finally blocks should not set the exception stack trace when re-throwing the exception.
[WebKit-https.git] / Source / JavaScriptCore / llint / LLIntSlowPaths.cpp
1 /*
2  * Copyright (C) 2011-2015 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "LLIntSlowPaths.h"
28
29 #include "ArrayConstructor.h"
30 #include "CallFrame.h"
31 #include "CommonSlowPaths.h"
32 #include "CommonSlowPathsExceptions.h"
33 #include "Error.h"
34 #include "ErrorHandlingScope.h"
35 #include "ExceptionFuzz.h"
36 #include "GetterSetter.h"
37 #include "HostCallReturnValue.h"
38 #include "Interpreter.h"
39 #include "JIT.h"
40 #include "JITExceptions.h"
41 #include "JSLexicalEnvironment.h"
42 #include "JSCInlines.h"
43 #include "JSCJSValue.h"
44 #include "JSGlobalObjectFunctions.h"
45 #include "JSNameScope.h"
46 #include "JSStackInlines.h"
47 #include "JSString.h"
48 #include "JSWithScope.h"
49 #include "LLIntCommon.h"
50 #include "LLIntExceptions.h"
51 #include "LegacyProfiler.h"
52 #include "LowLevelInterpreter.h"
53 #include "ObjectConstructor.h"
54 #include "ProtoCallFrame.h"
55 #include "StructureRareDataInlines.h"
56 #include <wtf/StringPrintStream.h>
57
58 namespace JSC { namespace LLInt {
59
60 #define LLINT_BEGIN_NO_SET_PC() \
61     VM& vm = exec->vm();      \
62     NativeCallFrameTracer tracer(&vm, exec)
63
64 #ifndef NDEBUG
65 #define LLINT_SET_PC_FOR_STUBS() do { \
66         exec->codeBlock()->bytecodeOffset(pc); \
67         exec->setCurrentVPC(pc + 1); \
68     } while (false)
69 #else
70 #define LLINT_SET_PC_FOR_STUBS() do { \
71         exec->setCurrentVPC(pc + 1); \
72     } while (false)
73 #endif
74
75 #define LLINT_BEGIN()                           \
76     LLINT_BEGIN_NO_SET_PC();                    \
77     LLINT_SET_PC_FOR_STUBS()
78
79 #define LLINT_OP(index) (exec->uncheckedR(pc[index].u.operand))
80 #define LLINT_OP_C(index) (exec->r(pc[index].u.operand))
81
82 #define LLINT_RETURN_TWO(first, second) do {       \
83         return encodeResult(first, second);        \
84     } while (false)
85
86 #define LLINT_END_IMPL() LLINT_RETURN_TWO(pc, 0)
87
88 #define LLINT_THROW(exceptionToThrow) do {                        \
89         vm.throwException(exec, exceptionToThrow);                \
90         pc = returnToThrow(exec);                                 \
91         LLINT_END_IMPL();                                         \
92     } while (false)
93
94 #define LLINT_CHECK_EXCEPTION() do {                    \
95         doExceptionFuzzingIfEnabled(exec, "LLIntSlowPaths", pc);    \
96         if (UNLIKELY(vm.exception())) {                 \
97             pc = returnToThrow(exec);                   \
98             LLINT_END_IMPL();                           \
99         }                                               \
100     } while (false)
101
102 #define LLINT_END() do {                        \
103         LLINT_CHECK_EXCEPTION();                \
104         LLINT_END_IMPL();                       \
105     } while (false)
106
107 #define LLINT_BRANCH(opcode, condition) do {                      \
108         bool __b_condition = (condition);                         \
109         LLINT_CHECK_EXCEPTION();                                  \
110         if (__b_condition)                                        \
111             pc += pc[OPCODE_LENGTH(opcode) - 1].u.operand;        \
112         else                                                      \
113             pc += OPCODE_LENGTH(opcode);                          \
114         LLINT_END_IMPL();                                         \
115     } while (false)
116
117 #define LLINT_RETURN(value) do {                \
118         JSValue __r_returnValue = (value);      \
119         LLINT_CHECK_EXCEPTION();                \
120         LLINT_OP(1) = __r_returnValue;          \
121         LLINT_END_IMPL();                       \
122     } while (false)
123
124 #define LLINT_RETURN_WITH_PC_ADJUSTMENT(value, pcAdjustment) do { \
125         JSValue __r_returnValue = (value);      \
126         LLINT_CHECK_EXCEPTION();                \
127         LLINT_OP(1) = __r_returnValue;          \
128         pc += (pcAdjustment);                   \
129         LLINT_END_IMPL();                       \
130     } while (false)
131
132 #define LLINT_RETURN_PROFILED(opcode, value) do {               \
133         JSValue __rp_returnValue = (value);                     \
134         LLINT_CHECK_EXCEPTION();                                \
135         LLINT_OP(1) = __rp_returnValue;                         \
136         LLINT_PROFILE_VALUE(opcode, __rp_returnValue);          \
137         LLINT_END_IMPL();                                       \
138     } while (false)
139
140 #define LLINT_PROFILE_VALUE(opcode, value) do { \
141         pc[OPCODE_LENGTH(opcode) - 1].u.profile->m_buckets[0] = \
142         JSValue::encode(value);                  \
143     } while (false)
144
145 #define LLINT_CALL_END_IMPL(exec, callTarget) LLINT_RETURN_TWO((callTarget), (exec))
146
147 #define LLINT_CALL_THROW(exec, exceptionToThrow) do {                   \
148         ExecState* __ct_exec = (exec);                                  \
149         vm.throwException(__ct_exec, exceptionToThrow);                 \
150         LLINT_CALL_END_IMPL(0, callToThrow(__ct_exec));                 \
151     } while (false)
152
153 #define LLINT_CALL_CHECK_EXCEPTION(exec, execCallee) do {               \
154         ExecState* __cce_exec = (exec);                                 \
155         ExecState* __cce_execCallee = (execCallee);                     \
156         doExceptionFuzzingIfEnabled(__cce_exec, "LLIntSlowPaths/call", nullptr); \
157         if (UNLIKELY(vm.exception()))                                   \
158             LLINT_CALL_END_IMPL(0, callToThrow(__cce_execCallee));      \
159     } while (false)
160
161 #define LLINT_CALL_RETURN(exec, execCallee, callTarget) do {            \
162         ExecState* __cr_exec = (exec);                                  \
163         ExecState* __cr_execCallee = (execCallee);                      \
164         void* __cr_callTarget = (callTarget);                           \
165         LLINT_CALL_CHECK_EXCEPTION(__cr_exec, __cr_execCallee);         \
166         LLINT_CALL_END_IMPL(__cr_execCallee, __cr_callTarget);          \
167     } while (false)
168
169 #define LLINT_RETURN_CALLEE_FRAME(execCallee) do {                      \
170         ExecState* __rcf_exec = (execCallee);                           \
171         LLINT_RETURN_TWO(pc, __rcf_exec);                               \
172     } while (false)
173
174 extern "C" SlowPathReturnType llint_trace_operand(ExecState* exec, Instruction* pc, int fromWhere, int operand)
175 {
176     LLINT_BEGIN();
177     dataLogF("%p / %p: executing bc#%zu, op#%u: Trace(%d): %d: %d\n",
178             exec->codeBlock(),
179             exec,
180             static_cast<intptr_t>(pc - exec->codeBlock()->instructions().begin()),
181             exec->vm().interpreter->getOpcodeID(pc[0].u.opcode),
182             fromWhere,
183             operand,
184             pc[operand].u.operand);
185     LLINT_END();
186 }
187
188 extern "C" SlowPathReturnType llint_trace_value(ExecState* exec, Instruction* pc, int fromWhere, int operand)
189 {
190     JSValue value = LLINT_OP_C(operand).jsValue();
191     union {
192         struct {
193             uint32_t tag;
194             uint32_t payload;
195         } bits;
196         EncodedJSValue asValue;
197     } u;
198     u.asValue = JSValue::encode(value);
199     dataLogF(
200         "%p / %p: executing bc#%zu, op#%u: Trace(%d): %d: %d: %08x:%08x: %s\n",
201         exec->codeBlock(),
202         exec,
203         static_cast<intptr_t>(pc - exec->codeBlock()->instructions().begin()),
204         exec->vm().interpreter->getOpcodeID(pc[0].u.opcode),
205         fromWhere,
206         operand,
207         pc[operand].u.operand,
208         u.bits.tag,
209         u.bits.payload,
210         toCString(value).data());
211     LLINT_END_IMPL();
212 }
213
214 LLINT_SLOW_PATH_DECL(trace_prologue)
215 {
216     dataLogF("%p / %p: in prologue.\n", exec->codeBlock(), exec);
217     LLINT_END_IMPL();
