = (execCallee); \
173 doExceptionFuzzingIfEnabled(__cce_exec, throwScope, "LLIntSlowPaths/call", nullptr); \
174 if (UNLIKELY(throwScope.exception())) \
175 LLINT_CALL_END_IMPL(0, callToThrow(__cce_execCallee)); \
178 #define LLINT_CALL_RETURN(exec, execCallee, callTarget) do { \
179 ExecState* __cr_exec = (exec); \
180 ExecState* __cr_execCallee = (execCallee); \
181 void* __cr_callTarget = (callTarget); \
182 LLINT_CALL_CHECK_EXCEPTION(__cr_exec, __cr_execCallee); \
183 LLINT_CALL_END_IMPL(__cr_execCallee, __cr_callTarget); \
186 #define LLINT_RETURN_CALLEE_FRAME(execCallee) do { \
187 ExecState* __rcf_exec = (execCallee); \
188 LLINT_RETURN_TWO(pc, __rcf_exec); \
// Tracing hook: logs the raw operand stored at pc[operand] for the bytecode
// currently executing, with the bytecode offset and opcode id. `fromWhere` is only
// echoed into the log line. The "<%p> %p / %p" prefix presumably takes the same
// thread/codeBlock/exec triple as trace_prologue below (those argument lines are
// not shown in this listing, nor is the return).
// NOTE(review): the bytecode offset is cast to intptr_t but printed with %zu
// (size_t); same width on the supported targets, but the cast type does not match
// the format.
191 extern "C" SlowPathReturnType llint_trace_operand(ExecState* exec, Instruction* pc, int fromWhere, int operand)
194 dataLogF("<%p> %p / %p: executing bc#%zu, op#%u: Trace(%d): %d: %d\n",
198 static_cast<intptr_t>(pc - exec->codeBlock()->instructions().begin()),
199 Interpreter::getOpcodeID(pc[0].u.opcode),
202 pc[operand].u.operand);
// Tracing hook: like llint_trace_operand, but reads the register the operand names
// (through LLINT_OP_C, so constants are allowed) and logs both the encoded
// 64-bit JSValue as two 32-bit halves and its toCString() rendering.
// The encoded value is viewed through a union (asValue plus a two-word view whose
// declaration is not shown here) to split it for the %08x:%08x fields.
206 extern "C" SlowPathReturnType llint_trace_value(ExecState* exec, Instruction* pc, int fromWhere, int operand)
208 JSValue value = LLINT_OP_C(operand).jsValue();
214 EncodedJSValue asValue;
216 u.asValue = JSValue::encode(value);
218 "<%p> %p / %p: executing bc#%zu, op#%u: Trace(%d): %d: %d: %08x:%08x: %s\n",
222 static_cast<intptr_t>(pc - exec->codeBlock()->instructions().begin()),
223 Interpreter::getOpcodeID(pc[0].u.opcode),
226 pc[operand].u.operand,
229 toCString(value).data());
// Tracing slow path run in a non-function (program/eval/module) prologue: logs the
// current thread, code block and frame, then dumps the code block.
233 LLINT_SLOW_PATH_DECL(trace_prologue)
235 dataLogF("<%p> %p / %p: in prologue of ", &Thread::current(), exec->codeBlock(), exec);
236 dataLog(*exec->codeBlock(), "\n");
// Shared body of the four function-prologue tracing paths below. `comment` names
// the stage ("call prologue", "construct arity check", ...); `kind` selects which
// of the callee's code blocks (call vs construct) is reported. The callee is taken
// from exec->jsCallee() and cast with jsCast, so this is only valid when the callee
// really is a JSFunction (jsCast asserts that in debug builds).
240 static void traceFunctionPrologue(ExecState* exec, const char* comment, CodeSpecializationKind kind)
242 JSFunction* callee = jsCast<JSFunction*>(exec->jsCallee());
243 FunctionExecutable* executable = callee->jsExecutable();
244 CodeBlock* codeBlock = executable->codeBlockFor(kind);
245 dataLogF("<%p> %p / %p: in %s of ", &Thread::current(), codeBlock, exec, comment);
247 dataLogF(" function %p, executable %p; numVars = %u, numParameters = %u, numCalleeLocals = %u, caller = %p.\n",
248 callee, executable, codeBlock->m_numVars, codeBlock->numParameters(), codeBlock->m_numCalleeLocals, exec->callerFrame());
// Tracing slow path for the prologue of a function invoked as a call.
251 LLINT_SLOW_PATH_DECL(trace_prologue_function_for_call)
253 traceFunctionPrologue(exec, "call prologue", CodeForCall);
// Tracing slow path for the prologue of a function invoked with `new`.
257 LLINT_SLOW_PATH_DECL(trace_prologue_function_for_construct)
259 traceFunctionPrologue(exec, "construct prologue", CodeForConstruct);
// Tracing slow path for the arity-check entry of a function invoked as a call.
263 LLINT_SLOW_PATH_DECL(trace_arityCheck_for_call)
265 traceFunctionPrologue(exec, "call arity check", CodeForCall);
// Tracing slow path for the arity-check entry of a function invoked with `new`.
269 LLINT_SLOW_PATH_DECL(trace_arityCheck_for_construct)
271 traceFunctionPrologue(exec, "construct arity check", CodeForConstruct);
// Per-bytecode tracing slow path: logs the opcode name, bytecode offset and pc.
// On op_enter it also logs the frame's return PC; on op_ret it logs where the
// frame will return to and what the new caller frame will be.
// NOTE(review): offset is cast to intptr_t but printed with %zu (see
// llint_trace_operand).
275 LLINT_SLOW_PATH_DECL(trace)
277 OpcodeID opcodeID = Interpreter::getOpcodeID(pc[0].u.opcode);
278 dataLogF("<%p> %p / %p: executing bc#%zu, %s, pc = %p\n",
282 static_cast<intptr_t>(pc - exec->codeBlock()->instructions().begin()),
283 opcodeNames[opcodeID], pc);
284 if (opcodeID == op_enter) {
285 dataLogF("Frame will eventually return to %p\n", exec->returnPC().value());
// Reads one byte at the return PC through a volatile pointer and discards it.
// The read has no other effect, so it presumably exists to fault right here, at
// frame entry, if the return address is not mapped — confirm upstream intent.
286 *bitwise_cast<volatile char*>(exec->returnPC().value());
288 if (opcodeID == op_ret) {
289 dataLogF("Will be returning to %p\n", exec->returnPC().value());
290 dataLogF("The new cfr will be %p\n", exec->callerFrame());
// Tracing slow path for the "special case" trace points emitted by the
// interpreter: logs bytecode offset, opcode id and the frame's return PC.
// NOTE(review): offset is cast to intptr_t but printed with %zu (see
// llint_trace_operand).
295 LLINT_SLOW_PATH_DECL(special_trace)
297 dataLogF("<%p> %p / %p: executing special case bc#%zu, op#%u, return PC is %p\n",
301 static_cast<intptr_t>(pc - exec->codeBlock()->instructions().begin()),
302 Interpreter::getOpcodeID(pc[0].u.opcode),
303 exec->returnPC().value());
// Which JIT entry point an OSR request wants: the plain prologue, or the entry
// that still performs the arity check (see entryOSR below).
307 enum EntryKind { Prologue, ArityCheck };
// Lazily builds the process-wide JIT whitelist from the file named by
// Options::jitWhitelist(). Construction happens exactly once and is thread-safe
// via std::call_once; the object is never destroyed (LazyNeverDestroyed), so the
// returned reference stays valid for the life of the process.
310 static FunctionWhitelist& ensureGlobalJITWhitelist()
312 static LazyNeverDestroyed<FunctionWhitelist> baselineWhitelist;
313 static std::once_flag initializeWhitelistFlag;
314 std::call_once(initializeWhitelistFlag, [] {
315 const char* functionWhitelistFile = Options::jitWhitelist();
316 baselineWhitelist.construct(functionWhitelistFile);
318 return baselineWhitelist;
// Policy gate for tiering a code block up from the LLInt: the block's bytecode
// count must fall inside Options::bytecodeRangeToJITCompile() and the block must
// be on the JIT whitelist (the early `return false` for the failing case is not
// shown in this listing); beyond that the VM must be able to JIT and the baseline
// JIT must be enabled. Callers use a false result to call dontJITAnytimeSoon().
321 inline bool shouldJIT(CodeBlock* codeBlock)
323 if (!Options::bytecodeRangeToJITCompile().isInRange(codeBlock->instructionCount())
324 || !ensureGlobalJITWhitelist().contains(codeBlock))
327 return VM::canUseJIT() && Options::useBaselineJIT();
330 // Returns true if we should try to OSR.
// Advances the code block's tier-up heuristics and, once its JIT threshold is
// reached, hands it to the JITWorklist. `loopOSREntryBytecodeOffset` is forwarded
// to compileLater() so a loop_osr caller can ask for an entry at that bytecode
// (0, the default, is used by the prologue/replace paths).
// NOTE(review): `vm` is bound on a line not shown in this listing (presumably
// exec->vm()), and the `return false` of the threshold-not-reached branch is
// likewise omitted.
331 inline bool jitCompileAndSetHeuristics(CodeBlock* codeBlock, ExecState* exec, unsigned loopOSREntryBytecodeOffset = 0)
334 DeferGCForAWhile deferGC(vm.heap); // My callers don't set top callframe, so we don't want to GC here at all.
336 codeBlock->updateAllValueProfilePredictions();
338 if (!codeBlock->checkIfJITThresholdReached()) {
339 CODEBLOCK_LOG_EVENT(codeBlock, "delayJITCompile", ("threshold not reached, counter = ", codeBlock->llintExecuteCounter()));
340 if (Options::verboseOSR())
341 dataLogF(" JIT threshold should be lifted.\n");
// Let any finished compilations land before looking at the block's JIT type.
345 JITWorklist::instance()->poll(vm);
347 switch (codeBlock->jitType()) {
348 case JITCode::BaselineJIT: {
// Already compiled: ask the block to stop running in the LLInt soon.
349 if (Options::verboseOSR())
350 dataLogF(" Code was already compiled.\n");
351 codeBlock->jitSoon();
354 case JITCode::InterpreterThunk: {
// Queue the compile; the result is whether the block is baseline-compiled by the
// time compileLater() returns.
355 JITWorklist::instance()->compileLater(codeBlock, loopOSREntryBytecodeOffset);
356 return codeBlock->jitType() == JITCode::BaselineJIT;
// Any other tier running in the LLInt is a logic error.
359 dataLog("Unexpected code block in LLInt: ", *codeBlock, "\n");
360 RELEASE_ASSERT_NOT_REACHED();
// JIT-enabled entryOSR: decides whether a frame entering `codeBlock` should jump
// into JIT code instead of running in the LLInt. Returns (0, 0) to keep
// interpreting; otherwise the first slot carries the machine address to enter —
// the plain executable address for Prologue, or the MustCheckArity entry for
// ArityCheck. `name` is only used for verbose OSR logging.
// (The #if ENABLE(JIT) that selects this definition is not shown in this listing.)
365 static SlowPathReturnType entryOSR(ExecState* exec, Instruction*, CodeBlock* codeBlock, const char *name, EntryKind kind)
367 if (Options::verboseOSR()) {
369 *codeBlock, ": Entered ", name, " with executeCounter = ",
370 codeBlock->llintExecuteCounter(), "\n");
// Policy says never JIT this block: record that so the counters stop firing.
