Rename op_put_getter_setter to op_put_getter_setter_by_id
[WebKit-https.git] / Source / JavaScriptCore / llint / LLIntSlowPaths.cpp
1 /*
2  * Copyright (C) 2011-2015 Apple Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
24  */
25
26 #include "config.h"
27 #include "LLIntSlowPaths.h"
28
29 #include "ArrayConstructor.h"
30 #include "CallFrame.h"
31 #include "CommonSlowPaths.h"
32 #include "CommonSlowPathsExceptions.h"
33 #include "Error.h"
34 #include "ErrorHandlingScope.h"
35 #include "Exception.h"
36 #include "ExceptionFuzz.h"
37 #include "GetterSetter.h"
38 #include "HostCallReturnValue.h"
39 #include "Interpreter.h"
40 #include "JIT.h"
41 #include "JITExceptions.h"
42 #include "JSArrowFunction.h"
43 #include "JSLexicalEnvironment.h"
44 #include "JSCInlines.h"
45 #include "JSCJSValue.h"
46 #include "JSGlobalObjectFunctions.h"
47 #include "JSStackInlines.h"
48 #include "JSString.h"
49 #include "JSWithScope.h"
50 #include "LLIntCommon.h"
51 #include "LLIntExceptions.h"
52 #include "LegacyProfiler.h"
53 #include "LowLevelInterpreter.h"
54 #include "ObjectConstructor.h"
55 #include "ProtoCallFrame.h"
56 #include "StructureRareDataInlines.h"
57 #include "VMInlines.h"
58 #include <wtf/StringPrintStream.h>
59
60 namespace JSC { namespace LLInt {
61
62 #define LLINT_BEGIN_NO_SET_PC() \
63     VM& vm = exec->vm();      \
64     NativeCallFrameTracer tracer(&vm, exec)
65
66 #ifndef NDEBUG
67 #define LLINT_SET_PC_FOR_STUBS() do { \
68         exec->codeBlock()->bytecodeOffset(pc); \
69         exec->setCurrentVPC(pc + 1); \
70     } while (false)
71 #else
72 #define LLINT_SET_PC_FOR_STUBS() do { \
73         exec->setCurrentVPC(pc + 1); \
74     } while (false)
75 #endif
76
77 #define LLINT_BEGIN()                           \
78     LLINT_BEGIN_NO_SET_PC();                    \
79     LLINT_SET_PC_FOR_STUBS()
80
81 #define LLINT_OP(index) (exec->uncheckedR(pc[index].u.operand))
82 #define LLINT_OP_C(index) (exec->r(pc[index].u.operand))
83
84 #define LLINT_RETURN_TWO(first, second) do {       \
85         return encodeResult(first, second);        \
86     } while (false)
87
88 #define LLINT_END_IMPL() LLINT_RETURN_TWO(pc, 0)
89
90 #define LLINT_THROW(exceptionToThrow) do {                        \
91         vm.throwException(exec, exceptionToThrow);                \
92         pc = returnToThrow(exec);                                 \
93         LLINT_END_IMPL();                                         \
94     } while (false)
95
96 #define LLINT_CHECK_EXCEPTION() do {                    \
97         doExceptionFuzzingIfEnabled(exec, "LLIntSlowPaths", pc);    \
98         if (UNLIKELY(vm.exception())) {                 \
99             pc = returnToThrow(exec);                   \
100             LLINT_END_IMPL();                           \
101         }                                               \
102     } while (false)
103
104 #define LLINT_END() do {                        \
105         LLINT_CHECK_EXCEPTION();                \
106         LLINT_END_IMPL();                       \
107     } while (false)
108
109 #define LLINT_BRANCH(opcode, condition) do {                      \
110         bool __b_condition = (condition);                         \
111         LLINT_CHECK_EXCEPTION();                                  \
112         if (__b_condition)                                        \
113             pc += pc[OPCODE_LENGTH(opcode) - 1].u.operand;        \
114         else                                                      \
115             pc += OPCODE_LENGTH(opcode);                          \
116         LLINT_END_IMPL();                                         \
117     } while (false)
118
119 #define LLINT_RETURN(value) do {                \