218 }
219
220 static void traceFunctionPrologue(ExecState* exec, const char* comment, CodeSpecializationKind kind)
221 {
222     JSFunction* callee = jsCast<JSFunction*>(exec->callee());
223     FunctionExecutable* executable = callee->jsExecutable();
224     CodeBlock* codeBlock = executable->codeBlockFor(kind);
225     dataLogF("%p / %p: in %s of function %p, executable %p; numVars = %u, numParameters = %u, numCalleeRegisters = %u, caller = %p.\n",
226             codeBlock, exec, comment, callee, executable,
227             codeBlock->m_numVars, codeBlock->numParameters(), codeBlock->m_numCalleeRegisters,
228             exec->callerFrame());
229 }
230
231 LLINT_SLOW_PATH_DECL(trace_prologue_function_for_call)
232 {
233     traceFunctionPrologue(exec, "call prologue", CodeForCall);
234     LLINT_END_IMPL();
235 }
236
237 LLINT_SLOW_PATH_DECL(trace_prologue_function_for_construct)
238 {
239     traceFunctionPrologue(exec, "construct prologue", CodeForConstruct);
240     LLINT_END_IMPL();
241 }
242
243 LLINT_SLOW_PATH_DECL(trace_arityCheck_for_call)
244 {
245     traceFunctionPrologue(exec, "call arity check", CodeForCall);
246     LLINT_END_IMPL();
247 }
248
249 LLINT_SLOW_PATH_DECL(trace_arityCheck_for_construct)
250 {
251     traceFunctionPrologue(exec, "construct arity check", CodeForConstruct);
252     LLINT_END_IMPL();
253 }
254
255 LLINT_SLOW_PATH_DECL(trace)
256 {
257     dataLogF("%p / %p: executing bc#%zu, %s, pc = %p\n",
258             exec->codeBlock(),
259             exec,
260             static_cast<intptr_t>(pc - exec->codeBlock()->instructions().begin()),
261             opcodeNames[exec->vm().interpreter->getOpcodeID(pc[0].u.opcode)], pc);
262     if (exec->vm().interpreter->getOpcodeID(pc[0].u.opcode) == op_enter) {
263         dataLogF("Frame will eventually return to %p\n", exec->returnPC().value());
264         *bitwise_cast<volatile char*>(exec->returnPC().value());
265     }
266     if (exec->vm().interpreter->getOpcodeID(pc[0].u.opcode) == op_ret) {
267         dataLogF("Will be returning to %p\n", exec->returnPC().value());
268         dataLogF("The new cfr will be %p\n", exec->callerFrame());
269     }
270     LLINT_END_IMPL();
271 }
272
273 LLINT_SLOW_PATH_DECL(special_trace)
274 {
275     dataLogF("%p / %p: executing special case bc#%zu, op#%u, return PC is %p\n",
276             exec->codeBlock(),
277             exec,
278             static_cast<intptr_t>(pc - exec->codeBlock()->instructions().begin()),
279             exec->vm().interpreter->getOpcodeID(pc[0].u.opcode),
280             exec->returnPC().value());
281     LLINT_END_IMPL();
282 }
283
284 enum EntryKind { Prologue, ArityCheck };
285
286 #if ENABLE(JIT)
287 inline bool shouldJIT(ExecState* exec)
288 {
289     // You can modify this to turn off JITting without rebuilding the world.
290     return exec->vm().canUseJIT();
291 }
292
293 // Returns true if we should try to OSR.
294 inline bool jitCompileAndSetHeuristics(CodeBlock* codeBlock, ExecState* exec)
295 {
296     VM& vm = exec->vm();
297     DeferGCForAWhile deferGC(vm.heap); // My callers don't set top callframe, so we don't want to GC here at all.
298     
299     codeBlock->updateAllValueProfilePredictions();
300     
301     if (!codeBlock->checkIfJITThresholdReached()) {
302         if (Options::verboseOSR())
303             dataLogF("    JIT threshold should be lifted.\n");
304         return false;
305     }
306     
307     switch (codeBlock->jitType()) {
308     case JITCode::BaselineJIT: {
309         if (Options::verboseOSR())
310             dataLogF("    Code was already compiled.\n");
311         codeBlock->jitSoon();
312         return true;
313     }
314     case JITCode::InterpreterThunk: {
315         CompilationResult result = JIT::compile(&vm, codeBlock, JITCompilationCanFail);
316         switch (result) {
317         case CompilationFailed:
318             if (Options::verboseOSR())
319                 dataLogF("    JIT compilation failed.\n");
320             codeBlock->dontJITAnytimeSoon();
321             return false;
322         case CompilationSuccessful:
323             if (Options::verboseOSR())
324                 dataLogF("    JIT compilation successful.\n");
325             codeBlock->install();
326             codeBlock->jitSoon();
327             return true;
328         default:
329             RELEASE_ASSERT_NOT_REACHED();
330             return false;
331         }
332     }
333     default:
334         dataLog("Unexpected code block in LLInt: ", *codeBlock, "\n");
335         RELEASE_ASSERT_NOT_REACHED();
336         return false;
337     }
338 }
339
340 static SlowPathReturnType entryOSR(ExecState* exec, Instruction*, CodeBlock* codeBlock, const char *name, EntryKind kind)
341 {
342     if (Options::verboseOSR()) {
343         dataLog(
344             *codeBlock, ": Entered ", name, " with executeCounter = ",
345             codeBlock->llintExecuteCounter(), "\n");
346     }
347     
348     if (!shouldJIT(exec)) {
349         codeBlock->dontJITAnytimeSoon();
350         LLINT_RETURN_TWO(0, 0);
351     }
352     if (!jitCompileAndSetHeuristics(codeBlock, exec))
353         LLINT_RETURN_TWO(0, 0);
354     
355     if (kind == Prologue)
356         LLINT_RETURN_TWO(codeBlock->jitCode()->executableAddress(), 0);
357     ASSERT(kind == ArityCheck);
358     LLINT_RETURN_TWO(codeBlock->jitCode()->addressForCall(
359         *codeBlock->vm(), codeBlock->ownerExecutable(), MustCheckArity,
360         RegisterPreservationNotRequired).executableAddress(), 0);
361 }
362 #else // ENABLE(JIT)
363 static SlowPathReturnType entryOSR(ExecState* exec, Instruction*, CodeBlock* codeBlock, const char*, EntryKind)
364 {
365     codeBlock->dontJITAnytimeSoon();
366     LLINT_RETURN_TWO(0, exec);
367 }
368 #endif // ENABLE(JIT)
369
370 LLINT_SLOW_PATH_DECL(entry_osr)
371 {
372     return entryOSR(exec, pc, exec->codeBlock(), "entry_osr", Prologue);
373 }
374
375 LLINT_SLOW_PATH_DECL(entry_osr_function_for_call)
376 {
377     return entryOSR(exec, pc, jsCast<JSFunction*>(exec->callee())->jsExecutable()->codeBlockForCall(), "entry_osr_function_for_call", Prologue);
378 }
379
380 LLINT_SLOW_PATH_DECL(entry_osr_function_for_construct)
381 {
382     return entryOSR(exec, pc, jsCast<JSFunction*>(exec->callee())->jsExecutable()->codeBlockForConstruct(), "entry_osr_function_for_construct", Prologue);
383 }
384
385 LLINT_SLOW_PATH_DECL(entry_osr_function_for_call_arityCheck)
386 {
387     return entryOSR(exec, pc, jsCast<JSFunction*>(exec->callee())->jsExecutable()->codeBlockForCall(), "entry_osr_function_for_call_arityCheck", ArityCheck);
388 }
389
390 LLINT_SLOW_PATH_DECL(entry_osr_function_for_construct_arityCheck)
391 {
392     return entryOSR(exec, pc, jsCast<JSFunction*>(exec->callee())->jsExecutable()->codeBlockForConstruct(), "entry_osr_function_for_construct_arityCheck", ArityCheck);
393 }
394
395 LLINT_SLOW_PATH_DECL(loop_osr)
396 {
397     CodeBlock* codeBlock = exec->codeBlock();
398
399 #if ENABLE(JIT)
400     if (Options::verboseOSR()) {
401         dataLog(
402             *codeBlock, ": Entered loop_osr with executeCounter = ",
403             codeBlock->llintExecuteCounter(), "\n");
404     }
405     
406     if (!shouldJIT(exec)) {
407         codeBlock->dontJITAnytimeSoon();
408         LLINT_RETURN_TWO(0, 0);
409     }
410     
411     if (!jitCompileAndSetHeuristics(codeBlock, exec))
412         LLINT_RETURN_TWO(0, 0);
413     
414     ASSERT(codeBlock->jitType() == JITCode::BaselineJIT);
415     
416     Vector<BytecodeAndMachineOffset> map;
417     codeBlock->jitCodeMap()->decode(map);
418     BytecodeAndMachineOffset* mapping = binarySearch<BytecodeAndMachineOffset, unsigned>(map, map.size(), pc - codeBlock->instructions().begin(), BytecodeAndMachineOffset::getBytecodeIndex);
419     ASSERT(mapping);
420     ASSERT(mapping->m_bytecodeIndex == static_cast<unsigned>(pc - codeBlock->instructions().begin()));
421     
422     void* jumpTarget = codeBlock->jitCode()->executableAddressAtOffset(mapping->m_machineCodeOffset);
423     ASSERT(jumpTarget);
424     
425     LLINT_RETURN_TWO(jumpTarget, exec->topOfFrame());
426 #else // ENABLE(JIT)