373 if (!shouldJIT(codeBlock)) {
374 codeBlock->dontJITAnytimeSoon();
375 LLINT_RETURN_TWO(0, 0);
377 if (!jitCompileAndSetHeuristics(codeBlock, exec))
378 LLINT_RETURN_TWO(0, 0);
380 CODEBLOCK_LOG_EVENT(codeBlock, "OSR entry", ("in prologue"));
382 if (kind == Prologue)
383 LLINT_RETURN_TWO(codeBlock->jitCode()->executableAddress(), 0);
384 ASSERT(kind == ArityCheck);
385 LLINT_RETURN_TWO(codeBlock->jitCode()->addressForCall(MustCheckArity).executableAddress(), 0);
// Non-JIT entryOSR: there is nothing to tier up to, so mark the block as never
// JIT-able and stay in the interpreter. Note that this variant returns `exec` in
// the second slot, unlike the (0, 0) of the JIT build's "keep interpreting" path;
// the LLInt side presumably treats the two the same — confirm in the asm.
388 static SlowPathReturnType entryOSR(ExecState* exec, Instruction*, CodeBlock* codeBlock, const char*, EntryKind)
390 codeBlock->dontJITAnytimeSoon();
391 LLINT_RETURN_TWO(0, exec);
393 #endif // ENABLE(JIT)
// OSR entry for non-function code: uses the frame's own code block.
395 LLINT_SLOW_PATH_DECL(entry_osr)
397 return entryOSR(exec, pc, exec->codeBlock(), "entry_osr", Prologue);
// OSR entry at a function's call prologue; the code block is looked up through the
// callee's executable rather than exec->codeBlock().
400 LLINT_SLOW_PATH_DECL(entry_osr_function_for_call)
402 return entryOSR(exec, pc, jsCast<JSFunction*>(exec->jsCallee())->jsExecutable()->codeBlockForCall(), "entry_osr_function_for_call", Prologue);
// OSR entry at a function's construct prologue (codeBlockForConstruct).
405 LLINT_SLOW_PATH_DECL(entry_osr_function_for_construct)
407 return entryOSR(exec, pc, jsCast<JSFunction*>(exec->jsCallee())->jsExecutable()->codeBlockForConstruct(), "entry_osr_function_for_construct", Prologue);
// OSR entry at the call arity check: requests the JIT's MustCheckArity entry.
410 LLINT_SLOW_PATH_DECL(entry_osr_function_for_call_arityCheck)
412 return entryOSR(exec, pc, jsCast<JSFunction*>(exec->jsCallee())->jsExecutable()->codeBlockForCall(), "entry_osr_function_for_call_arityCheck", ArityCheck);
// OSR entry at the construct arity check: requests the JIT's MustCheckArity entry.
415 LLINT_SLOW_PATH_DECL(entry_osr_function_for_construct_arityCheck)
417 return entryOSR(exec, pc, jsCast<JSFunction*>(exec->jsCallee())->jsExecutable()->codeBlockForConstruct(), "entry_osr_function_for_construct_arityCheck", ArityCheck);
// OSR at a loop back-edge. Returns (0, 0) to keep interpreting; otherwise returns
// the machine address that corresponds to the current bytecode offset together
// with exec->topOfFrame(), so the LLInt can jump into the middle of baseline code.
// The mapping from bytecode offset to machine offset comes from the code block's
// jitCodeMap(), searched by bytecode index.
// NOTE(review): the #if ENABLE(JIT)/#else split of this body is not shown; the
// last two lines are the non-JIT fallback.
420 LLINT_SLOW_PATH_DECL(loop_osr)
422 CodeBlock* codeBlock = exec->codeBlock();
425 if (Options::verboseOSR()) {
427 *codeBlock, ": Entered loop_osr with executeCounter = ",
428 codeBlock->llintExecuteCounter(), "\n");
431 unsigned loopOSREntryBytecodeOffset = pc - codeBlock->instructions().begin();
433 if (!shouldJIT(codeBlock)) {
434 codeBlock->dontJITAnytimeSoon();
435 LLINT_RETURN_TWO(0, 0);
// Compile with this loop head as the requested entry; bail if not ready yet.
438 if (!jitCompileAndSetHeuristics(codeBlock, exec, loopOSREntryBytecodeOffset))
439 LLINT_RETURN_TWO(0, 0);
441 CODEBLOCK_LOG_EVENT(codeBlock, "osrEntry", ("at bc#", pc - codeBlock->instructions().begin()));
443 ASSERT(codeBlock->jitType() == JITCode::BaselineJIT);
// The decoded map is sorted by bytecode index, which is what binarySearch relies on.
445 Vector<BytecodeAndMachineOffset> map;
446 codeBlock->jitCodeMap()->decode(map);
447 BytecodeAndMachineOffset* mapping = binarySearch<BytecodeAndMachineOffset, unsigned>(map, map.size(), pc - codeBlock->instructions().begin(), BytecodeAndMachineOffset::getBytecodeIndex);
// Every loop head must have an exact entry; a miss here would hand the LLInt a
// machine address for the wrong bytecode.
449 ASSERT(mapping->m_bytecodeIndex == static_cast<unsigned>(pc - codeBlock->instructions().begin()));
451 void* jumpTarget = codeBlock->jitCode()->executableAddressAtOffset(mapping->m_machineCodeOffset);
454 LLINT_RETURN_TWO(jumpTarget, exec->topOfFrame());
457 codeBlock->dontJITAnytimeSoon();
458 LLINT_RETURN_TWO(0, 0);
459 #endif // ENABLE(JIT)
// Triggered when the block's execute counter fires somewhere other than entry or a
// loop head: bumps heuristics and schedules compilation so the *next* entry can
// take JIT code, but never jumps out of the current frame (the return value of
// jitCompileAndSetHeuristics is deliberately ignored).
// NOTE(review): the #if ENABLE(JIT)/#else split and the LLINT_END_IMPL() of this
// body are not shown; the last line is the non-JIT fallback.
462 LLINT_SLOW_PATH_DECL(replace)
464 CodeBlock* codeBlock = exec->codeBlock();
467 if (Options::verboseOSR()) {
469 *codeBlock, ": Entered replace with executeCounter = ",
470 codeBlock->llintExecuteCounter(), "\n");
473 if (shouldJIT(codeBlock))
474 jitCompileAndSetHeuristics(codeBlock, exec);
476 codeBlock->dontJITAnytimeSoon();
479 codeBlock->dontJITAnytimeSoon();
481 #endif // ENABLE(JIT)
// Slow path for the stack-height check in a prologue. The callee frame (`exec`)
// is not yet established at this point, so the tracer is installed for the
// *caller* frame and any StackOverflowError is thrown from the caller's
// perspective. Returns (pc, 0) if the stack can be made large enough for
// exec->topOfFrame(); otherwise throws and returns (returnToThrow pc, exec).
// NOTE(review): `vm` is bound on a line not shown in this listing, and the
// conditional-compilation directives around the growable-stack branch are also
// omitted; the comment below says that branch only applies to non-JIT builds.
484 LLINT_SLOW_PATH_DECL(stack_check)
487 auto throwScope = DECLARE_THROW_SCOPE(vm);
489 EntryFrame* topEntryFrame = vm.topEntryFrame;
490 CallFrame* callerFrame = exec->callerFrame(topEntryFrame);
// topEntryFrame is re-read after callerFrame() because that call can update it.
493 topEntryFrame = vm.topEntryFrame;
495 NativeCallFrameTracerWithRestore tracer(&vm, topEntryFrame, callerFrame);
497 LLINT_SET_PC_FOR_STUBS();
499 #if LLINT_SLOW_PATH_TRACING
500 dataLogF("Checking stack height with exec = %p.\n", exec);
501 dataLog("CodeBlock = ", *exec->codeBlock(), "\n");
502 dataLogF("Num callee registers = %u.\n", exec->codeBlock()->m_numCalleeLocals);
503 dataLogF("Num vars = %u.\n", exec->codeBlock()->m_numVars);
505 dataLogF("Current OS stack end is at %p.\n", vm.softStackLimit());
507 dataLogF("Current C Loop stack end is at %p.\n", vm.cloopStackLimit());
511 // If the stack check succeeds and we don't need to throw the error, then
512 // we'll return 0 instead. The prologue will check for a non-zero value
513 // when determining whether to set the callFrame or not.
515 // For JIT enabled builds which uses the C stack, the stack is not growable.
516 // Hence, if we get here, then we know a stack overflow is imminent. So, just
517 // throw the StackOverflowError unconditionally.
// Growable-stack path: the frame's top must lie below the frame base (the stack
// grows downward), and the VM must be able to extend capacity to cover it.
519 Register* topOfFrame = exec->topOfFrame();
520 if (LIKELY(topOfFrame < reinterpret_cast<Register*>(exec))) {
521 ASSERT(!vm.interpreter->cloopStack().containsAddress(topOfFrame));
522 if (LIKELY(vm.ensureStackCapacityFor(topOfFrame)))
523 LLINT_RETURN_TWO(pc, 0);
// Overflow: throw on the caller frame (the callee frame is unusable) inside an
// ErrorHandlingScope, which gives error creation some extra stack headroom.
527 ErrorHandlingScope errorScope(vm);
528 throwStackOverflowError(callerFrame, throwScope);
529 pc = returnToThrow(callerFrame);
530 LLINT_RETURN_TWO(pc, exec);
// op_new_object: allocates an empty object with the structure recorded in the
// instruction's allocation profile (pc[3]) and stores it in the destination.
533 LLINT_SLOW_PATH_DECL(slow_path_new_object)
536 LLINT_RETURN(constructEmptyObject(exec, pc[3].u.objectAllocationProfile->structure()));
// op_new_array: builds an array from pc[3] consecutive registers starting at
// LLINT_OP(2). "NegativeIndexed" refers to the register-file layout the helper
// expects; the registers are passed as a JSValue* view of the register slot.
539 LLINT_SLOW_PATH_DECL(slow_path_new_array)
542 LLINT_RETURN(constructArrayNegativeIndexed(exec, pc[4].u.arrayAllocationProfile, bitwise_cast<JSValue*>(&LLINT_OP(2)), pc[3].u.operand));
// op_new_array_with_size: `new Array(n)` semantics — the "Quirk" helper handles
// the single-argument length case (and throws for an invalid length), with the
// size taken from the register named by operand 2.
545 LLINT_SLOW_PATH_DECL(slow_path_new_array_with_size)
548 LLINT_RETURN(constructArrayWithSizeQuirk(exec, pc[3].u.arrayAllocationProfile, exec->lexicalGlobalObject(), LLINT_OP_C(2).jsValue()));
// op_new_regexp: wraps the code block's pre-parsed RegExp (index pc[2]) in a
// RegExpObject. The pattern was validated at bytecode generation time, hence the
// debug-only assertion rather than a runtime check.
551 LLINT_SLOW_PATH_DECL(slow_path_new_regexp)
554 RegExp* regExp = exec->codeBlock()->regexp(pc[2].u.operand);
555 ASSERT(regExp->isValid());
556 LLINT_RETURN(RegExpObject::create(vm, exec->lexicalGlobalObject()->regExpStructure(), regExp));
// op_instanceof: the default (prototype-chain walk) semantics, operands being the
// value tested (2) and the constructor's prototype (3). Any exception raised by the
// walk is picked up by LLINT_RETURN's exception check.
559 LLINT_SLOW_PATH_DECL(slow_path_instanceof)
562 JSValue value = LLINT_OP_C(2).jsValue();
563 JSValue proto = LLINT_OP_C(3).jsValue();
564 LLINT_RETURN(jsBoolean(JSObject::defaultHasInstance(exec, value, proto)));
// op_instanceof_custom: `value instanceof constructor` when a non-default
// Symbol.hasInstance may be involved; operand 4 carries the hasInstance value the
// bytecode already looked up. The assertions record the invariant the bytecode
// generator guarantees: the constructor is an object, and this path is only taken
// when the hasInstance value is not the default Function.prototype[@@hasInstance]
// or the constructor's structure does not implement default hasInstance.