120         JSValue __r_returnValue = (value);      \
121         LLINT_CHECK_EXCEPTION();                \
122         LLINT_OP(1) = __r_returnValue;          \
123         LLINT_END_IMPL();                       \
124     } while (false)
125
126 #define LLINT_RETURN_WITH_PC_ADJUSTMENT(value, pcAdjustment) do { \
127         JSValue __r_returnValue = (value);      \
128         LLINT_CHECK_EXCEPTION();                \
129         LLINT_OP(1) = __r_returnValue;          \
130         pc += (pcAdjustment);                   \
131         LLINT_END_IMPL();                       \
132     } while (false)
133
134 #define LLINT_RETURN_PROFILED(opcode, value) do {               \
135         JSValue __rp_returnValue = (value);                     \
136         LLINT_CHECK_EXCEPTION();                                \
137         LLINT_OP(1) = __rp_returnValue;                         \
138         LLINT_PROFILE_VALUE(opcode, __rp_returnValue);          \
139         LLINT_END_IMPL();                                       \
140     } while (false)
141
142 #define LLINT_PROFILE_VALUE(opcode, value) do { \
143         pc[OPCODE_LENGTH(opcode) - 1].u.profile->m_buckets[0] = \
144         JSValue::encode(value);                  \
145     } while (false)
146
147 #define LLINT_CALL_END_IMPL(exec, callTarget) LLINT_RETURN_TWO((callTarget), (exec))
148
149 #define LLINT_CALL_THROW(exec, exceptionToThrow) do {                   \
150         ExecState* __ct_exec = (exec);                                  \
151         vm.throwException(__ct_exec, exceptionToThrow);                 \
152         LLINT_CALL_END_IMPL(0, callToThrow(__ct_exec));                 \
153     } while (false)
154
155 #define LLINT_CALL_CHECK_EXCEPTION(exec, execCallee) do {               \
156         ExecState* __cce_exec = (exec);                                 \
157         ExecState* __cce_execCallee = (execCallee);                     \
158         doExceptionFuzzingIfEnabled(__cce_exec, "LLIntSlowPaths/call", nullptr); \
159         if (UNLIKELY(vm.exception()))                                   \
160             LLINT_CALL_END_IMPL(0, callToThrow(__cce_execCallee));      \
161     } while (false)
162
163 #define LLINT_CALL_RETURN(exec, execCallee, callTarget) do {            \
164         ExecState* __cr_exec = (exec);                                  \
165         ExecState* __cr_execCallee = (execCallee);                      \
166         void* __cr_callTarget = (callTarget);                           \
167         LLINT_CALL_CHECK_EXCEPTION(__cr_exec, __cr_execCallee);         \
168         LLINT_CALL_END_IMPL(__cr_execCallee, __cr_callTarget);          \
169     } while (false)
170
171 #define LLINT_RETURN_CALLEE_FRAME(execCallee) do {                      \
172         ExecState* __rcf_exec = (execCallee);                           \
173         LLINT_RETURN_TWO(pc, __rcf_exec);                               \
174     } while (false)
175     
176 extern "C" SlowPathReturnType llint_trace_operand(ExecState* exec, Instruction* pc, int fromWhere, int operand)
177 {
178     LLINT_BEGIN();
179     dataLogF("%p / %p: executing bc#%zu, op#%u: Trace(%d): %d: %d\n",
180             exec->codeBlock(),
181             exec,
182             static_cast<intptr_t>(pc - exec->codeBlock()->instructions().begin()),
183             exec->vm().interpreter->getOpcodeID(pc[0].u.opcode),
184             fromWhere,
185             operand,
186             pc[operand].u.operand);
187     LLINT_END();
188 }
189
190 extern "C" SlowPathReturnType llint_trace_value(ExecState* exec, Instruction* pc, int fromWhere, int operand)
191 {
192     JSValue value = LLINT_OP_C(operand).jsValue();
193     union {
194         struct {
195             uint32_t tag;