427     UNUSED_PARAM(pc);
428     codeBlock->dontJITAnytimeSoon();
429     LLINT_RETURN_TWO(0, 0);
430 #endif // ENABLE(JIT)
431 }
432
433 LLINT_SLOW_PATH_DECL(replace)
434 {
435     CodeBlock* codeBlock = exec->codeBlock();
436
437 #if ENABLE(JIT)
438     if (Options::verboseOSR()) {
439         dataLog(
440             *codeBlock, ": Entered replace with executeCounter = ",
441             codeBlock->llintExecuteCounter(), "\n");
442     }
443     
444     if (shouldJIT(exec))
445         jitCompileAndSetHeuristics(codeBlock, exec);
446     else
447         codeBlock->dontJITAnytimeSoon();
448     LLINT_END_IMPL();
449 #else // ENABLE(JIT)
450     codeBlock->dontJITAnytimeSoon();
451     LLINT_END_IMPL();
452 #endif // ENABLE(JIT)
453 }
454
455 LLINT_SLOW_PATH_DECL(stack_check)
456 {
457     LLINT_BEGIN();
458 #if LLINT_SLOW_PATH_TRACING
459     dataLogF("Checking stack height with exec = %p.\n", exec);
460     dataLogF("CodeBlock = %p.\n", exec->codeBlock());
461     dataLogF("Num callee registers = %u.\n", exec->codeBlock()->m_numCalleeRegisters);
462     dataLogF("Num vars = %u.\n", exec->codeBlock()->m_numVars);
463
464 #if ENABLE(JIT)
465     dataLogF("Current end is at %p.\n", exec->vm().stackLimit());
466 #else
467     dataLogF("Current end is at %p.\n", exec->vm().jsStackLimit());
468 #endif
469
470 #endif
471     // This stack check is done in the prologue for a function call, and the
472     // CallFrame is not completely set up yet. For example, if the frame needs
473     // a lexical environment object, the lexical environment object will only be
474     // set up after we start executing the function. If we need to throw a
475     // StackOverflowError here, then we need to tell the prologue to start the
476     // stack unwinding from the caller frame (which is fully set up) instead.
477     // To do that, we return the caller's CallFrame in the second return value.
478     //
479     // If the stack check succeeds and we don't need to throw the error, then
480     // we'll return 0 instead. The prologue will check for a non-zero value
481     // when determining whether to set the callFrame or not.
482
483     // For JIT enabled builds which uses the C stack, the stack is not growable.
484     // Hence, if we get here, then we know a stack overflow is imminent. So, just
485     // throw the StackOverflowError unconditionally.
486 #if !ENABLE(JIT)
487     ASSERT(!vm.interpreter->stack().containsAddress(exec->topOfFrame()));
488     if (LIKELY(vm.interpreter->stack().ensureCapacityFor(exec->topOfFrame())))
489         LLINT_RETURN_TWO(pc, 0);
490 #endif
491
492     exec = exec->callerFrame(vm.topVMEntryFrame);
493     vm.topCallFrame = exec;
494     ErrorHandlingScope errorScope(vm);
495     CommonSlowPaths::interpreterThrowInCaller(exec, createStackOverflowError(exec));
496     pc = returnToThrowForThrownException(exec);
497     LLINT_RETURN_TWO(pc, exec);
498 }
499
500 LLINT_SLOW_PATH_DECL(slow_path_create_lexical_environment)
501 {
502     LLINT_BEGIN();
503 #if LLINT_SLOW_PATH_TRACING
504     dataLogF("Creating an lexicalEnvironment, exec = %p!\n", exec);
505 #endif
506     int scopeReg = pc[2].u.operand;
507     JSScope* scope = exec->uncheckedR(scopeReg).Register::scope();
508     JSLexicalEnvironment* lexicalEnvironment = JSLexicalEnvironment::create(vm, exec, scope, exec->codeBlock());
509     LLINT_RETURN(JSValue(lexicalEnvironment));
510 }
511
512 LLINT_SLOW_PATH_DECL(slow_path_new_object)
513 {
514     LLINT_BEGIN();
515     LLINT_RETURN(constructEmptyObject(exec, pc[3].u.objectAllocationProfile->structure()));
516 }
517
518 LLINT_SLOW_PATH_DECL(slow_path_new_array)
519 {
520     LLINT_BEGIN();
521     LLINT_RETURN(constructArrayNegativeIndexed(exec, pc[4].u.arrayAllocationProfile, bitwise_cast<JSValue*>(&LLINT_OP(2)), pc[3].u.operand));
522 }
523
524 LLINT_SLOW_PATH_DECL(slow_path_new_array_with_size)
525 {
526     LLINT_BEGIN();
527     LLINT_RETURN(constructArrayWithSizeQuirk(exec, pc[3].u.arrayAllocationProfile, exec->lexicalGlobalObject(), LLINT_OP_C(2).jsValue()));
528 }
529
530 LLINT_SLOW_PATH_DECL(slow_path_new_array_buffer)
531 {
532     LLINT_BEGIN();
533     LLINT_RETURN(constructArray(exec, pc[4].u.arrayAllocationProfile, exec->codeBlock()->constantBuffer(pc[2].u.operand), pc[3].u.operand));
534 }
535
536 LLINT_SLOW_PATH_DECL(slow_path_new_regexp)
537 {
538     LLINT_BEGIN();
539     RegExp* regExp = exec->codeBlock()->regexp(pc[2].u.operand);
540     if (!regExp->isValid())
541         LLINT_THROW(createSyntaxError(exec, "Invalid flag supplied to RegExp constructor."));
542     LLINT_RETURN(RegExpObject::create(vm, exec->lexicalGlobalObject()->regExpStructure(), regExp));
543 }
544
545 LLINT_SLOW_PATH_DECL(slow_path_check_has_instance)
546 {
547     LLINT_BEGIN();
548     
549     JSValue value = LLINT_OP_C(2).jsValue();
550     JSValue baseVal = LLINT_OP_C(3).jsValue();
551     if (baseVal.isObject()) {
552         JSObject* baseObject = asObject(baseVal);
553         ASSERT(!baseObject->structure()->typeInfo().implementsDefaultHasInstance());
554         if (baseObject->structure()->typeInfo().implementsHasInstance()) {
555             JSValue result = jsBoolean(baseObject->methodTable()->customHasInstance(baseObject, exec, value));
556             LLINT_RETURN_WITH_PC_ADJUSTMENT(result, pc[4].u.operand);
557         }
558     }
559     LLINT_THROW(createInvalidInstanceofParameterError(exec, baseVal));
560 }
561
562 LLINT_SLOW_PATH_DECL(slow_path_instanceof)
563 {
564     LLINT_BEGIN();
565     JSValue value = LLINT_OP_C(2).jsValue();
566     JSValue proto = LLINT_OP_C(3).jsValue();
567     ASSERT(!value.isObject() || !proto.isObject());
568     LLINT_RETURN(jsBoolean(JSObject::defaultHasInstance(exec, value, proto)));
569 }
570
571 LLINT_SLOW_PATH_DECL(slow_path_get_by_id)
572 {
573     LLINT_BEGIN();
574     CodeBlock* codeBlock = exec->codeBlock();
575     const Identifier& ident = codeBlock->identifier(pc[3].u.operand);
576     JSValue baseValue = LLINT_OP_C(2).jsValue();
577     PropertySlot slot(baseValue);
578
579     JSValue result = baseValue.get(exec, ident, slot);
580     LLINT_CHECK_EXCEPTION();
581     LLINT_OP(1) = result;
582     
583     if (!LLINT_ALWAYS_ACCESS_SLOW
584         && baseValue.isCell()
585         && slot.isCacheable()
586         && slot.slotBase() == baseValue
587         && slot.isCacheableValue()) {
588         
589         JSCell* baseCell = baseValue.asCell();
590         Structure* structure = baseCell->structure();
591         
592         if (!structure->isUncacheableDictionary()
593             && !structure->typeInfo().prohibitsPropertyCaching()
594             && !structure->typeInfo().newImpurePropertyFiresWatchpoints()) {
595             ConcurrentJITLocker locker(codeBlock->m_lock);
596
597             pc[4].u.structure.set(
598                 vm, codeBlock->ownerExecutable(), structure);
599             if (isInlineOffset(slot.cachedOffset())) {
600                 pc[0].u.opcode = LLInt::getOpcode(op_get_by_id);
601                 pc[5].u.operand = offsetInInlineStorage(slot.cachedOffset()) * sizeof(JSValue) + JSObject::offsetOfInlineStorage();
602             } else {
603                 pc[0].u.opcode = LLInt::getOpcode(op_get_by_id_out_of_line);
604                 pc[5].u.operand = offsetInButterfly(slot.cachedOffset()) * sizeof(JSValue);
605             }
606         }
607     }
608
609     if (!LLINT_ALWAYS_ACCESS_SLOW
610         && isJSArray(baseValue)
611         && ident == exec->propertyNames().length) {
612         pc[0].u.opcode = LLInt::getOpcode(op_get_array_length);
613         ArrayProfile* arrayProfile = codeBlock->getOrAddArrayProfile(pc - codeBlock->instructions().begin());
614         arrayProfile->observeStructure(baseValue.asCell()->structure());
615         pc[4].u.arrayProfile = arrayProfile;
616     }
617
618     pc[OPCODE_LENGTH(op_get_by_id) - 1].u.profile->m_buckets[0] = JSValue::encode(result);
619     LLINT_END();
620 }
621
622 LLINT_SLOW_PATH_DECL(slow_path_get_arguments_length)
623 {
624     LLINT_BEGIN();
625     CodeBlock* codeBlock = exec->codeBlock();
626     const Identifier& ident = codeBlock->identifier(pc[3].u.operand);