567 LLINT_SLOW_PATH_DECL(slow_path_instanceof_custom)
571 JSValue value = LLINT_OP_C(2).jsValue();
572 JSValue constructor = LLINT_OP_C(3).jsValue();
573 JSValue hasInstanceValue = LLINT_OP_C(4).jsValue();
575 ASSERT(constructor.isObject());
576 ASSERT(hasInstanceValue != exec->lexicalGlobalObject()->functionProtoHasInstanceSymbolFunction() || !constructor.getObject()->structure()->typeInfo().implementsDefaultHasInstance());
578 JSValue result = jsBoolean(constructor.getObject()->hasInstance(exec, value, hasInstanceValue));
579 LLINT_RETURN(result);
// op_try_get_by_id: a side-effect-free lookup used by builtins. The slot is opened
// with InternalMethodType::VMInquiry and read via getPureResult(), so getters are
// not invoked; the result (or undefined) is stored and value-profiled.
582 LLINT_SLOW_PATH_DECL(slow_path_try_get_by_id)
585 CodeBlock* codeBlock = exec->codeBlock();
586 const Identifier& ident = codeBlock->identifier(pc[3].u.operand);
587 JSValue baseValue = LLINT_OP_C(2).jsValue();
588 PropertySlot slot(baseValue, PropertySlot::PropertySlot::InternalMethodType::VMInquiry);
590 baseValue.getPropertySlot(exec, ident, slot);
591 JSValue result = slot.getPureResult();
593 LLINT_RETURN_PROFILED(op_try_get_by_id, result);
// Converts an op_get_by_id site whose lookup resolved on the prototype chain (or
// missed entirely) into the cached op_get_by_id_proto_load / op_get_by_id_unset
// forms. Every structure on the path is guarded by an adaptive watchpoint
// registered in the code block's llintGetByIdWatchpointMap; those watchpoints are
// what keep the structure id, offset and raw slotBase pointer written into the
// instruction stream sound. Several short early-return lines of this function are
// not shown in this listing.
// Params: baseCell is the receiver, `slot` the already-resolved lookup, `ident`
// the property being cached.
596 static void setupGetByIdPrototypeCache(ExecState* exec, VM& vm, Instruction* pc, JSCell* baseCell, PropertySlot& slot, const Identifier& ident)
598 CodeBlock* codeBlock = exec->codeBlock();
599 Structure* structure = baseCell->structure();
// Refuse to cache when the structure says so, or when the object has impure
// properties (results could change without a structure transition).
601 if (structure->typeInfo().prohibitsPropertyCaching())
604 if (structure->needImpurePropertyWatchpoint())
// Dictionary structures are flattened once so they can be watched; a structure
// that was already flattened before is not cached again.
607 if (structure->isDictionary()) {
608 if (structure->hasBeenFlattenedBefore())
610 structure->flattenDictionaryStructure(vm, jsCast<JSObject*>(baseCell));
// The condition set is "property absent on the whole chain" for a miss, or
// "absent up to slotBase, present on slotBase" for a prototype hit (the
// `if (slot.isUnset())` selecting between them is not shown here).
613 ObjectPropertyConditionSet conditions;
615 conditions = generateConditionsForPropertyMiss(vm, codeBlock, exec, structure, ident.impl());
617 conditions = generateConditionsForPrototypePropertyHit(vm, codeBlock, exec, structure, slot.slotBase(), ident.impl());
619 if (!conditions.isValid())
// Install one watchpoint per condition; the Presence condition also yields the
// offset the fast path will load from.
622 PropertyOffset offset = invalidOffset;
623 CodeBlock::StructureWatchpointMap& watchpointMap = codeBlock->llintGetByIdWatchpointMap();
624 auto result = watchpointMap.add(structure, Bag<LLIntPrototypeLoadAdaptiveStructureWatchpoint>());
625 for (ObjectPropertyCondition condition : conditions) {
626 if (!condition.isWatchable())
628 if (condition.condition().kind() == PropertyCondition::Presence)
629 offset = condition.condition().offset();
630 result.iterator->value.add(condition, pc)->install();
632 ASSERT((offset == invalidOffset) == slot.isUnset());
// The instruction words are rewritten under the code block's lock; opcode first,
// then the operands the new opcode reads.
634 ConcurrentJSLocker locker(codeBlock->m_lock);
636 if (slot.isUnset()) {
637 pc[0].u.opcode = LLInt::getOpcode(op_get_by_id_unset);
638 pc[4].u.structureID = structure->id();
641 ASSERT(slot.isValue());
643 pc[0].u.opcode = LLInt::getOpcode(op_get_by_id_proto_load);
644 pc[4].u.structureID = structure->id();
645 pc[5].u.operand = offset;
646 // We know that this pointer will remain valid because it will be cleared by either a watchpoint fire or
647 // during GC when we clear the LLInt caches.
648 pc[6].u.pointer = slot.slotBase();
// Slow path for op_get_by_id and its cached variants: performs the generic lookup,
// stores the result, and then tries to rewrite the instruction into one of the
// LLInt inline-cache forms — self-property cache (structure id in pc[4], offset in
// pc[5]), op_get_array_length for `length` on a JSArray, or the prototype-chain
// forms set up by setupGetByIdPrototypeCache() once the pc[7] countdown expires.
// NOTE(review): several short lines are not shown in this listing, including the
// statements under the two "Prevent the prototype cache" comments and LLINT_END.
652 LLINT_SLOW_PATH_DECL(slow_path_get_by_id)
655 CodeBlock* codeBlock = exec->codeBlock();
656 const Identifier& ident = codeBlock->identifier(pc[3].u.operand);
657 JSValue baseValue = LLINT_OP_C(2).jsValue();
658 PropertySlot slot(baseValue, PropertySlot::PropertySlot::InternalMethodType::Get);
// The result is committed to the destination before any cache work, so a cache
// attempt that bails out still leaves the correct value behind.
660 JSValue result = baseValue.get(exec, ident, slot);
661 LLINT_CHECK_EXCEPTION();
662 LLINT_OP(1) = result;
664 if (!LLINT_ALWAYS_ACCESS_SLOW
665 && baseValue.isCell()
666 && slot.isCacheable()) {
// Poly-proto detection: if this site already cached a structure and
// Structure::shouldConvertToPolyProto() holds for the old/new pair, fire the
// shared watchpoint so both structures stop relying on a fixed prototype.
669 StructureID oldStructureID = pc[4].u.structureID;
670 if (oldStructureID) {
671 auto opcode = Interpreter::getOpcodeID(pc[0]);
672 if (opcode == op_get_by_id
673 || opcode == op_get_by_id_unset
674 || opcode == op_get_by_id_proto_load) {
675 Structure* a = vm.heap.structureIDTable().get(oldStructureID);
676 Structure* b = baseValue.asCell()->structure(vm);
678 if (Structure::shouldConvertToPolyProto(a, b)) {
679 ASSERT(a->rareData()->sharedPolyProtoWatchpoint().get() == b->rareData()->sharedPolyProtoWatchpoint().get());
680 a->rareData()->sharedPolyProtoWatchpoint()->invalidate(vm, StringFireDetail("Detected poly proto opportunity."));
686 JSCell* baseCell = baseValue.asCell();
687 Structure* structure = baseCell->structure();
// Own-property hit: reset the site to plain op_get_by_id with no cache first, so
// a structure that fails the checks below leaves nothing stale behind.
688 if (slot.isValue() && slot.slotBase() == baseValue) {
689 // Start out by clearing out the old cache.
690 pc[0].u.opcode = LLInt::getOpcode(op_get_by_id);
691 pc[4].u.pointer = nullptr; // old structure
692 pc[5].u.pointer = nullptr; // offset
694 // Prevent the prototype cache from ever happening.
// The write barrier runs before a structure id is stored into the code block's
// instruction stream; the lock orders the two operand writes against readers
// (presumably the concurrent JIT) — confirm.
697 if (structure->propertyAccessesAreCacheable()
698 && !structure->needImpurePropertyWatchpoint()) {
699 vm.heap.writeBarrier(codeBlock);
701 ConcurrentJSLocker locker(codeBlock->m_lock);
703 pc[4].u.structureID = structure->id();
704 pc[5].u.operand = slot.cachedOffset();
// Prototype hit or miss: only build the (more expensive) prototype-chain cache
// after the site has decremented pc[7] to zero.
706 } else if (UNLIKELY(pc[7].u.operand && (slot.isValue() || slot.isUnset()))) {
707 ASSERT(slot.slotBase() != baseValue);
709 if (!(--pc[7].u.operand))
710 setupGetByIdPrototypeCache(exec, vm, pc, baseCell, slot, ident);
// `array.length` on a real JSArray gets its own opcode; the array profile is keyed
// by bytecode offset so later tiers see the observed structures.
712 } else if (!LLINT_ALWAYS_ACCESS_SLOW
713 && isJSArray(baseValue)
714 && ident == vm.propertyNames->length) {
715 pc[0].u.opcode = LLInt::getOpcode(op_get_array_length);
716 ArrayProfile* arrayProfile = codeBlock->getOrAddArrayProfile(pc - codeBlock->instructions().begin());
717 arrayProfile->observeStructure(baseValue.asCell()->structure());
718 pc[4].u.arrayProfile = arrayProfile;
720 // Prevent the prototype cache from ever happening.
// Value profile bucket sits in the instruction's last word.
724 pc[OPCODE_LENGTH(op_get_by_id) - 1].u.profile->m_buckets[0] = JSValue::encode(result);
// Slow path for reading `arguments.length` when the fast path cannot: a plain
// property get of the identifier at pc[3] on the register named by operand 2, with
// no caching.
728 LLINT_SLOW_PATH_DECL(slow_path_get_arguments_length)
731 CodeBlock* codeBlock = exec->codeBlock();
732 const Identifier& ident = codeBlock->identifier(pc[3].u.operand);
733 JSValue baseValue = LLINT_OP(2).jsValue();
734 PropertySlot slot(baseValue, PropertySlot::InternalMethodType::Get);
735 LLINT_RETURN(baseValue.get(exec, ident, slot));
// Slow path for op_put_by_id: performs the store (putDirect when the
// PutByIdIsDirect flag is set, otherwise the generic put), then tries to populate
// the inline cache: pc[4] old structure, pc[5] offset, pc[6] new structure for a
// transition, pc[7] the prototype chain the transition was validated against, and
// pc[8] the flags. The store itself always completes before any caching.
// NOTE(review): several short lines are not shown in this listing (the `else`
// between the two put forms, closing braces, the body of the NewProperty branch in
// the poly-proto check, the LLINT_END).
738 LLINT_SLOW_PATH_DECL(slow_path_put_by_id)
741 CodeBlock* codeBlock = exec->codeBlock();
742 const Identifier& ident = codeBlock->identifier(pc[2].u.operand);
744 JSValue baseValue = LLINT_OP_C(1).jsValue();
745 PutPropertySlot slot(baseValue, codeBlock->isStrictMode(), codeBlock->putByIdContext());
// Direct puts skip setters/proxies on the prototype chain; asObject() is safe here
// only because the bytecode generator emits the direct flag for object literals.
746 if (pc[8].u.putByIdFlags & PutByIdIsDirect)
747 asObject(baseValue)->putDirect(vm, ident, LLINT_OP_C(3).jsValue(), slot);
749 baseValue.putInline(exec, ident, LLINT_OP_C(3).jsValue(), slot);
750 LLINT_CHECK_EXCEPTION();
752 if (!LLINT_ALWAYS_ACCESS_SLOW
753 && baseValue.isCell()
754 && slot.isCacheablePut()) {
// Poly-proto detection against the previously cached structure. For a
// NewProperty put the comparison presumably uses the pre-transition structure
// (the statement under that `if` is not shown here).