196             uint32_t payload;
197         } bits;
198         EncodedJSValue asValue;
199     } u;
200     u.asValue = JSValue::encode(value);
201     dataLogF(
202         "%p / %p: executing bc#%zu, op#%u: Trace(%d): %d: %d: %08x:%08x: %s\n",
203         exec->codeBlock(),
204         exec,
205         static_cast<intptr_t>(pc - exec->codeBlock()->instructions().begin()),
206         exec->vm().interpreter->getOpcodeID(pc[0].u.opcode),
207         fromWhere,
208         operand,
209         pc[operand].u.operand,
210         u.bits.tag,
211         u.bits.payload,
212         toCString(value).data());
213     LLINT_END_IMPL();
214 }
215
216 LLINT_SLOW_PATH_DECL(trace_prologue)
217 {
218     dataLogF("%p / %p: in prologue.\n", exec->codeBlock(), exec);
219     LLINT_END_IMPL();
220 }
221
222 static void traceFunctionPrologue(ExecState* exec, const char* comment, CodeSpecializationKind kind)
223 {
224     JSFunction* callee = jsCast<JSFunction*>(exec->callee());
225     FunctionExecutable* executable = callee->jsExecutable();
226     CodeBlock* codeBlock = executable->codeBlockFor(kind);
227     dataLogF("%p / %p: in %s of function %p, executable %p; numVars = %u, numParameters = %u, numCalleeRegisters = %u, caller = %p.\n",
228             codeBlock, exec, comment, callee, executable,
229             codeBlock->m_numVars, codeBlock->numParameters(), codeBlock->m_numCalleeRegisters,
230             exec->callerFrame());
231 }
232
233 LLINT_SLOW_PATH_DECL(trace_prologue_function_for_call)
234 {
235     traceFunctionPrologue(exec, "call prologue", CodeForCall);
236     LLINT_END_IMPL();
237 }
238
239 LLINT_SLOW_PATH_DECL(trace_prologue_function_for_construct)
240 {
241     traceFunctionPrologue(exec, "construct prologue", CodeForConstruct);
242     LLINT_END_IMPL();
243 }
244
245 LLINT_SLOW_PATH_DECL(trace_arityCheck_for_call)
246 {
247     traceFunctionPrologue(exec, "call arity check", CodeForCall);
248     LLINT_END_IMPL();
249 }
250
251 LLINT_SLOW_PATH_DECL(trace_arityCheck_for_construct)
252 {
253     traceFunctionPrologue(exec, "construct arity check", CodeForConstruct);
254     LLINT_END_IMPL();
255 }
256
257 LLINT_SLOW_PATH_DECL(trace)
258 {
259     dataLogF("%p / %p: executing bc#%zu, %s, pc = %p\n",
260             exec->codeBlock(),
261             exec,
262             static_cast<intptr_t>(pc - exec->codeBlock()->instructions().begin()),
263             opcodeNames[exec->vm().interpreter->getOpcodeID(pc[0].u.opcode)], pc);
264     if (exec->vm().interpreter->getOpcodeID(pc[0].u.opcode) == op_enter) {
265         dataLogF("Frame will eventually return to %p\n", exec->returnPC().value());
266         *bitwise_cast<volatile char*>(exec->returnPC().value());
267     }
268     if (exec->vm().interpreter->getOpcodeID(pc[0].u.opcode) == op_ret) {
269         dataLogF("Will be returning to %p\n", exec->returnPC().value());
270         dataLogF("The new cfr will be %p\n", exec->callerFrame());
271     }
272     LLINT_END_IMPL();
273 }
274
275 LLINT_SLOW_PATH_DECL(special_trace)
276 {
277     dataLogF("%p / %p: executing special case bc#%zu, op#%u, return PC is %p\n",
278             exec->codeBlock(),
279             exec,
280             static_cast<intptr_t>(pc - exec->codeBlock()->instructions().begin()),
281             exec->vm().interpreter->getOpcodeID(pc[0].u.opcode),
282             exec->returnPC().value());
283     LLINT_END_IMPL();
284 }
285
286 enum EntryKind { Prologue, ArityCheck };
287
288 #if ENABLE(JIT)
289 inline bool shouldJIT(ExecState* exec, CodeBlock*)
290 {
291     // You can modify this to turn off JITting without rebuilding the world.
292     return exec->vm().canUseJIT();
293 }
294
295 // Returns true if we should try to OSR.