627     JSValue baseValue = LLINT_OP(2).jsValue();
628     PropertySlot slot(baseValue);
629     LLINT_RETURN(baseValue.get(exec, ident, slot));
630 }
631
632 LLINT_SLOW_PATH_DECL(slow_path_put_by_id)
633 {
634     LLINT_BEGIN();
635     CodeBlock* codeBlock = exec->codeBlock();
636     const Identifier& ident = codeBlock->identifier(pc[2].u.operand);
637     
638     JSValue baseValue = LLINT_OP_C(1).jsValue();
639     PutPropertySlot slot(baseValue, codeBlock->isStrictMode(), codeBlock->putByIdContext());
640     if (pc[8].u.operand)
641         asObject(baseValue)->putDirect(vm, ident, LLINT_OP_C(3).jsValue(), slot);
642     else
643         baseValue.put(exec, ident, LLINT_OP_C(3).jsValue(), slot);
644     LLINT_CHECK_EXCEPTION();
645     
646     if (!LLINT_ALWAYS_ACCESS_SLOW
647         && baseValue.isCell()
648         && slot.isCacheablePut()) {
649         
650         JSCell* baseCell = baseValue.asCell();
651         Structure* structure = baseCell->structure();
652         
653         if (!structure->isUncacheableDictionary()
654             && !structure->typeInfo().prohibitsPropertyCaching()
655             && baseCell == slot.base()) {
656             
657             if (slot.type() == PutPropertySlot::NewProperty) {
658                 GCSafeConcurrentJITLocker locker(codeBlock->m_lock, vm.heap);
659             
660                 if (!structure->isDictionary() && structure->previousID()->outOfLineCapacity() == structure->outOfLineCapacity()) {
661                     ASSERT(structure->previousID()->transitionWatchpointSetHasBeenInvalidated());
662                     
663                     // This is needed because some of the methods we call
664                     // below may GC.
665                     pc[0].u.opcode = LLInt::getOpcode(op_put_by_id);
666
667                     if (normalizePrototypeChain(exec, structure) != InvalidPrototypeChain) {
668                         ASSERT(structure->previousID()->isObject());
669                         pc[4].u.structure.set(
670                             vm, codeBlock->ownerExecutable(), structure->previousID());
671                         if (isInlineOffset(slot.cachedOffset()))
672                             pc[5].u.operand = offsetInInlineStorage(slot.cachedOffset()) * sizeof(JSValue) + JSObject::offsetOfInlineStorage();
673                         else
674                             pc[5].u.operand = offsetInButterfly(slot.cachedOffset()) * sizeof(JSValue);
675                         pc[6].u.structure.set(
676                             vm, codeBlock->ownerExecutable(), structure);
677                         StructureChain* chain = structure->prototypeChain(exec);
678                         ASSERT(chain);
679                         pc[7].u.structureChain.set(
680                             vm, codeBlock->ownerExecutable(), chain);
681                     
682                         if (pc[8].u.operand) {
683                             if (isInlineOffset(slot.cachedOffset()))
684                                 pc[0].u.opcode = LLInt::getOpcode(op_put_by_id_transition_direct);
685                             else
686                                 pc[0].u.opcode = LLInt::getOpcode(op_put_by_id_transition_direct_out_of_line);
687                         } else {
688                             if (isInlineOffset(slot.cachedOffset()))
689                                 pc[0].u.opcode = LLInt::getOpcode(op_put_by_id_transition_normal);
690                             else
691                                 pc[0].u.opcode = LLInt::getOpcode(op_put_by_id_transition_normal_out_of_line);
692                         }
693                     }
694                 }
695             } else {
696                 structure->didCachePropertyReplacement(vm, slot.cachedOffset());
697                 pc[4].u.structure.set(
698                     vm, codeBlock->ownerExecutable(), structure);
699                 if (isInlineOffset(slot.cachedOffset())) {
700                     pc[0].u.opcode = LLInt::getOpcode(op_put_by_id);
701                     pc[5].u.operand = offsetInInlineStorage(slot.cachedOffset()) * sizeof(JSValue) + JSObject::offsetOfInlineStorage();
702                 } else {
703                     pc[0].u.opcode = LLInt::getOpcode(op_put_by_id_out_of_line);
704                     pc[5].u.operand = offsetInButterfly(slot.cachedOffset()) * sizeof(JSValue);
705                 }
706             }
707         }
708     }
709     
710     LLINT_END();
711 }
712
713 LLINT_SLOW_PATH_DECL(slow_path_del_by_id)
714 {
715     LLINT_BEGIN();
716     CodeBlock* codeBlock = exec->codeBlock();
717     JSObject* baseObject = LLINT_OP_C(2).jsValue().toObject(exec);
718     bool couldDelete = baseObject->methodTable()->deleteProperty(baseObject, exec, codeBlock->identifier(pc[3].u.operand));
719     LLINT_CHECK_EXCEPTION();
720     if (!couldDelete && codeBlock->isStrictMode())
721         LLINT_THROW(createTypeError(exec, "Unable to delete property."));
722     LLINT_RETURN(jsBoolean(couldDelete));
723 }
724
725 inline JSValue getByVal(ExecState* exec, JSValue baseValue, JSValue subscript)
726 {
727     if (LIKELY(baseValue.isCell() && subscript.isString())) {
728         VM& vm = exec->vm();
729         Structure& structure = *baseValue.asCell()->structure(vm);
730         if (JSCell::canUseFastGetOwnProperty(structure)) {
731             if (RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec)) {
732                 if (JSValue result = baseValue.asCell()->fastGetOwnProperty(vm, structure, existingAtomicString.get()))
733                     return result;
734             }
735         }
736     }
737     
738     if (subscript.isUInt32()) {
739         uint32_t i = subscript.asUInt32();
740         if (isJSString(baseValue) && asString(baseValue)->canGetIndex(i))
741             return asString(baseValue)->getIndex(exec, i);
742         
743         return baseValue.get(exec, i);
744     }
745
746     baseValue.requireObjectCoercible(exec);
747     if (exec->hadException())
748         return jsUndefined();
749     auto property = subscript.toPropertyKey(exec);
750     if (exec->hadException())
751         return jsUndefined();
752     return baseValue.get(exec, property);
753 }
754
755 LLINT_SLOW_PATH_DECL(slow_path_get_by_val)
756 {
757     LLINT_BEGIN();
758     LLINT_RETURN_PROFILED(op_get_by_val, getByVal(exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(3).jsValue()));
759 }
760
761 LLINT_SLOW_PATH_DECL(slow_path_put_by_val)
762 {
763     LLINT_BEGIN();
764     
765     JSValue baseValue = LLINT_OP_C(1).jsValue();
766     JSValue subscript = LLINT_OP_C(2).jsValue();
767     JSValue value = LLINT_OP_C(3).jsValue();
768     
769     if (LIKELY(subscript.isUInt32())) {
770         uint32_t i = subscript.asUInt32();
771         if (baseValue.isObject()) {
772             JSObject* object = asObject(baseValue);
773             if (object->canSetIndexQuickly(i))
774                 object->setIndexQuickly(vm, i, value);
775             else
776                 object->methodTable()->putByIndex(object, exec, i, value, exec->codeBlock()->isStrictMode());
777             LLINT_END();
778         }
779         baseValue.putByIndex(exec, i, value, exec->codeBlock()->isStrictMode());
780         LLINT_END();
781     }
782
783     auto property = subscript.toPropertyKey(exec);
784     LLINT_CHECK_EXCEPTION();
785     PutPropertySlot slot(baseValue, exec->codeBlock()->isStrictMode());
786     baseValue.put(exec, property, value, slot);
787     LLINT_END();
788 }
789
790 LLINT_SLOW_PATH_DECL(slow_path_put_by_val_direct)
791 {
792     LLINT_BEGIN();
793     
794     JSValue baseValue = LLINT_OP_C(1).jsValue();
795     JSValue subscript = LLINT_OP_C(2).jsValue();
796     JSValue value = LLINT_OP_C(3).jsValue();
797     RELEASE_ASSERT(baseValue.isObject());
798     JSObject* baseObject = asObject(baseValue);
799     bool isStrictMode = exec->codeBlock()->isStrictMode();
800     if (LIKELY(subscript.isUInt32())) {
801         // Despite its name, JSValue::isUInt32 will return true only for positive boxed int32_t; all those values are valid array indices.