758 StructureID oldStructureID = pc[4].u.structureID;
759 if (oldStructureID) {
760 Structure* a = vm.heap.structureIDTable().get(oldStructureID);
761 Structure* b = baseValue.asCell()->structure(vm);
762 if (slot.type() == PutPropertySlot::NewProperty)
765 if (Structure::shouldConvertToPolyProto(a, b)) {
766 a->rareData()->sharedPolyProtoWatchpoint()->invalidate(vm, StringFireDetail("Detected poly proto opportunity."));
767 b->rareData()->sharedPolyProtoWatchpoint()->invalidate(vm, StringFireDetail("Detected poly proto opportunity."));
// Clear every cache word first so a bail-out below leaves nothing stale; only the
// persistent flag bits survive.
772 // Start out by clearing out the old cache.
773 pc[4].u.pointer = nullptr; // old structure
774 pc[5].u.pointer = nullptr; // offset
775 pc[6].u.pointer = nullptr; // new structure
776 pc[7].u.pointer = nullptr; // structure chain
777 pc[8].u.putByIdFlags =
778 static_cast<PutByIdFlags>(pc[8].u.putByIdFlags & PutByIdPersistentFlagsMask);
780 JSCell* baseCell = baseValue.asCell();
781 Structure* structure = baseCell->structure();
// Cache only for puts that landed on the receiver itself with a cacheable,
// non-uncacheable-dictionary structure.
783 if (!structure->isUncacheableDictionary()
784 && !structure->typeInfo().prohibitsPropertyCaching()
785 && baseCell == slot.base()) {
787 vm.heap.writeBarrier(codeBlock);
// Transition case: the structure already moved from previousID() to `structure`.
// It is cached only if the out-of-line capacity did not change (so the fast path
// never has to grow the property storage) and the prototype chain normalizes
// without poly proto.
789 if (slot.type() == PutPropertySlot::NewProperty) {
790 GCSafeConcurrentJSLocker locker(codeBlock->m_lock, vm.heap);
792 if (!structure->isDictionary() && structure->previousID()->outOfLineCapacity() == structure->outOfLineCapacity()) {
793 ASSERT(structure->previousID()->transitionWatchpointSetHasBeenInvalidated());
795 bool sawPolyProto = false;
796 auto result = normalizePrototypeChain(exec, baseCell, sawPolyProto);
797 if (result != InvalidPrototypeChain && !sawPolyProto) {
798 ASSERT(structure->previousID()->isObject());
799 pc[4].u.structureID = structure->previousID()->id();
800 pc[5].u.operand = slot.cachedOffset();
801 pc[6].u.structureID = structure->id();
// Non-direct puts must re-validate the prototype chain on the fast path (a
// setter could have appeared), so the chain is recorded with a write barrier.
802 if (!(pc[8].u.putByIdFlags & PutByIdIsDirect)) {
803 StructureChain* chain = structure->prototypeChain(exec, asObject(baseCell));
805 pc[7].u.structureChain.set(vm, codeBlock, chain);
807 pc[8].u.putByIdFlags = static_cast<PutByIdFlags>(
808 pc[8].u.putByIdFlags |
809 structure->inferredTypeDescriptorFor(ident.impl()).putByIdFlags());
// Replacement case: same structure before and after; record that the offset was
// cached so future replacements at this offset can invalidate it.
813 structure->didCachePropertyReplacement(vm, slot.cachedOffset());
814 pc[4].u.structureID = structure->id();
815 pc[5].u.operand = slot.cachedOffset();
816 pc[8].u.putByIdFlags = static_cast<PutByIdFlags>(
817 pc[8].u.putByIdFlags |
818 structure->inferredTypeDescriptorFor(ident.impl()).putByIdFlags());
// op_del_by_id: `delete base[ident]`. The base is coerced with toObject (may throw
// on null/undefined), the deletion goes through the object's method table, and a
// failed delete raises a TypeError only in strict mode; otherwise the boolean
// outcome is returned.
826 LLINT_SLOW_PATH_DECL(slow_path_del_by_id)
829 CodeBlock* codeBlock = exec->codeBlock();
830 JSObject* baseObject = LLINT_OP_C(2).jsValue().toObject(exec);
831 LLINT_CHECK_EXCEPTION();
832 bool couldDelete = baseObject->methodTable(vm)->deleteProperty(baseObject, exec, codeBlock->identifier(pc[3].u.operand));
833 LLINT_CHECK_EXCEPTION();
834 if (!couldDelete && codeBlock->isStrictMode())
835 LLINT_THROW(createTypeError(exec, UnableToDeletePropertyError));
836 LLINT_RETURN(jsBoolean(couldDelete));
// Generic `base[subscript]` used by slow_path_get_by_val. Fast paths, in order:
// a string subscript that is already an atomic string looked up directly on the
// cell's own properties (when the structure allows it); a uint32 subscript read
// as a string index or via JSValue::get(exec, i); then the general path, which
// requires an object-coercible base and converts the subscript to a property key,
// checking the throw scope after each step that can run user code.
// Returns JSValue() (empty) on exception. The early `return result;` inside the
// fast own-property branch is not shown in this listing.
839 static ALWAYS_INLINE JSValue getByVal(VM& vm, ExecState* exec, JSValue baseValue, JSValue subscript)
841 auto scope = DECLARE_THROW_SCOPE(vm);
843 if (LIKELY(baseValue.isCell() && subscript.isString())) {
844 Structure& structure = *baseValue.asCell()->structure(vm);
845 if (JSCell::canUseFastGetOwnProperty(structure)) {
846 if (RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec)) {
847 if (JSValue result = baseValue.asCell()->fastGetOwnProperty(vm, structure, existingAtomicString.get()))
853 if (subscript.isUInt32()) {
854 uint32_t i = subscript.asUInt32();
855 if (isJSString(baseValue) && asString(baseValue)->canGetIndex(i)) {
857 return asString(baseValue)->getIndex(exec, i);
860 return baseValue.get(exec, i);
// General path: requireObjectCoercible() rejects null/undefined with a TypeError
// before toPropertyKey() can run user toString/valueOf code.
863 baseValue.requireObjectCoercible(exec);
864 RETURN_IF_EXCEPTION(scope, JSValue());
865 auto property = subscript.toPropertyKey(exec);
866 RETURN_IF_EXCEPTION(scope, JSValue());
868 return baseValue.get(exec, property);
// op_get_by_val: delegates to getByVal() and value-profiles the result; the
// exception check inside LLINT_RETURN_PROFILED handles the empty-on-throw return.
871 LLINT_SLOW_PATH_DECL(slow_path_get_by_val)
874 LLINT_RETURN_PROFILED(op_get_by_val, getByVal(vm, exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(3).jsValue()));
// op_put_by_val: `base[subscript] = value` with the frame's strictness. For a
// uint32 subscript on an object, setIndexQuickly is used only when the object says
// it can take the index without reallocation or side effects; otherwise the
// method-table putByIndex runs. Non-object bases go through JSValue::putByIndex.
// For any other subscript the key is computed first and the put is skipped if that
// conversion threw. The `else` lines and LLINT_END are not shown in this listing.
877 LLINT_SLOW_PATH_DECL(slow_path_put_by_val)
881 JSValue baseValue = LLINT_OP_C(1).jsValue();
882 JSValue subscript = LLINT_OP_C(2).jsValue();
883 JSValue value = LLINT_OP_C(3).jsValue();
884 bool isStrictMode = exec->codeBlock()->isStrictMode();
886 if (LIKELY(subscript.isUInt32())) {
887 uint32_t i = subscript.asUInt32();
888 if (baseValue.isObject()) {
889 JSObject* object = asObject(baseValue);
890 if (object->canSetIndexQuickly(i))
891 object->setIndexQuickly(vm, i, value);
893 object->methodTable(vm)->putByIndex(object, exec, i, value, isStrictMode);
896 baseValue.putByIndex(exec, i, value, isStrictMode);
900 auto property = subscript.toPropertyKey(exec);
901 LLINT_CHECK_EXCEPTION();
902 PutPropertySlot slot(baseValue, isStrictMode);
903 baseValue.put(exec, property, value, slot);
// op_put_by_val_direct: defines `base[subscript]` directly on the object (object
// literal / class field initialisation), bypassing setters on the prototype chain.
// The base being an object is a RELEASE_ASSERT, not a debug assertion, because
// asObject() is otherwise unchecked. Index handling: an int32 subscript is always
// an index; a double is treated as an index only if it round-trips exactly through
// uint32 and passes isIndex(), so negative, fractional or >= 2^32 values fall
// through to the property-key path instead of being truncated; any other subscript
// is converted to a key, and the put is skipped if that conversion threw.
// Short lines (closing braces, `return`s, LLINT_END) are not shown in this listing.
907 LLINT_SLOW_PATH_DECL(slow_path_put_by_val_direct)
911 JSValue baseValue = LLINT_OP_C(1).jsValue();
912 JSValue subscript = LLINT_OP_C(2).jsValue();
913 JSValue value = LLINT_OP_C(3).jsValue();
914 RELEASE_ASSERT(baseValue.isObject());
915 JSObject* baseObject = asObject(baseValue);
916 bool isStrictMode = exec->codeBlock()->isStrictMode();
917 if (LIKELY(subscript.isUInt32())) {
918 // Despite its name, JSValue::isUInt32 will return true only for positive boxed int32_t; all those values are valid array indices.
919 ASSERT(isIndex(subscript.asUInt32()));
920 baseObject->putDirectIndex(exec, subscript.asUInt32(), value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
924 if (subscript.isDouble()) {
925 double subscriptAsDouble = subscript.asDouble();
926 uint32_t subscriptAsUInt32 = static_cast<uint32_t>(subscriptAsDouble);
927 if (subscriptAsDouble == subscriptAsUInt32 && isIndex(subscriptAsUInt32)) {
928 baseObject->putDirectIndex(exec, subscriptAsUInt32, value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
933 // Don't put to an object if toString threw an exception.
934 auto property = subscript.toPropertyKey(exec);
935 if (UNLIKELY(throwScope.exception()))
// A key that spells an array index (e.g. "3") is still stored as an index so the
// object's indexed storage and named storage never disagree.
938 if (std::optional<uint32_t> index = parseIndex(property))
939 baseObject->putDirectIndex(exec, index.value(), value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
941 PutPropertySlot slot(baseObject, isStrictMode);
942 baseObject->putDirect(vm, property, value, slot);
// op_del_by_val: `delete base[subscript]`. The base is coerced with toObject (may
// throw); a subscript that is a uint32 deletes by index, anything else is converted
// to a property key first (also may throw). As with del_by_id, a failed delete is
// a TypeError only in strict mode. The declarations of `couldDelete`/`i` and the
// `else` are not shown in this listing.
947 LLINT_SLOW_PATH_DECL(slow_path_del_by_val)
950 JSValue baseValue = LLINT_OP_C(2).jsValue();
951 JSObject* baseObject = baseValue.toObject(exec);
952 LLINT_CHECK_EXCEPTION();
954 JSValue subscript = LLINT_OP_C(3).jsValue();
959 if (subscript.getUInt32(i))
960 couldDelete = baseObject->methodTable(vm)->deletePropertyByIndex(baseObject, exec, i);
962 LLINT_CHECK_EXCEPTION();
963 auto property = subscript.toPropertyKey(exec);
964 LLINT_CHECK_EXCEPTION();
965 couldDelete = baseObject->methodTable(vm)->deleteProperty(baseObject, exec, property);
967 LLINT_CHECK_EXCEPTION();
969 if (!couldDelete && exec->codeBlock()->isStrictMode())
970 LLINT_THROW(createTypeError(exec, UnableToDeletePropertyError));
972 LLINT_RETURN(jsBoolean(couldDelete));
// op_put_by_index: stores operand 3 at the constant index pc[2] of the array in
// operand 1 (array literal construction). The base is asserted — debug only — to
// be a JSArray because asArray() performs no runtime check.
975 LLINT_SLOW_PATH_DECL(slow_path_put_by_index)
978 JSValue arrayValue = LLINT_OP_C(1).jsValue();
979 ASSERT(isJSArray(arrayValue));
980 asArray(arrayValue)->putDirectIndex(exec, pc[2].u.operand, LLINT_OP_C(3).jsValue());
// op_put_getter_by_id: defines an accessor getter named by the identifier at
// pc[2] on the object in operand 1, with property attributes from pc[3]. Both the
// base and the getter are asserted (debug only) to be objects; the bytecode
// generator is relied on for that.