802         ASSERT(isIndex(subscript.asUInt32()));
803         baseObject->putDirectIndex(exec, subscript.asUInt32(), value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
804         LLINT_END();
805     }
806
807     if (subscript.isDouble()) {
808         double subscriptAsDouble = subscript.asDouble();
809         uint32_t subscriptAsUInt32 = static_cast<uint32_t>(subscriptAsDouble);
810         if (subscriptAsDouble == subscriptAsUInt32 && isIndex(subscriptAsUInt32)) {
811             baseObject->putDirectIndex(exec, subscriptAsUInt32, value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
812             LLINT_END();
813         }
814     }
815
816     // Don't put to an object if toString threw an exception.
817     auto property = subscript.toPropertyKey(exec);
818     if (exec->vm().exception())
819         LLINT_END();
820
821     if (Optional<uint32_t> index = parseIndex(property))
822         baseObject->putDirectIndex(exec, index.value(), value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
823     else {
824         PutPropertySlot slot(baseObject, isStrictMode);
825         baseObject->putDirect(exec->vm(), property, value, slot);
826     }
827     LLINT_END();
828 }
829
830 LLINT_SLOW_PATH_DECL(slow_path_del_by_val)
831 {
832     LLINT_BEGIN();
833     JSValue baseValue = LLINT_OP_C(2).jsValue();
834     JSObject* baseObject = baseValue.toObject(exec);
835     
836     JSValue subscript = LLINT_OP_C(3).jsValue();
837     
838     bool couldDelete;
839     
840     uint32_t i;
841     if (subscript.getUInt32(i))
842         couldDelete = baseObject->methodTable()->deletePropertyByIndex(baseObject, exec, i);
843     else {
844         LLINT_CHECK_EXCEPTION();
845         auto property = subscript.toPropertyKey(exec);
846         LLINT_CHECK_EXCEPTION();
847         couldDelete = baseObject->methodTable()->deleteProperty(baseObject, exec, property);
848     }
849     
850     if (!couldDelete && exec->codeBlock()->isStrictMode())
851         LLINT_THROW(createTypeError(exec, "Unable to delete property."));
852     
853     LLINT_RETURN(jsBoolean(couldDelete));
854 }
855
856 LLINT_SLOW_PATH_DECL(slow_path_put_by_index)
857 {
858     LLINT_BEGIN();
859     JSValue arrayValue = LLINT_OP_C(1).jsValue();
860     ASSERT(isJSArray(arrayValue));
861     asArray(arrayValue)->putDirectIndex(exec, pc[2].u.operand, LLINT_OP_C(3).jsValue());
862     LLINT_END();
863 }
864
865 LLINT_SLOW_PATH_DECL(slow_path_put_getter_by_id)
866 {
867     LLINT_BEGIN();
868     ASSERT(LLINT_OP(1).jsValue().isObject());
869     JSObject* baseObj = asObject(LLINT_OP(1).jsValue());
870     
871     JSValue getter = LLINT_OP(3).jsValue();
872     ASSERT(getter.isObject());
873     
874     baseObj->putGetter(exec, exec->codeBlock()->identifier(pc[2].u.operand), asObject(getter));
875     LLINT_END();
876 }
877
878 LLINT_SLOW_PATH_DECL(slow_path_put_setter_by_id)
879 {
880     LLINT_BEGIN();
881     ASSERT(LLINT_OP(1).jsValue().isObject());
882     JSObject* baseObj = asObject(LLINT_OP(1).jsValue());
883     
884     JSValue setter = LLINT_OP(3).jsValue();
885     ASSERT(setter.isObject());
886     
887     baseObj->putSetter(exec, exec->codeBlock()->identifier(pc[2].u.operand), asObject(setter));
888     LLINT_END();
889 }
890
891 LLINT_SLOW_PATH_DECL(slow_path_put_getter_setter)
892 {
893     LLINT_BEGIN();
894     ASSERT(LLINT_OP(1).jsValue().isObject());
895     JSObject* baseObj = asObject(LLINT_OP(1).jsValue());
896     
897     GetterSetter* accessor = GetterSetter::create(vm, exec->lexicalGlobalObject());
898     LLINT_CHECK_EXCEPTION();
899     
900     JSValue getter = LLINT_OP(3).jsValue();
901     JSValue setter = LLINT_OP(4).jsValue();
902     ASSERT(getter.isObject() || getter.isUndefined());
903     ASSERT(setter.isObject() || setter.isUndefined());
904     ASSERT(getter.isObject() || setter.isObject());
905     
906     if (!getter.isUndefined())
907         accessor->setGetter(vm, exec->lexicalGlobalObject(), asObject(getter));
908     if (!setter.isUndefined())
909         accessor->setSetter(vm, exec->lexicalGlobalObject(), asObject(setter));
910     baseObj->putDirectAccessor(
911         exec,
912         exec->codeBlock()->identifier(pc[2].u.operand),
913         accessor, Accessor);
914     LLINT_END();
915 }
916
917 LLINT_SLOW_PATH_DECL(slow_path_jtrue)
918 {
919     LLINT_BEGIN();
920     LLINT_BRANCH(op_jtrue, LLINT_OP_C(1).jsValue().toBoolean(exec));
921 }
922
923 LLINT_SLOW_PATH_DECL(slow_path_jfalse)
924 {
925     LLINT_BEGIN();
926     LLINT_BRANCH(op_jfalse, !LLINT_OP_C(1).jsValue().toBoolean(exec));
927 }
928
929 LLINT_SLOW_PATH_DECL(slow_path_jless)
930 {
931     LLINT_BEGIN();
932     LLINT_BRANCH(op_jless, jsLess<true>(exec, LLINT_OP_C(1).jsValue(), LLINT_OP_C(2).jsValue()));
933 }
934
935 LLINT_SLOW_PATH_DECL(slow_path_jnless)
936 {
937     LLINT_BEGIN();
938     LLINT_BRANCH(op_jnless, !jsLess<true>(exec, LLINT_OP_C(1).jsValue(), LLINT_OP_C(2).jsValue()));
939 }
940
941 LLINT_SLOW_PATH_DECL(slow_path_jgreater)
942 {
943     LLINT_BEGIN();
944     LLINT_BRANCH(op_jgreater, jsLess<false>(exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(1).jsValue()));
945 }
946
947 LLINT_SLOW_PATH_DECL(slow_path_jngreater)
948 {
949     LLINT_BEGIN();
950     LLINT_BRANCH(op_jngreater, !jsLess<false>(exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(1).jsValue()));
951 }
952
953 LLINT_SLOW_PATH_DECL(slow_path_jlesseq)
954 {
955     LLINT_BEGIN();
956     LLINT_BRANCH(op_jlesseq, jsLessEq<true>(exec, LLINT_OP_C(1).jsValue(), LLINT_OP_C(2).jsValue()));
957 }
958
959 LLINT_SLOW_PATH_DECL(slow_path_jnlesseq)
960 {
961     LLINT_BEGIN();
962     LLINT_BRANCH(op_jnlesseq, !jsLessEq<true>(exec, LLINT_OP_C(1).jsValue(), LLINT_OP_C(2).jsValue()));
963 }
964
965 LLINT_SLOW_PATH_DECL(slow_path_jgreatereq)
966 {
967     LLINT_BEGIN();
968     LLINT_BRANCH(op_jgreatereq, jsLessEq<false>(exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(1).jsValue()));
969 }
970
971 LLINT_SLOW_PATH_DECL(slow_path_jngreatereq)
972 {
973     LLINT_BEGIN();
974     LLINT_BRANCH(op_jngreatereq, !jsLessEq<false>(exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(1).jsValue()));
975 }
976
977 LLINT_SLOW_PATH_DECL(slow_path_switch_imm)
978 {
979     LLINT_BEGIN();
980     JSValue scrutinee = LLINT_OP_C(3).jsValue();
981     ASSERT(scrutinee.isDouble());
982     double value = scrutinee.asDouble();
983     int32_t intValue = static_cast<int32_t>(value);
984     int defaultOffset = pc[2].u.operand;
985     if (value == intValue) {
986         CodeBlock* codeBlock = exec->codeBlock();
987         pc += codeBlock->switchJumpTable(pc[1].u.operand).offsetForValue(intValue, defaultOffset);
988     } else
989         pc += defaultOffset;
990     LLINT_END();
991 }
992
993 LLINT_SLOW_PATH_DECL(slow_path_switch_char)
994 {
995     LLINT_BEGIN();
996     JSValue scrutinee = LLINT_OP_C(3).jsValue();
997     ASSERT(scrutinee.isString());
998     JSString* string = asString(scrutinee);
999     ASSERT(string->length() == 1);
1000     int defaultOffset = pc[2].u.operand;
1001     StringImpl* impl = string->value(exec).impl();
1002     CodeBlock* codeBlock = exec->codeBlock();
1003     pc += codeBlock->switchJumpTable(pc[1].u.operand).offsetForValue((*impl)[0], defaultOffset);
1004     LLINT_END();
1005 }
1006
1007 LLINT_SLOW_PATH_DECL(slow_path_switch_string)
1008 {
1009     LLINT_BEGIN();
1010     JSValue scrutinee = LLINT_OP_C(3).jsValue();
1011     int defaultOffset = pc[2].u.operand;
1012     if (!scrutinee.isString())
1013         pc += defaultOffset;
1014     else {
1015         CodeBlock* codeBlock = exec->codeBlock();
1016         pc += codeBlock->stringSwitchJumpTable(pc[1].u.operand).offsetForValue(asString(scrutinee)->value(exec).impl(), defaultOffset);
1017     }
1018     LLINT_END();
1019 }
1020
1021 LLINT_SLOW_PATH_DECL(slow_path_new_func)
1022 {
1023     LLINT_BEGIN();
1024     CodeBlock* codeBlock = exec->codeBlock();
1025     ASSERT(codeBlock->codeType() != FunctionCode || !codeBlock->needsActivation() || exec->hasActivation());
1026     JSScope* scope = exec->uncheckedR(pc[2].u.operand).Register::scope();
1027 #if LLINT_SLOW_PATH_TRACING
1028     dataLogF("Creating function!\n");
1029 #endif
1030     LLINT_RETURN(JSFunction::create(vm, codeBlock->functionDecl(pc[3].u.operand), scope));
1031 }
1032
1033 LLINT_SLOW_PATH_DECL(slow_path_new_func_exp)
1034 {
1035     LLINT_BEGIN();
1036     CodeBlock* codeBlock = exec->codeBlock();
1037     JSScope* scope = exec->uncheckedR(pc[2].u.operand).Register::scope();
1038     FunctionExecutable* function = codeBlock->functionExpr(pc[3].u.operand);
1039     JSFunction* func = JSFunction::create(vm, function, scope);
1040     
1041     LLINT_RETURN(func);
1042 }
1043
1044 static SlowPathReturnType handleHostCall(ExecState* execCallee, Instruction* pc, JSValue callee, CodeSpecializationKind kind)
1045 {
1046     UNUSED_PARAM(pc);
1047
1048 #if LLINT_SLOW_PATH_TRACING
1049     dataLog("Performing host call.\n");
1050 #endif
1051     
1052     ExecState* exec = execCallee->callerFrame();
1053     VM& vm = exec->vm();
1054
1055     execCallee->setCodeBlock(0);
1056     execCallee->clearReturnPC();
1057
1058     if (kind == CodeForCall) {
1059         CallData callData;
1060         CallType callType = getCallData(callee, callData);
1061     
1062         ASSERT(callType != CallTypeJS);
1063     
1064         if (callType == CallTypeHost) {
1065             NativeCallFrameTracer tracer(&vm, execCallee);
1066             execCallee->setCallee(asObject(callee));
1067             vm.hostCallReturnValue = JSValue::decode(callData.native.function(execCallee));
1068             
1069             LLINT_CALL_RETURN(execCallee, execCallee, LLInt::getCodePtr(getHostCallReturnValue));
1070         }
1071         
1072 #if LLINT_SLOW_PATH_TRACING
1073         dataLog("Call callee is not a function: ", callee, "\n");
1074 #endif
1075
1076         ASSERT(callType == CallTypeNone);
1077         LLINT_CALL_THROW(exec, createNotAFunctionError(exec, callee));
1078     }
1079
1080     ASSERT(kind == CodeForConstruct);
1081     
1082     ConstructData constructData;
1083     ConstructType constructType = getConstructData(callee, constructData);
1084     
1085     ASSERT(constructType != ConstructTypeJS);
1086     
1087     if (constructType == ConstructTypeHost) {
1088         NativeCallFrameTracer tracer(&vm, execCallee);
1089         execCallee->setCallee(asObject(callee));
1090         vm.hostCallReturnValue = JSValue::decode(constructData.native.function(execCallee));
1091
1092         LLINT_CALL_RETURN(execCallee, execCallee, LLInt::getCodePtr(getHostCallReturnValue));
1093     }
1094     
1095 #if LLINT_SLOW_PATH_TRACING
1096     dataLog("Constructor callee is not a function: ", callee, "\n");
1097 #endif
1098
1099     ASSERT(constructType == ConstructTypeNone);
1100     LLINT_CALL_THROW(exec, createNotAConstructorError(exec, callee));
1101 }
1102
1103 inline SlowPathReturnType setUpCall(ExecState* execCallee, Instruction* pc, CodeSpecializationKind kind, JSValue calleeAsValue, LLIntCallLinkInfo* callLinkInfo = 0)
1104 {
1105     ExecState* exec = execCallee->callerFrame();
1106
1107 #if LLINT_SLOW_PATH_TRACING
1108     dataLogF("Performing call with recorded PC = %p\n", exec->currentVPC());
1109 #endif
1110     
1111     JSCell* calleeAsFunctionCell = getJSFunction(calleeAsValue);
1112     if (!calleeAsFunctionCell)
1113         return handleHostCall(execCallee, pc, calleeAsValue, kind);
1114     
1115     JSFunction* callee = jsCast<JSFunction*>(calleeAsFunctionCell);
1116     JSScope* scope = callee->scopeUnchecked();
1117     VM& vm = *scope->vm();
1118     ExecutableBase* executable = callee->executable();
1119     
1120     MacroAssemblerCodePtr codePtr;
1121     CodeBlock* codeBlock = 0;
1122     if (executable->isHostFunction())
1123         codePtr = executable->entrypointFor(vm, kind, MustCheckArity, RegisterPreservationNotRequired);
1124     else {
1125         FunctionExecutable* functionExecutable = static_cast<FunctionExecutable*>(executable);
1126
1127         if (!isCall(kind) && functionExecutable->isBuiltinFunction())
1128             LLINT_CALL_THROW(exec, createNotAConstructorError(exec, callee));
1129
1130         JSObject* error = functionExecutable->prepareForExecution(execCallee, callee, scope, kind);
1131         if (error)
1132             LLINT_CALL_THROW(exec, error);
1133         codeBlock = functionExecutable->codeBlockFor(kind);
1134         ASSERT(codeBlock);
1135         ArityCheckMode arity;
1136         if (execCallee->argumentCountIncludingThis() < static_cast<size_t>(codeBlock->numParameters()))
1137             arity = MustCheckArity;
1138         else
1139             arity = ArityCheckNotRequired;
1140         codePtr = functionExecutable->entrypointFor(vm, kind, arity, RegisterPreservationNotRequired);
1141     }
1142     
1143     ASSERT(!!codePtr);
1144     
1145     if (!LLINT_ALWAYS_ACCESS_SLOW && callLinkInfo) {
1146         CodeBlock* callerCodeBlock = exec->codeBlock();
1147
1148         ConcurrentJITLocker locker(callerCodeBlock->m_lock);
1149         
1150         if (callLinkInfo->isOnList())
1151             callLinkInfo->remove();
1152         callLinkInfo->callee.set(vm, callerCodeBlock->ownerExecutable(), callee);
1153         callLinkInfo->lastSeenCallee.set(vm, callerCodeBlock->ownerExecutable(), callee);
1154         callLinkInfo->machineCodeTarget = codePtr;
1155         if (codeBlock)
1156             codeBlock->linkIncomingCall(exec, callLinkInfo);
1157     }
1158
1159     LLINT_CALL_RETURN(exec, execCallee, codePtr.executableAddress());
1160 }
1161
1162 inline SlowPathReturnType genericCall(ExecState* exec, Instruction* pc, CodeSpecializationKind kind)
1163 {
1164     // This needs to:
1165     // - Set up a call frame.