984 LLINT_SLOW_PATH_DECL(slow_path_put_getter_by_id)
987 ASSERT(LLINT_OP(1).jsValue().isObject());
988 JSObject* baseObj = asObject(LLINT_OP(1).jsValue());
990 unsigned options = pc[3].u.operand;
992 JSValue getter = LLINT_OP(4).jsValue();
993 ASSERT(getter.isObject());
995 baseObj->putGetter(exec, exec->codeBlock()->identifier(pc[2].u.operand), asObject(getter), options);
// op_put_setter_by_id: the setter counterpart of slow_path_put_getter_by_id, same
// operand layout (base 1, identifier pc[2], attributes pc[3], setter 4).
999 LLINT_SLOW_PATH_DECL(slow_path_put_setter_by_id)
1002 ASSERT(LLINT_OP(1).jsValue().isObject());
1003 JSObject* baseObj = asObject(LLINT_OP(1).jsValue());
1005 unsigned options = pc[3].u.operand;
1007 JSValue setter = LLINT_OP(4).jsValue();
1008 ASSERT(setter.isObject());
1010 baseObj->putSetter(exec, exec->codeBlock()->identifier(pc[2].u.operand), asObject(setter), options);
// op_put_getter_setter_by_id: installs a single GetterSetter cell holding
// whichever of getter (operand 4) / setter (operand 5) is not undefined, under the
// identifier at pc[2] with attributes pc[3]. At least one of the two must be an
// object (asserted, debug only). The exception check after GetterSetter::create
// covers allocation failure paths; the `vm,` argument line of putDirectAccessor is
// not shown in this listing.
1014 LLINT_SLOW_PATH_DECL(slow_path_put_getter_setter_by_id)
1017 ASSERT(LLINT_OP(1).jsValue().isObject());
1018 JSObject* baseObj = asObject(LLINT_OP(1).jsValue());
1020 GetterSetter* accessor = GetterSetter::create(vm, exec->lexicalGlobalObject());
1021 LLINT_CHECK_EXCEPTION();
1023 JSValue getter = LLINT_OP(4).jsValue();
1024 JSValue setter = LLINT_OP(5).jsValue();
1025 ASSERT(getter.isObject() || getter.isUndefined());
1026 ASSERT(setter.isObject() || setter.isUndefined());
1027 ASSERT(getter.isObject() || setter.isObject());
1029 if (!getter.isUndefined())
1030 accessor->setGetter(vm, exec->lexicalGlobalObject(), asObject(getter));
1031 if (!setter.isUndefined())
1032 accessor->setSetter(vm, exec->lexicalGlobalObject(), asObject(setter));
1033 baseObj->putDirectAccessor(
1035 exec->codeBlock()->identifier(pc[2].u.operand),
1036 accessor, pc[3].u.operand);
// Slow path for op_put_getter_by_val: like the by_id form, but the property
// name comes from the subscript value in LLINT_OP_C(2), converted with
// toPropertyKey. The exception check sits directly after that conversion and
// before the object is touched.
// NOTE(review): converting an arbitrary subscript to a property key can
// re-enter script (ToPrimitive); the ordering here keeps such re-entry ahead
// of the mutation -- confirm that is the intent.
1040 LLINT_SLOW_PATH_DECL(slow_path_put_getter_by_val)
1043 ASSERT(LLINT_OP(1).jsValue().isObject());
1044 JSObject* baseObj = asObject(LLINT_OP(1).jsValue());
1045 JSValue subscript = LLINT_OP_C(2).jsValue();
1047 unsigned options = pc[3].u.operand;
1049 JSValue getter = LLINT_OP(4).jsValue();
1050 ASSERT(getter.isObject());
1052 auto property = subscript.toPropertyKey(exec);
1053 LLINT_CHECK_EXCEPTION();
1055 baseObj->putGetter(exec, property, asObject(getter), options);
// Slow path for op_put_setter_by_val: mirror of slow_path_put_getter_by_val
// for setters. Subscript in LLINT_OP_C(2) is converted with toPropertyKey
// (exception-checked) before the setter in LLINT_OP(4) is installed.
1059 LLINT_SLOW_PATH_DECL(slow_path_put_setter_by_val)
1062 ASSERT(LLINT_OP(1).jsValue().isObject());
1063 JSObject* baseObj = asObject(LLINT_OP(1).jsValue());
1064 JSValue subscript = LLINT_OP_C(2).jsValue();
1066 unsigned options = pc[3].u.operand;
1068 JSValue setter = LLINT_OP(4).jsValue();
1069 ASSERT(setter.isObject());
1071 auto property = subscript.toPropertyKey(exec);
1072 LLINT_CHECK_EXCEPTION();
1074 baseObj->putSetter(exec, property, asObject(setter), options);
// Conditional-jump slow paths. Each evaluates its condition on the operand
// value(s) and hands the outcome to LLINT_BRANCH together with the opcode,
// which resolves the jump target. The "greater" family reuses jsLess /
// jsLessEq with the operands swapped (and the <false> template argument), so
// a < b and b > a share one comparison routine; the jn* forms are plain
// negations of their counterparts.
1078 LLINT_SLOW_PATH_DECL(slow_path_jtrue)
1081 LLINT_BRANCH(op_jtrue, LLINT_OP_C(1).jsValue().toBoolean(exec));
1084 LLINT_SLOW_PATH_DECL(slow_path_jfalse)
1087 LLINT_BRANCH(op_jfalse, !LLINT_OP_C(1).jsValue().toBoolean(exec));
1090 LLINT_SLOW_PATH_DECL(slow_path_jless)
1093 LLINT_BRANCH(op_jless, jsLess<true>(exec, LLINT_OP_C(1).jsValue(), LLINT_OP_C(2).jsValue()));
1096 LLINT_SLOW_PATH_DECL(slow_path_jnless)
1099 LLINT_BRANCH(op_jnless, !jsLess<true>(exec, LLINT_OP_C(1).jsValue(), LLINT_OP_C(2).jsValue()));
1102 LLINT_SLOW_PATH_DECL(slow_path_jgreater)
1105 LLINT_BRANCH(op_jgreater, jsLess<false>(exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(1).jsValue()));
1108 LLINT_SLOW_PATH_DECL(slow_path_jngreater)
1111 LLINT_BRANCH(op_jngreater, !jsLess<false>(exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(1).jsValue()));
1114 LLINT_SLOW_PATH_DECL(slow_path_jlesseq)
1117 LLINT_BRANCH(op_jlesseq, jsLessEq<true>(exec, LLINT_OP_C(1).jsValue(), LLINT_OP_C(2).jsValue()));
1120 LLINT_SLOW_PATH_DECL(slow_path_jnlesseq)
1123 LLINT_BRANCH(op_jnlesseq, !jsLessEq<true>(exec, LLINT_OP_C(1).jsValue(), LLINT_OP_C(2).jsValue()));
1126 LLINT_SLOW_PATH_DECL(slow_path_jgreatereq)
1129 LLINT_BRANCH(op_jgreatereq, jsLessEq<false>(exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(1).jsValue()));
1132 LLINT_SLOW_PATH_DECL(slow_path_jngreatereq)
1135 LLINT_BRANCH(op_jngreatereq, !jsLessEq<false>(exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(1).jsValue()));
// Slow path for op_switch_imm: the scrutinee in LLINT_OP_C(3) is a double
// here (ASSERTed). If it is an exact integer the jump table pc[1] is consulted
// with it; otherwise the default offset pc[2] is taken.
1138 LLINT_SLOW_PATH_DECL(slow_path_switch_imm)
1141 JSValue scrutinee = LLINT_OP_C(3).jsValue();
1142 ASSERT(scrutinee.isDouble());
1143 double value = scrutinee.asDouble();
// NOTE(review): static_cast<int32_t> of a double outside int32 range (or NaN)
// is undefined behaviour in ISO C++; the equality test below then decides the
// branch from whatever the toolchain produced. If out-of-range scrutinees can
// reach this slow path, an explicit range check before the cast would make
// the default-branch choice well-defined -- confirm against the fast path.
1144 int32_t intValue = static_cast<int32_t>(value);
1145 int defaultOffset = pc[2].u.operand;
1146 if (value == intValue) {
1147 CodeBlock* codeBlock = exec->codeBlock();
1148 pc += codeBlock->switchJumpTable(pc[1].u.operand).offsetForValue(intValue, defaultOffset);
// Default branch. (This rendering drops the `} else` line that precedes it.)
1150 pc += defaultOffset;
// Slow path for op_switch_char: the scrutinee in LLINT_OP_C(3) is a
// one-character string (both facts ASSERTed) whose single code unit indexes
// the jump table pc[1]; pc[2] is the default offset.
// NOTE(review): the length == 1 guarantee is ASSERT-only, so release builds
// read (*impl)[0] unconditionally. This relies on the fast path having
// already diverted every other scrutinee -- confirm.
1154 LLINT_SLOW_PATH_DECL(slow_path_switch_char)
1157 JSValue scrutinee = LLINT_OP_C(3).jsValue();
1158 ASSERT(scrutinee.isString());
1159 JSString* string = asString(scrutinee);
1160 ASSERT(string->length() == 1);
1161 int defaultOffset = pc[2].u.operand;
1162 StringImpl* impl = string->value(exec).impl();
1163 CodeBlock* codeBlock = exec->codeBlock();
1164 pc += codeBlock->switchJumpTable(pc[1].u.operand).offsetForValue((*impl)[0], defaultOffset);
// Slow path for op_switch_string: a non-string scrutinee takes the default
// offset pc[2]; a string is looked up by its StringImpl in the string jump
// table pc[1]. (The `else` separating the two branches is not shown in this
// rendering.)
1168 LLINT_SLOW_PATH_DECL(slow_path_switch_string)
1171 JSValue scrutinee = LLINT_OP_C(3).jsValue();
1172 int defaultOffset = pc[2].u.operand;
1173 if (!scrutinee.isString())
1174 pc += defaultOffset;
1176 CodeBlock* codeBlock = exec->codeBlock();
1177 pc += codeBlock->stringSwitchJumpTable(pc[1].u.operand).offsetForValue(asString(scrutinee)->value(exec).impl(), defaultOffset);
// Function-declaration slow paths: op_new_func and its generator, async and
// async-generator variants. Each reads the scope from register pc[2]
// (uncheckedR -- the name suggests no register-range check; verify), looks up
// the function declaration pc[3] in the current CodeBlock, and returns a
// freshly created function cell of the matching kind. The dataLogF calls are
// guarded by LLINT_SLOW_PATH_TRACING; the matching #endif lines are not
// shown in this rendering.