1166     // - Figure out what to call and compile it if necessary.
1167     // - If possible, link the call's inline cache.
1168     // - Return a tuple of machine code address to call and the new call frame.
1169     
1170     JSValue calleeAsValue = LLINT_OP_C(2).jsValue();
1171     
1172     ExecState* execCallee = exec - pc[4].u.operand;
1173     
1174     execCallee->setArgumentCountIncludingThis(pc[3].u.operand);
1175     execCallee->uncheckedR(JSStack::Callee) = calleeAsValue;
1176     execCallee->setCallerFrame(exec);
1177     
1178     ASSERT(pc[5].u.callLinkInfo);
1179     return setUpCall(execCallee, pc, kind, calleeAsValue, pc[5].u.callLinkInfo);
1180 }
1181
1182 LLINT_SLOW_PATH_DECL(slow_path_call)
1183 {
1184     LLINT_BEGIN_NO_SET_PC();
1185     return genericCall(exec, pc, CodeForCall);
1186 }
1187
1188 LLINT_SLOW_PATH_DECL(slow_path_construct)
1189 {
1190     LLINT_BEGIN_NO_SET_PC();
1191     return genericCall(exec, pc, CodeForConstruct);
1192 }
1193
1194 LLINT_SLOW_PATH_DECL(slow_path_size_frame_for_varargs)
1195 {
1196     LLINT_BEGIN();
1197     // This needs to:
1198     // - Set up a call frame while respecting the variable arguments.
1199     
1200     unsigned numUsedStackSlots = -pc[5].u.operand;
1201     unsigned length = sizeFrameForVarargs(exec, &vm.interpreter->stack(),
1202         LLINT_OP_C(4).jsValue(), numUsedStackSlots, pc[6].u.operand);
1203     LLINT_CALL_CHECK_EXCEPTION(exec, exec);
1204     
1205     ExecState* execCallee = calleeFrameForVarargs(exec, numUsedStackSlots, length + 1);
1206     vm.varargsLength = length;
1207     vm.newCallFrameReturnValue = execCallee;
1208
1209     LLINT_RETURN_CALLEE_FRAME(execCallee);
1210 }
1211
1212 LLINT_SLOW_PATH_DECL(slow_path_call_varargs)
1213 {
1214     LLINT_BEGIN_NO_SET_PC();
1215     // This needs to:
1216     // - Figure out what to call and compile it if necessary.
1217     // - Return a tuple of machine code address to call and the new call frame.
1218     
1219     JSValue calleeAsValue = LLINT_OP_C(2).jsValue();
1220     
1221     ExecState* execCallee = vm.newCallFrameReturnValue;
1222
1223     setupVarargsFrameAndSetThis(exec, execCallee, LLINT_OP_C(3).jsValue(), LLINT_OP_C(4).jsValue(), pc[6].u.operand, vm.varargsLength);
1224     LLINT_CALL_CHECK_EXCEPTION(exec, exec);
1225     
1226     execCallee->uncheckedR(JSStack::Callee) = calleeAsValue;
1227     execCallee->setCallerFrame(exec);
1228     exec->setCurrentVPC(pc);
1229     
1230     return setUpCall(execCallee, pc, CodeForCall, calleeAsValue);
1231 }
1232     
1233 LLINT_SLOW_PATH_DECL(slow_path_construct_varargs)
1234 {
1235     LLINT_BEGIN_NO_SET_PC();
1236     // This needs to:
1237     // - Figure out what to call and compile it if necessary.
1238     // - Return a tuple of machine code address to call and the new call frame.
1239     
1240     JSValue calleeAsValue = LLINT_OP_C(2).jsValue();
1241     
1242     ExecState* execCallee = vm.newCallFrameReturnValue;
1243     
1244     setupVarargsFrameAndSetThis(exec, execCallee, LLINT_OP_C(3).jsValue(), LLINT_OP_C(4).jsValue(), pc[6].u.operand, vm.varargsLength);
1245     LLINT_CALL_CHECK_EXCEPTION(exec, exec);
1246     
1247     execCallee->uncheckedR(JSStack::Callee) = calleeAsValue;
1248     execCallee->setCallerFrame(exec);
1249     exec->setCurrentVPC(pc);
1250     
1251     return setUpCall(execCallee, pc, CodeForConstruct, calleeAsValue);
1252 }
1253     
1254 LLINT_SLOW_PATH_DECL(slow_path_call_eval)
1255 {
1256     LLINT_BEGIN_NO_SET_PC();
1257     JSValue calleeAsValue = LLINT_OP(2).jsValue();
1258     
1259     ExecState* execCallee = exec - pc[4].u.operand;
1260     
1261     execCallee->setArgumentCountIncludingThis(pc[3].u.operand);
1262     execCallee->setCallerFrame(exec);
1263     execCallee->uncheckedR(JSStack::Callee) = calleeAsValue;
1264     execCallee->setReturnPC(LLInt::getCodePtr(llint_generic_return_point));
1265     execCallee->setCodeBlock(0);
1266     exec->setCurrentVPC(pc);
1267     
1268     if (!isHostFunction(calleeAsValue, globalFuncEval))
1269         return setUpCall(execCallee, pc, CodeForCall, calleeAsValue);
1270     
1271     vm.hostCallReturnValue = eval(execCallee);
1272     LLINT_CALL_RETURN(exec, execCallee, LLInt::getCodePtr(getHostCallReturnValue));
1273 }
1274
1275 LLINT_SLOW_PATH_DECL(slow_path_strcat)
1276 {
1277     LLINT_BEGIN();
1278     LLINT_RETURN(jsStringFromRegisterArray(exec, &LLINT_OP(2), pc[3].u.operand));
1279 }
1280
1281 LLINT_SLOW_PATH_DECL(slow_path_to_primitive)
1282 {
1283     LLINT_BEGIN();
1284     LLINT_RETURN(LLINT_OP_C(2).jsValue().toPrimitive(exec));
1285 }
1286
1287 LLINT_SLOW_PATH_DECL(slow_path_push_with_scope)
1288 {
1289     LLINT_BEGIN();
1290     JSValue v = LLINT_OP_C(2).jsValue();
1291     JSObject* o = v.toObject(exec);
1292     LLINT_CHECK_EXCEPTION();
1293
1294     int scopeReg = pc[1].u.operand;
1295     JSScope* currentScope = exec->uncheckedR(scopeReg).Register::scope();
1296     exec->uncheckedR(scopeReg) = JSWithScope::create(exec, o, currentScope);
1297     
1298     LLINT_END();
1299 }
1300
1301 LLINT_SLOW_PATH_DECL(slow_path_pop_scope)
1302 {
1303     LLINT_BEGIN();
1304     int scopeReg = pc[1].u.operand;
1305     JSScope* scope = exec->uncheckedR(scopeReg).Register::scope();
1306     exec->uncheckedR(scopeReg) = scope->next();
1307     LLINT_END();
1308 }
1309
1310 LLINT_SLOW_PATH_DECL(slow_path_push_name_scope)
1311 {
1312     LLINT_BEGIN();
1313     int scopeReg = pc[1].u.operand;
1314     JSScope* currentScope = exec->uncheckedR(scopeReg).Register::scope();
1315     JSValue value = LLINT_OP_C(2).jsValue();
1316     SymbolTable* symbolTable = jsCast<SymbolTable*>(LLINT_OP_C(3).jsValue());
1317     JSNameScope::Type type = static_cast<JSNameScope::Type>(pc[4].u.operand);
1318     JSNameScope* scope = JSNameScope::create(vm, exec->lexicalGlobalObject(), currentScope, symbolTable, value, type);
1319     exec->uncheckedR(scopeReg) = scope;
1320     LLINT_END();
1321 }
1322
1323 LLINT_SLOW_PATH_DECL(slow_path_throw)
1324 {
1325     LLINT_BEGIN();