1182 LLINT_SLOW_PATH_DECL(slow_path_new_func)
1185 CodeBlock* codeBlock = exec->codeBlock();
1186 JSScope* scope = exec->uncheckedR(pc[2].u.operand).Register::scope();
1187 #if LLINT_SLOW_PATH_TRACING
1188 dataLogF("Creating function!\n");
1190 LLINT_RETURN(JSFunction::create(vm, codeBlock->functionDecl(pc[3].u.operand), scope));
1193 LLINT_SLOW_PATH_DECL(slow_path_new_generator_func)
1196 CodeBlock* codeBlock = exec->codeBlock();
1197 JSScope* scope = exec->uncheckedR(pc[2].u.operand).Register::scope();
1198 #if LLINT_SLOW_PATH_TRACING
1199 dataLogF("Creating function!\n");
1201 LLINT_RETURN(JSGeneratorFunction::create(vm, codeBlock->functionDecl(pc[3].u.operand), scope));
1204 LLINT_SLOW_PATH_DECL(slow_path_new_async_func)
1207 CodeBlock* codeBlock = exec->codeBlock();
1208 JSScope* scope = exec->uncheckedR(pc[2].u.operand).Register::scope();
1209 #if LLINT_SLOW_PATH_TRACING
1210 dataLogF("Creating async function!\n");
1212 LLINT_RETURN(JSAsyncFunction::create(vm, codeBlock->functionDecl(pc[3].u.operand), scope));
1215 LLINT_SLOW_PATH_DECL(slow_path_new_async_generator_func)
1218 CodeBlock* codeBlock = exec->codeBlock();
1219 JSScope* scope = exec->uncheckedR(pc[2].u.operand).Register::scope();
1220 #if LLINT_SLOW_PATH_TRACING
1221 dataLogF("Creating async generator function!\n");
1223 LLINT_RETURN(JSAsyncGeneratorFunction::create(vm, codeBlock->functionDecl(pc[3].u.operand), scope));
// Function-expression slow paths: op_new_func_exp and its generator, async
// and async-generator variants. Same shape as the declaration forms above,
// except the FunctionExecutable comes from codeBlock->functionExpr(pc[3]).
1226 LLINT_SLOW_PATH_DECL(slow_path_new_func_exp)
1230 CodeBlock* codeBlock = exec->codeBlock();
1231 JSScope* scope = exec->uncheckedR(pc[2].u.operand).Register::scope();
1232 FunctionExecutable* executable = codeBlock->functionExpr(pc[3].u.operand);
1234 LLINT_RETURN(JSFunction::create(vm, executable, scope));
1237 LLINT_SLOW_PATH_DECL(slow_path_new_generator_func_exp)
1241 CodeBlock* codeBlock = exec->codeBlock();
1242 JSScope* scope = exec->uncheckedR(pc[2].u.operand).Register::scope();
1243 FunctionExecutable* executable = codeBlock->functionExpr(pc[3].u.operand);
1245 LLINT_RETURN(JSGeneratorFunction::create(vm, executable, scope));
1248 LLINT_SLOW_PATH_DECL(slow_path_new_async_func_exp)
1252 CodeBlock* codeBlock = exec->codeBlock();
1253 JSScope* scope = exec->uncheckedR(pc[2].u.operand).Register::scope();
1254 FunctionExecutable* executable = codeBlock->functionExpr(pc[3].u.operand);
1256 LLINT_RETURN(JSAsyncFunction::create(vm, executable, scope));
1259 LLINT_SLOW_PATH_DECL(slow_path_new_async_generator_func_exp)
1263 CodeBlock* codeBlock = exec->codeBlock();
1264 JSScope* scope = exec->uncheckedR(pc[2].u.operand).Register::scope();
1265 FunctionExecutable* executable = codeBlock->functionExpr(pc[3].u.operand);
1267 LLINT_RETURN(JSAsyncGeneratorFunction::create(vm, executable, scope));
// Slow path for op_set_function_name: assigns the name value in LLINT_OP_C(2)
// to the JSFunction in LLINT_OP(1). jsCast checks the cell type in debug
// builds only; the operand is read as an unboxed cell, so a non-function
// there would be a bytecode-emission bug rather than something caught here.
1270 LLINT_SLOW_PATH_DECL(slow_path_set_function_name)
1273 JSFunction* func = jsCast<JSFunction*>(LLINT_OP(1).Register::unboxedCell());
1274 JSValue name = LLINT_OP_C(2).Register::jsValue();
1275 func->setFunctionName(exec, name);
// Completes a call or construct whose callee is not a JSFunction. setUpCall
// routes everything that getJSFunction rejects (other than InternalFunction)
// here, so the CallType::JS / ConstructType::JS cases are ASSERTed impossible.
//  - execCallee: the callee frame already laid out by the caller.
//  - pc: the call instruction; not used by the statements shown here.
//  - callee: the value being called.
//  - kind: CodeForCall or CodeForConstruct.
// On success the native result is parked in vm.hostCallReturnValue and the
// getHostCallReturnValue trampoline is returned via LLINT_CALL_RETURN; any
// other callee raises NotAFunction / NotAConstructor via LLINT_CALL_THROW.
1279 static SlowPathReturnType handleHostCall(ExecState* execCallee, Instruction* pc, JSValue callee, CodeSpecializationKind kind)
1283 #if LLINT_SLOW_PATH_TRACING
1284 dataLog("Performing host call.\n");
// (#endif not shown in this rendering)
1287 ExecState* exec = execCallee->callerFrame();
1288 VM& vm = exec->vm();
1289 auto throwScope = DECLARE_THROW_SCOPE(vm);
// The callee frame is marked as native before anything runs in it: no
// CodeBlock and no return PC.
1291 execCallee->setCodeBlock(0);
1292 execCallee->clearReturnPC();
1294 if (kind == CodeForCall) {
// (the `CallData callData;` declaration used below is not shown)
1296 CallType callType = getCallData(callee, callData);
1298 ASSERT(callType != CallType::JS);
1300 if (callType == CallType::Host) {
// NativeCallFrameTracer is an RAII object scoped to this block; presumably it
// publishes execCallee as the VM's current frame for the native call -- verify.
1301 NativeCallFrameTracer tracer(&vm, execCallee);
1302 execCallee->setCallee(asObject(callee));
1303 vm.hostCallReturnValue = JSValue::decode(callData.native.function(execCallee));
// Hardening check: the trampoline address handed back to the interpreter
// must be an unpoisoned code pointer before control transfers to it.
1305 PoisonedMasmPtr::assertIsNotPoisoned(LLInt::getCodePtr(getHostCallReturnValue));
1306 LLINT_CALL_RETURN(execCallee, execCallee, LLInt::getCodePtr(getHostCallReturnValue));
1309 #if LLINT_SLOW_PATH_TRACING
1310 dataLog("Call callee is not a function: ", callee, "\n");
// Only CallType::None remains; report it as a TypeError on the caller frame.
1313 ASSERT(callType == CallType::None);
1314 LLINT_CALL_THROW(exec, createNotAFunctionError(exec, callee));
// Construct side: identical structure with ConstructData / ConstructType.
1317 ASSERT(kind == CodeForConstruct);
1319 ConstructData constructData;
1320 ConstructType constructType = getConstructData(callee, constructData);
1322 ASSERT(constructType != ConstructType::JS);
1324 if (constructType == ConstructType::Host) {
1325 NativeCallFrameTracer tracer(&vm, execCallee);
1326 execCallee->setCallee(asObject(callee));
1327 vm.hostCallReturnValue = JSValue::decode(constructData.native.function(execCallee));
1329 PoisonedMasmPtr::assertIsNotPoisoned(LLInt::getCodePtr(getHostCallReturnValue));
1330 LLINT_CALL_RETURN(execCallee, execCallee, LLInt::getCodePtr(getHostCallReturnValue));
1333 #if LLINT_SLOW_PATH_TRACING
1334 dataLog("Constructor callee is not a function: ", callee, "\n");
1337 ASSERT(constructType == ConstructType::None);
1338 LLINT_CALL_THROW(exec, createNotAConstructorError(exec, callee));
// Resolves the target of a call/construct for the LLInt and, when a
// CallLinkInfo is supplied, links the call site's inline cache.
//  - execCallee: callee frame with arguments, callee slot and caller frame
//    already set (see genericCall / varargsSetup / slow_path_call_eval).
//  - pc: the call instruction (forwarded to handleHostCall).
//  - kind: CodeForCall or CodeForConstruct.
//  - calleeAsValue: the value being called.
//  - callLinkInfo: optional inline-cache record; the default null (used by
//    varargsSetup and slow_path_call_eval) disables caching.
// Returns the machine-code entry point plus callee frame via LLINT_CALL_RETURN,
// or raises via LLINT_CALL_THROW / handleHostCall.
1341 inline SlowPathReturnType setUpCall(ExecState* execCallee, Instruction* pc, CodeSpecializationKind kind, JSValue calleeAsValue, LLIntCallLinkInfo* callLinkInfo = 0)
1343 ExecState* exec = execCallee->callerFrame();
1344 VM& vm = exec->vm();
1345 auto throwScope = DECLARE_THROW_SCOPE(vm);
1347 #if LLINT_SLOW_PATH_TRACING
1348 dataLogF("Performing call with recorded PC = %p\n", exec->currentVPC());
// (#endif not shown in this rendering)
// Not a JSFunction: an InternalFunction gets the VM's trampoline for `kind`
// and is cacheable; anything else goes to handleHostCall.
1351 JSCell* calleeAsFunctionCell = getJSFunction(calleeAsValue);
1352 if (!calleeAsFunctionCell) {
1353 if (calleeAsValue.isCell() && calleeAsValue.asCell()->type() == InternalFunctionType) {
1354 auto* internalFunction = jsCast<InternalFunction*>(calleeAsValue.asCell());
1355 MacroAssemblerCodePtr codePtr = vm.getCTIInternalFunctionTrampolineFor(kind);
// Link the call site. LLINT_ALWAYS_ACCESS_SLOW switches caching off entirely.
1358 if (!LLINT_ALWAYS_ACCESS_SLOW && callLinkInfo) {
1359 CodeBlock* callerCodeBlock = exec->codeBlock();
// The CallLinkInfo is rewritten under the caller CodeBlock's lock
// (ConcurrentJSLocker suggests readers on other threads -- verify).
1361 ConcurrentJSLocker locker(callerCodeBlock->m_lock);
// Unlink from any previous list before re-pointing the cache.
1363 if (callLinkInfo->isOnList())
1364 callLinkInfo->remove();
1365 callLinkInfo->callee.set(vm, callerCodeBlock, internalFunction);
1366 callLinkInfo->lastSeenCallee.set(vm, callerCodeBlock, internalFunction);
1367 callLinkInfo->machineCodeTarget = codePtr;
// (closing brace of the caching block not shown)
// Hardening check: never hand a still-poisoned code pointer to the interpreter.
1370 PoisonedMasmPtr::assertIsNotPoisoned(codePtr.executableAddress());
1371 LLINT_CALL_RETURN(exec, execCallee, codePtr.executableAddress());
// (closing brace not shown) Everything else is a host call or an error; the
// scope is released because handleHostCall owns exception checking from here.
1373 throwScope.release();
1374 return handleHostCall(execCallee, pc, calleeAsValue, kind);
// JSFunction path.
1376 JSFunction* callee = jsCast<JSFunction*>(calleeAsFunctionCell);
1377 JSScope* scope = callee->scopeUnchecked();
1378 ExecutableBase* executable = callee->executable();
1380 MacroAssemblerCodePtr codePtr;
1381 CodeBlock* codeBlock = 0;
// Host-backed JSFunction: always enter through the arity-checking entry;
// codeBlock stays null on this path.
1382 if (executable->isHostFunction()) {
1383 codePtr = executable->entrypointFor(kind, MustCheckArity);
// (`} else {` not shown) Script-backed function.
1385 FunctionExecutable* functionExecutable = static_cast<FunctionExecutable*>(executable);
// `new` on an executable marked CannotConstruct is rejected before any
// CodeBlock is prepared.
1387 if (!isCall(kind) && functionExecutable->constructAbility() == ConstructAbility::CannotConstruct)
1388 LLINT_CALL_THROW(exec, createNotAConstructorError(exec, callee));
// prepareForExecution installs the CodeBlock straight into the callee frame's
// CodeBlock slot. The EXCEPTION_ASSERT pins the contract that a non-null
// error return and a pending exception always go together.
1390 CodeBlock** codeBlockSlot = execCallee->addressOfCodeBlock();
1391 JSObject* error = functionExecutable->prepareForExecution<FunctionExecutable>(vm, callee, scope, kind, *codeBlockSlot);
1392 EXCEPTION_ASSERT(throwScope.exception() == error);
1393 if (UNLIKELY(error))
1394 LLINT_CALL_THROW(exec, error);
1395 codeBlock = *codeBlockSlot;
// Arity: use the arity-fixup entrypoint only when the caller supplied fewer
// arguments than the callee declares; otherwise the direct entry.