1326     LLINT_THROW(LLINT_OP_C(1).jsValue());
1327 }
1328
1329 LLINT_SLOW_PATH_DECL(slow_path_throw_static_error)
1330 {
1331     LLINT_BEGIN();
1332     JSValue errorMessageValue = LLINT_OP_C(1).jsValue();
1333     RELEASE_ASSERT(errorMessageValue.isString());
1334     String errorMessage = asString(errorMessageValue)->value(exec);
1335     if (pc[2].u.operand)
1336         LLINT_THROW(createReferenceError(exec, errorMessage));
1337     else
1338         LLINT_THROW(createTypeError(exec, errorMessage));
1339 }
1340
1341 LLINT_SLOW_PATH_DECL(slow_path_handle_watchdog_timer)
1342 {
1343     LLINT_BEGIN_NO_SET_PC();
1344     ASSERT(vm.watchdog);
1345     if (UNLIKELY(vm.watchdog->didFire(exec)))
1346         LLINT_THROW(createTerminatedExecutionException(&vm));
1347     LLINT_RETURN_TWO(0, exec);
1348 }
1349
1350 LLINT_SLOW_PATH_DECL(slow_path_debug)
1351 {
1352     LLINT_BEGIN();
1353     int debugHookID = pc[1].u.operand;
1354     vm.interpreter->debug(exec, static_cast<DebugHookID>(debugHookID));
1355     
1356     LLINT_END();
1357 }
1358
1359 LLINT_SLOW_PATH_DECL(slow_path_profile_will_call)
1360 {
1361     LLINT_BEGIN();
1362     if (LegacyProfiler* profiler = vm.enabledProfiler())
1363         profiler->willExecute(exec, LLINT_OP(1).jsValue());
1364     LLINT_END();
1365 }
1366
1367 LLINT_SLOW_PATH_DECL(slow_path_profile_did_call)
1368 {
1369     LLINT_BEGIN();
1370     if (LegacyProfiler* profiler = vm.enabledProfiler())
1371         profiler->didExecute(exec, LLINT_OP(1).jsValue());
1372     LLINT_END();
1373 }
1374
1375 LLINT_SLOW_PATH_DECL(slow_path_handle_exception)
1376 {
1377     LLINT_BEGIN_NO_SET_PC();
1378     genericUnwind(&vm, exec);
1379     LLINT_END_IMPL();
1380 }
1381
1382 LLINT_SLOW_PATH_DECL(slow_path_resolve_scope)
1383 {
1384     LLINT_BEGIN();
1385     const Identifier& ident = exec->codeBlock()->identifier(pc[3].u.operand);
1386     JSScope* scope = LLINT_OP(2).Register::scope();
1387     LLINT_RETURN(JSScope::resolve(exec, scope, ident));
1388 }
1389
1390 LLINT_SLOW_PATH_DECL(slow_path_get_from_scope)
1391 {
1392     LLINT_BEGIN();
1393
1394     const Identifier& ident = exec->codeBlock()->identifier(pc[3].u.operand);
1395     JSObject* scope = jsCast<JSObject*>(LLINT_OP(2).jsValue());
1396     ResolveModeAndType modeAndType(pc[4].u.operand);
1397
1398     PropertySlot slot(scope);
1399     if (!scope->getPropertySlot(exec, ident, slot)) {
1400         if (modeAndType.mode() == ThrowIfNotFound)
1401             LLINT_RETURN(exec->vm().throwException(exec, createUndefinedVariableError(exec, ident)));
1402         LLINT_RETURN(jsUndefined());
1403     }
1404
1405     // Covers implicit globals. Since they don't exist until they first execute, we didn't know how to cache them at compile time.
1406     if (slot.isCacheableValue() && slot.slotBase() == scope && scope->structure()->propertyAccessesAreCacheable()) {
1407         if (modeAndType.type() == GlobalProperty || modeAndType.type() == GlobalPropertyWithVarInjectionChecks) {
1408             CodeBlock* codeBlock = exec->codeBlock();
1409             Structure* structure = scope->structure(vm);
1410             {
1411                 ConcurrentJITLocker locker(codeBlock->m_lock);
1412                 pc[5].u.structure.set(exec->vm(), codeBlock->ownerExecutable(), structure);
1413                 pc[6].u.operand = slot.cachedOffset();
1414             }
1415             structure->startWatchingPropertyForReplacements(vm, slot.cachedOffset());
1416         }
1417     }
1418
1419     LLINT_RETURN(slot.getValue(exec, ident));
1420 }
1421
1422 LLINT_SLOW_PATH_DECL(slow_path_put_to_scope)
1423 {
1424     LLINT_BEGIN();
1425
1426     CodeBlock* codeBlock = exec->codeBlock();
1427     const Identifier& ident = codeBlock->identifier(pc[2].u.operand);
1428     JSObject* scope = jsCast<JSObject*>(LLINT_OP(1).jsValue());
1429     JSValue value = LLINT_OP_C(3).jsValue();
1430     ResolveModeAndType modeAndType = ResolveModeAndType(pc[4].u.operand);
1431     if (modeAndType.type() == LocalClosureVar) {
1432         JSLexicalEnvironment* environment = jsCast<JSLexicalEnvironment*>(scope);
1433         environment->variableAt(ScopeOffset(pc[6].u.operand)).set(vm, environment, value);
1434         
1435         // Have to do this *after* the write, because if this puts the set into IsWatched, then we need
1436         // to have already changed the value of the variable. Otherwise we might watch and constant-fold
1437         // to the Undefined value from before the assignment.
1438         if (WatchpointSet* set = pc[5].u.watchpointSet)
1439             set->touch("Executed op_put_scope<LocalClosureVar>");
1440         LLINT_END();
1441     }
1442
1443     if (modeAndType.mode() == ThrowIfNotFound && !scope->hasProperty(exec, ident))
1444         LLINT_THROW(createUndefinedVariableError(exec, ident));
1445
1446     PutPropertySlot slot(scope, codeBlock->isStrictMode());
1447     scope->methodTable()->put(scope, exec, ident, value, slot);
1448     
1449     CommonSlowPaths::tryCachePutToScopeGlobal(exec, codeBlock, pc, scope, modeAndType, slot);
1450
1451     LLINT_END();
1452 }
1453
1454 extern "C" SlowPathReturnType llint_throw_stack_overflow_error(VM* vm, ProtoCallFrame* protoFrame)
1455 {
1456     ExecState* exec = vm->topCallFrame;
1457     if (!exec)
1458         exec = protoFrame->callee()->globalObject()->globalExec();
1459     throwStackOverflowError(exec);
1460     return encodeResult(0, 0);
1461 }
1462
1463 #if !ENABLE(JIT)
1464 extern "C" SlowPathReturnType llint_stack_check_at_vm_entry(VM* vm, Register* newTopOfStack)
1465 {
1466     bool success = vm->interpreter->stack().ensureCapacityFor(newTopOfStack);
1467     return encodeResult(reinterpret_cast<void*>(success), 0);
1468 }
1469 #endif
1470
1471 extern "C" void llint_write_barrier_slow(ExecState* exec, JSCell* cell)
1472 {
1473     VM& vm = exec->vm();
1474     vm.heap.writeBarrier(cell);
1475 }
1476
1477 extern "C" NO_RETURN_DUE_TO_CRASH void llint_crash()
1478 {
1479     CRASH();
1480 }
1481
1482 } } // namespace JSC::LLInt