// (The `else` between the two assignments is not shown in this rendering.)
1397 ArityCheckMode arity;
1398 if (execCallee->argumentCountIncludingThis() < static_cast<size_t>(codeBlock->numParameters()))
1399 arity = MustCheckArity;
1401 arity = ArityCheckNotRequired;
1402 codePtr = functionExecutable->entrypointFor(kind, arity);
// Link the call site, same shape as the InternalFunction case above, and
// register the link with the callee CodeBlock via linkIncomingCall
// (presumably so the callee can unlink it later -- verify).
1407 if (!LLINT_ALWAYS_ACCESS_SLOW && callLinkInfo) {
1408 CodeBlock* callerCodeBlock = exec->codeBlock();
1410 ConcurrentJSLocker locker(callerCodeBlock->m_lock);
1412 if (callLinkInfo->isOnList())
1413 callLinkInfo->remove();
1414 callLinkInfo->callee.set(vm, callerCodeBlock, callee);
1415 callLinkInfo->lastSeenCallee.set(vm, callerCodeBlock, callee);
1416 callLinkInfo->machineCodeTarget = codePtr;
// NOTE(review): codeBlock is still null on the host-function path. This
// rendering drops the line just before the call below, which presumably
// guards it on codeBlock being non-null -- confirm.
1418 codeBlock->linkIncomingCall(exec, callLinkInfo);
1421 PoisonedMasmPtr::assertIsNotPoisoned(codePtr.executableAddress());
1422 LLINT_CALL_RETURN(exec, execCallee, codePtr.executableAddress());
// Shared body of slow_path_call / slow_path_construct.
//  - exec: the caller frame.
//  - pc: the call instruction; pc[2] callee, pc[3] argument count including
//    `this`, pc[4] the frame offset, pc[5] the CallLinkInfo.
//  - kind: CodeForCall or CodeForConstruct.
// Returns whatever setUpCall returns (entry point + callee frame, or a throw).
1425 inline SlowPathReturnType genericCall(ExecState* exec, Instruction* pc, CodeSpecializationKind kind)
1428 // - Set up a call frame.
1429 // - Figure out what to call and compile it if necessary.
1430 // - If possible, link the call's inline cache.
1431 // - Return a tuple of machine code address to call and the new call frame.
1433 JSValue calleeAsValue = LLINT_OP_C(2).jsValue();
// The callee frame lives pc[4] registers below the caller frame.
1435 ExecState* execCallee = exec - pc[4].u.operand;
1437 execCallee->setArgumentCountIncludingThis(pc[3].u.operand);
1438 execCallee->uncheckedR(CallFrameSlot::callee) = calleeAsValue;
1439 execCallee->setCallerFrame(exec);
// A CallLinkInfo is mandatory for this opcode, so setUpCall will link.
1441 ASSERT(pc[5].u.callLinkInfo);
1442 return setUpCall(execCallee, pc, kind, calleeAsValue, pc[5].u.callLinkInfo);
// Slow path for op_call. The throw scope is released before delegating:
// exception checking is genericCall/setUpCall's responsibility from here on.
1445 LLINT_SLOW_PATH_DECL(slow_path_call)
1447 LLINT_BEGIN_NO_SET_PC();
1448 throwScope.release();
1449 return genericCall(exec, pc, CodeForCall);
// Slow path for op_construct; identical to slow_path_call except for `kind`.
1452 LLINT_SLOW_PATH_DECL(slow_path_construct)
1454 LLINT_BEGIN_NO_SET_PC();
1455 throwScope.release();
1456 return genericCall(exec, pc, CodeForConstruct);
// First half of a varargs call (op_size_frame_for_varargs): works out how many
// arguments the spread value in LLINT_OP_C(4) contributes, carves out a callee
// frame below the caller's used stack slots, and parks both results in the VM
// (varargsLength, newCallFrameReturnValue) for varargsSetup to consume.
1459 LLINT_SLOW_PATH_DECL(slow_path_size_frame_for_varargs)
1463 // - Set up a call frame while respecting the variable arguments.
// pc[5] is negated into an unsigned, i.e. the operand carries the used-slot
// count with the opposite sign.
1465 unsigned numUsedStackSlots = -pc[5].u.operand;
1466 unsigned length = sizeFrameForVarargs(exec, vm,
1467 LLINT_OP_C(4).jsValue(), numUsedStackSlots, pc[6].u.operand);
// Sizing can fail (e.g. a pending exception); checked before any frame is
// carved out.
1468 LLINT_CALL_CHECK_EXCEPTION(exec, exec);
// length + 1: one extra slot beyond the spread arguments (presumably `this`
// -- confirm).
1470 ExecState* execCallee = calleeFrameForVarargs(exec, numUsedStackSlots, length + 1);
1471 vm.varargsLength = length;
1472 vm.newCallFrameReturnValue = execCallee;
1474 LLINT_RETURN_CALLEE_FRAME(execCallee);
// Same as slow_path_size_frame_for_varargs, but the argument count comes from
// the current frame's own arguments (sizeFrameForForwardArguments) instead of
// a spread value. Results again go to vm.varargsLength and
// vm.newCallFrameReturnValue for varargsSetup.
1477 LLINT_SLOW_PATH_DECL(slow_path_size_frame_for_forward_arguments)
1481 // - Set up a call frame with the same arguments as the current frame.
1483 unsigned numUsedStackSlots = -pc[5].u.operand;
1485 unsigned arguments = sizeFrameForForwardArguments(exec, vm, numUsedStackSlots);
1486 LLINT_CALL_CHECK_EXCEPTION(exec, exec);
1488 ExecState* execCallee = calleeFrameForVarargs(exec, numUsedStackSlots, arguments + 1);
1490 vm.varargsLength = arguments;
1491 vm.newCallFrameReturnValue = execCallee;
1493 LLINT_RETURN_CALLEE_FRAME(execCallee);
// Selects how varargsSetup fills the callee frame's arguments. Its enumerators
// (Object, CurrentArguments, as used below) are not shown in this rendering.
1496 enum class SetArgumentsWith {
// Second half of a varargs call: fills the callee frame that the matching
// size_frame_for_* slow path already allocated (vm.newCallFrameReturnValue,
// vm.varargsLength) and resolves the callee.
//  - exec: caller frame.  - pc: the call instruction.
//  - kind: CodeForCall or CodeForConstruct.
//  - set: Object copies arguments out of the spread value in LLINT_OP_C(4);
//    CurrentArguments forwards the current frame's arguments.
// setUpCall is invoked without a CallLinkInfo, so varargs sites are not
// inline-cached. LLINT_BEGIN_NO_SET_PC is used and the VPC is stored manually
// just before the call is set up.
1501 inline SlowPathReturnType varargsSetup(ExecState* exec, Instruction* pc, CodeSpecializationKind kind, SetArgumentsWith set)
1503 LLINT_BEGIN_NO_SET_PC();
1505 // - Figure out what to call and compile it if necessary.
1506 // - Return a tuple of machine code address to call and the new call frame.
1508 JSValue calleeAsValue = LLINT_OP_C(2).jsValue();
1510 ExecState* execCallee = vm.newCallFrameReturnValue;
// Only the spread form is exception-checked; the forwarding form is not.
// (The `else` between the two branches is not shown.)
1512 if (set == SetArgumentsWith::Object) {
1513 setupVarargsFrameAndSetThis(exec, execCallee, LLINT_OP_C(3).jsValue(), LLINT_OP_C(4).jsValue(), pc[6].u.operand, vm.varargsLength);
1514 LLINT_CALL_CHECK_EXCEPTION(exec, exec);
1516 setupForwardArgumentsFrameAndSetThis(exec, execCallee, LLINT_OP_C(3).jsValue(), vm.varargsLength);
1518 execCallee->setCallerFrame(exec);
1519 execCallee->uncheckedR(CallFrameSlot::callee) = calleeAsValue;
1520 exec->setCurrentVPC(pc);
1522 throwScope.release();
1523 return setUpCall(execCallee, pc, kind, calleeAsValue);
// Thin opcode wrappers over varargsSetup: spread call, forwarded-arguments
// tail call, and spread construct.
1526 LLINT_SLOW_PATH_DECL(slow_path_call_varargs)
1528 return varargsSetup(exec, pc, CodeForCall, SetArgumentsWith::Object);
1531 LLINT_SLOW_PATH_DECL(slow_path_tail_call_forward_arguments)
1533 return varargsSetup(exec, pc, CodeForCall, SetArgumentsWith::CurrentArguments);
1536 LLINT_SLOW_PATH_DECL(slow_path_construct_varargs)
1538 return varargsSetup(exec, pc, CodeForConstruct, SetArgumentsWith::Object);
// Slow path for op_call_eval. Lays out the callee frame like genericCall
// (callee pc[2], argument count pc[3], frame offset pc[4]) but additionally
// gives it a return PC (the generic return point) and no CodeBlock, since a
// direct eval runs as a host call.
// The isHostFunction(calleeAsValue, globalFuncEval) test is the identity check
// that makes this a direct eval: only the real global eval function takes the
// eval(execCallee) path; any other callee -- including something merely named
// "eval" -- becomes an ordinary call through setUpCall (no CallLinkInfo, so
// uncached).
1542 LLINT_SLOW_PATH_DECL(slow_path_call_eval)
1544 LLINT_BEGIN_NO_SET_PC();
1545 JSValue calleeAsValue = LLINT_OP(2).jsValue();
1547 ExecState* execCallee = exec - pc[4].u.operand;
1549 execCallee->setArgumentCountIncludingThis(pc[3].u.operand);
1550 execCallee->setCallerFrame(exec);
1551 execCallee->uncheckedR(CallFrameSlot::callee) = calleeAsValue;
1552 execCallee->setReturnPC(LLInt::getCodePtr(llint_generic_return_point));
1553 execCallee->setCodeBlock(0);
1554 exec->setCurrentVPC(pc);
1556 if (!isHostFunction(calleeAsValue, globalFuncEval)) {
1557 throwScope.release();
1558 return setUpCall(execCallee, pc, CodeForCall, calleeAsValue);
// Direct eval: result is parked in vm.hostCallReturnValue and picked up by
// the getHostCallReturnValue trampoline, as for any host call.
1561 vm.hostCallReturnValue = eval(execCallee);
1562 LLINT_CALL_RETURN(exec, execCallee, LLInt::getCodePtr(getHostCallReturnValue));
// op_strcat: concatenates pc[3] consecutive registers starting at LLINT_OP(2)
// into one string.
1565 LLINT_SLOW_PATH_DECL(slow_path_strcat)
1568 LLINT_RETURN(jsStringFromRegisterArray(exec, &LLINT_OP(2), pc[3].u.operand));
// op_to_primitive: ToPrimitive on LLINT_OP_C(2).
1571 LLINT_SLOW_PATH_DECL(slow_path_to_primitive)
1574 LLINT_RETURN(LLINT_OP_C(2).jsValue().toPrimitive(exec));
// op_throw: raises the value in LLINT_OP_C(1) as the pending exception.
1577 LLINT_SLOW_PATH_DECL(slow_path_throw)
1580 LLINT_THROW(LLINT_OP_C(1).jsValue());
// Slow path taken when the VM has traps pending (ASSERTed): services them via
// vm.handleTraps and returns the pair (pending exception or null, exec) so the
// interpreter can see whether trap handling raised anything.
1583 LLINT_SLOW_PATH_DECL(slow_path_handle_traps)
1585 LLINT_BEGIN_NO_SET_PC();
1586 ASSERT(vm.needTrapHandling());
1587 vm.handleTraps(exec);
1589 LLINT_RETURN_TWO(throwScope.exception(), exec);
// op_debug: forwards the hook type in pc[1] to the interpreter's debugger hook.
1592 LLINT_SLOW_PATH_DECL(slow_path_debug)
1595 int debugHookType = pc[1].u.operand;
1596 vm.interpreter->debug(exec, static_cast<DebugHookType>(debugHookType));
// Entry for the interpreter's exception path: hands the frame to the generic
// unwinder. The throw scope declared by LLINT_BEGIN_NO_SET_PC is not used
// here, hence UNUSED_PARAM.
1601 LLINT_SLOW_PATH_DECL(slow_path_handle_exception)
1603 LLINT_BEGIN_NO_SET_PC();
1604 UNUSED_PARAM(throwScope);
1605 genericUnwind(&vm, exec);
// Slow path for op_get_from_scope: reads identifier pc[3] from the scope
// object in LLINT_OP(2) using getPropertySlot with a callback that handles
// both the not-found and found cases. pc[4] carries the GetPutInfo (resolve
// type / resolve mode).
1609 LLINT_SLOW_PATH_DECL(slow_path_get_from_scope)
1612 const Identifier& ident = exec->codeBlock()->identifier(pc[3].u.operand);
1613 JSObject* scope = jsCast<JSObject*>(LLINT_OP(2).jsValue());
1614 GetPutInfo getPutInfo(pc[4].u.operand);
1616 // ModuleVar is always converted to ClosureVar for get_from_scope.
1617 ASSERT(getPutInfo.resolveType() != ModuleVar);
1619 LLINT_RETURN(scope->getPropertySlot(exec, ident, [&] (bool found, PropertySlot& slot) -> JSValue {
// Not-found case (the `if (!found)` guard is not shown in this rendering):
// ThrowIfNotFound raises a ReferenceError-style undefined-variable error,
// otherwise the read yields undefined.
1621 if (getPutInfo.resolveMode() == ThrowIfNotFound)
1622 return throwException(exec, throwScope, createUndefinedVariableError(exec, ident));
1623 return jsUndefined();
1626 JSValue result = JSValue();
1627 if (scope->isGlobalLexicalEnvironment()) {
1628 // When we can't statically prove we need a TDZ check, we must perform the check on the slow path.
// A global `let`/`const` still in its temporal dead zone reads back as the
// TDZ sentinel; that must surface as an error rather than leak the sentinel.
1629 result = slot.getValue(exec, ident);
1630 if (result == jsTDZValue())
1631 return throwException(exec, throwScope, createTDZError(exec));
// Try to cache the global lookup for subsequent executions of this pc.
1634 CommonSlowPaths::tryCacheGetFromScopeGlobal(exec, vm, pc, scope, slot, ident);
1637 return slot.getValue(exec, ident);
// Slow path for op_put_to_scope: writes LLINT_OP_C(3) to identifier pc[2] on
// the scope object in LLINT_OP(1). pc[4] is the GetPutInfo; for
// LocalClosureVar, pc[5] is the watchpoint set and pc[6] the scope offset.
1642 LLINT_SLOW_PATH_DECL(slow_path_put_to_scope)
1646 CodeBlock* codeBlock = exec->codeBlock();
1647 const Identifier& ident = codeBlock->identifier(pc[2].u.operand);
1648 JSObject* scope = jsCast<JSObject*>(LLINT_OP(1).jsValue());
1649 JSValue value = LLINT_OP_C(3).jsValue();
1650 GetPutInfo getPutInfo = GetPutInfo(pc[4].u.operand);
// Closure variable: direct slot store, no property lookup.
1651 if (getPutInfo.resolveType() == LocalClosureVar) {
1652 JSLexicalEnvironment* environment = jsCast<JSLexicalEnvironment*>(scope);
1653 environment->variableAt(ScopeOffset(pc[6].u.operand)).set(vm, environment, value);
1655 // Have to do this *after* the write, because if this puts the set into IsWatched, then we need
1656 // to have already changed the value of the variable. Otherwise we might watch and constant-fold
1657 // to the Undefined value from before the assignment.
1658 if (WatchpointSet* set = pc[5].u.watchpointSet)
1659 set->touch(vm, "Executed op_put_scope<LocalClosureVar>");
// General case: a property put on the scope object.
1663 bool hasProperty = scope->hasProperty(exec, ident);
1664 LLINT_CHECK_EXCEPTION();
// The `if (hasProperty` that opens this condition is not shown in this
// rendering. A non-initializing write to a global lexical binding still in
// its TDZ is an error, checked here because it could not be proven away
// statically.
1666 && scope->isGlobalLexicalEnvironment()
1667 && !isInitialization(getPutInfo.initializationMode())) {
1668 // When we can't statically prove we need a TDZ check, we must perform the check on the slow path.
1669 PropertySlot slot(scope, PropertySlot::InternalMethodType::Get);
1670 JSGlobalLexicalEnvironment::getOwnPropertySlot(scope, exec, ident, slot);
1671 if (slot.getValue(exec, ident) == jsTDZValue())
1672 LLINT_THROW(createTDZError(exec));
// Assignment to an unresolvable name under ThrowIfNotFound (strict-mode
// semantics) is rejected instead of creating a global.
1675 if (getPutInfo.resolveMode() == ThrowIfNotFound && !hasProperty)
1676 LLINT_THROW(createUndefinedVariableError(exec, ident));
// The put honours the code block's strict mode and the initialization mode;
// both are carried by the PutPropertySlot to the scope's put method.
1678 PutPropertySlot slot(scope, codeBlock->isStrictMode(), PutPropertySlot::UnknownContext, isInitialization(getPutInfo.initializationMode()));
1679 scope->methodTable(vm)->put(scope, exec, ident, value, slot);
1681 CommonSlowPaths::tryCachePutToScopeGlobal(exec, codeBlock, pc, scope, getPutInfo, slot, ident);
// Called with an exception pending (RELEASE_ASSERTed, so this holds in release
// builds too). Returns (pc, 1) when the exception is a terminated-execution
// exception, which script must not be allowed to catch, and (pc, 0) otherwise.
1686 LLINT_SLOW_PATH_DECL(slow_path_check_if_exception_is_uncatchable_and_notify_profiler)
1689 RELEASE_ASSERT(!!throwScope.exception());
1691 if (isTerminatedExecutionException(vm, throwScope.exception()))
1692 LLINT_RETURN_TWO(pc, bitwise_cast<void*>(static_cast<uintptr_t>(1)));
1693 LLINT_RETURN_TWO(pc, 0);
// Records a prologue packet in the shadow chicken log: callee, this frame,
// its caller and the scope from register pc[1].
1696 LLINT_SLOW_PATH_DECL(slow_path_log_shadow_chicken_prologue)
1700 JSScope* scope = exec->uncheckedR(pc[1].u.operand).Register::scope();
1701 vm.shadowChicken().log(vm, exec, ShadowChicken::Packet::prologue(exec->jsCallee(), exec, exec->callerFrame(), scope));
// Records a tail-call packet in the shadow chicken log: this value from
// LLINT_OP(1), scope from register pc[2], plus a CallSiteIndex for this pc.
// The two callSiteIndex declarations below are alternative definitions under
// conditional compilation; the directives themselves are not shown in this
// rendering.
1706 LLINT_SLOW_PATH_DECL(slow_path_log_shadow_chicken_tail)
1710 JSValue thisValue = LLINT_OP(1).jsValue();
1711 JSScope* scope = exec->uncheckedR(pc[2].u.operand).Register::scope();
1714 CallSiteIndex callSiteIndex(exec->codeBlock()->bytecodeOffset(pc));
1716 CallSiteIndex callSiteIndex(pc);
1718 vm.shadowChicken().log(vm, exec, ShadowChicken::Packet::tail(exec, thisValue, scope, exec->codeBlock(), callSiteIndex));
// op_profile_catch: after ensuring catch liveness is known for this bytecode
// offset, snapshots each live operand's current register value into bucket 0
// of its value profile. pc[3] points at the ValueProfileAndOperandBuffer.
// (The lambda's closing `});` is not shown in this rendering.)
1723 LLINT_SLOW_PATH_DECL(slow_path_profile_catch)
1727 exec->codeBlock()->ensureCatchLivenessIsComputedForBytecodeOffset(exec->bytecodeOffset());
1729 ValueProfileAndOperandBuffer* buffer = static_cast<ValueProfileAndOperandBuffer*>(pc[3].u.pointer);
1730 buffer->forEach([&] (ValueProfileAndOperand& profile) {
1731 profile.m_profile.m_buckets[0] = JSValue::encode(exec->uncheckedR(profile.m_operand).jsValue());
// Super-sampler bracket: the begin/end opcodes simply bump the global
// g_superSamplerCount up and down (see the FIXME on why this is a slow path).
1737 LLINT_SLOW_PATH_DECL(slow_path_super_sampler_begin)
1739 // FIXME: It seems like we should be able to do this in asm but llint doesn't seem to like global variables.
1740 // See: https://bugs.webkit.org/show_bug.cgi?id=179438
1742 g_superSamplerCount++;
1746 LLINT_SLOW_PATH_DECL(slow_path_super_sampler_end)
1748 // FIXME: It seems like we should be able to do this in asm but llint doesn't seem to like global variables.
1749 // See: https://bugs.webkit.org/show_bug.cgi?id=179438
1751 g_superSamplerCount--;
// C entry point used by the interpreter when a stack check fails: raises a
// stack-overflow error and returns an all-zero result pair.
//  - vm: the VM; vm->topCallFrame is the frame to throw from.
//  - protoFrame: the pending entry frame, whose callee's global object supplies
//    a fallback ExecState.
// NOTE(review): this rendering drops a line between the two `exec`
// assignments; the reassignment to the global exec is presumably conditional
// (e.g. on topCallFrame being null) -- confirm against the source.
1755 extern "C" SlowPathReturnType llint_throw_stack_overflow_error(VM* vm, ProtoCallFrame* protoFrame)
1757 ExecState* exec = vm->topCallFrame;
1758 auto scope = DECLARE_THROW_SCOPE(*vm);
1761 exec = protoFrame->callee()->globalObject()->globalExec();
1762 throwStackOverflowError(exec, scope);
1763 return encodeResult(0, 0);
// C entry point for the VM-entry stack check: asks the VM whether the stack can
// grow to newTopOfStack and returns the boolean in the first result slot
// (encoded as a pointer-sized value), with the second slot zero.
1767 extern "C" SlowPathReturnType llint_stack_check_at_vm_entry(VM* vm, Register* newTopOfStack)
1769 bool success = vm->ensureStackCapacityFor(newTopOfStack);
1770 return encodeResult(reinterpret_cast<void*>(success), 0);
// C entry point for the GC write barrier's slow case: forwards the cell to
// the heap's writeBarrier.
1774 extern "C" void llint_write_barrier_slow(ExecState* exec, JSCell* cell)
1776 VM& vm = exec->vm();
1777 vm.heap.writeBarrier(cell);
// C entry point the interpreter jumps to for an unrecoverable condition;
// declared no-return because it crashes. Its body is not shown in this
// rendering.
1780 extern "C" NO_RETURN_DUE_TO_CRASH void llint_crash()
1785 #if ENABLE(LLINT_STATS)
// Opcode statistics (only compiled under ENABLE(LLINT_STATS)): the first
// counts every execution of the opcode at pc, the second counts only the
// executions that took the slow path.
1787 LLINT_SLOW_PATH_DECL(count_opcode)
1789 OpcodeID opcodeID = Interpreter::getOpcodeID(pc[0].u.opcode);
1790 Data::opcodeStats(opcodeID).count++;
1794 LLINT_SLOW_PATH_DECL(count_opcode_slow_path)
1796 OpcodeID opcodeID = Interpreter::getOpcodeID(pc[0].u.opcode);
1797 Data::opcodeStats(opcodeID).slowPathCount++;
1801 #endif // ENABLE(LLINT_STATS)
1803 } } // namespace JSC::LLInt