296 inline bool jitCompileAndSetHeuristics(CodeBlock* codeBlock, ExecState* exec)
297 {
298     VM& vm = exec->vm();
299     DeferGCForAWhile deferGC(vm.heap); // My callers don't set top callframe, so we don't want to GC here at all.
300     
301     codeBlock->updateAllValueProfilePredictions();
302
303     if (!codeBlock->checkIfJITThresholdReached()) {
304         if (Options::verboseOSR())
305             dataLogF("    JIT threshold should be lifted.\n");
306         return false;
307     }
308     
309     switch (codeBlock->jitType()) {
310     case JITCode::BaselineJIT: {
311         if (Options::verboseOSR())
312             dataLogF("    Code was already compiled.\n");
313         codeBlock->jitSoon();
314         return true;
315     }
316     case JITCode::InterpreterThunk: {
317         CompilationResult result = JIT::compile(&vm, codeBlock, JITCompilationCanFail);
318         switch (result) {
319         case CompilationFailed:
320             if (Options::verboseOSR())
321                 dataLogF("    JIT compilation failed.\n");
322             codeBlock->dontJITAnytimeSoon();
323             return false;
324         case CompilationSuccessful:
325             if (Options::verboseOSR())
326                 dataLogF("    JIT compilation successful.\n");
327             codeBlock->ownerScriptExecutable()->installCode(codeBlock);
328             codeBlock->jitSoon();
329             return true;
330         default:
331             RELEASE_ASSERT_NOT_REACHED();
332             return false;
333         }
334     }
335     default:
336         dataLog("Unexpected code block in LLInt: ", *codeBlock, "\n");
337         RELEASE_ASSERT_NOT_REACHED();
338         return false;
339     }
340 }
341
342 static SlowPathReturnType entryOSR(ExecState* exec, Instruction*, CodeBlock* codeBlock, const char *name, EntryKind kind)
343 {
344     if (Options::verboseOSR()) {
345         dataLog(
346             *codeBlock, ": Entered ", name, " with executeCounter = ",
347             codeBlock->llintExecuteCounter(), "\n");
348     }
349     
350     if (!shouldJIT(exec, codeBlock)) {
351         codeBlock->dontJITAnytimeSoon();
352         LLINT_RETURN_TWO(0, 0);
353     }
354     if (!jitCompileAndSetHeuristics(codeBlock, exec))
355         LLINT_RETURN_TWO(0, 0);
356     
357     if (kind == Prologue)
358         LLINT_RETURN_TWO(codeBlock->jitCode()->executableAddress(), 0);
359     ASSERT(kind == ArityCheck);
360     LLINT_RETURN_TWO(codeBlock->jitCode()->addressForCall(MustCheckArity).executableAddress(), 0);
361 }
362 #else // ENABLE(JIT)
363 static SlowPathReturnType entryOSR(ExecState* exec, Instruction*, CodeBlock* codeBlock, const char*, EntryKind)
364 {
365     codeBlock->dontJITAnytimeSoon();
366     LLINT_RETURN_TWO(0, exec);
367 }
368 #endif // ENABLE(JIT)
369
370 LLINT_SLOW_PATH_DECL(entry_osr)
371 {
372     return entryOSR(exec, pc, exec->codeBlock(), "entry_osr", Prologue);
373 }
374
375 LLINT_SLOW_PATH_DECL(entry_osr_function_for_call)
376 {
377     return entryOSR(exec, pc, jsCast<JSFunction*>(exec->callee())->jsExecutable()->codeBlockForCall(), "entry_osr_function_for_call", Prologue);
378 }
379
380 LLINT_SLOW_PATH_DECL(entry_osr_function_for_construct)
381 {
382     return entryOSR(exec, pc, jsCast<JSFunction*>(exec->callee())->jsExecutable()->codeBlockForConstruct(), "entry_osr_function_for_construct", Prologue);
383 }
384
385 LLINT_SLOW_PATH_DECL(entry_osr_function_for_call_arityCheck)
386 {
387     return entryOSR(exec, pc, jsCast<JSFunction*>(exec->callee())->jsExecutable()->codeBlockForCall(), "entry_osr_function_for_call_arityCheck", ArityCheck);
388 }
389
390 LLINT_SLOW_PATH_DECL(entry_osr_function_for_construct_arityCheck)
391 {
392     return entryOSR(exec, pc, jsCast<JSFunction*>(exec->callee())->jsExecutable()->codeBlockForConstruct(), "entry_osr_function_for_construct_arityCheck", ArityCheck);
393 }
394
395 LLINT_SLOW_PATH_DECL(loop_osr)
396 {
397     CodeBlock* codeBlock = exec->codeBlock();
398
399 #if ENABLE(JIT)
400     if (Options::verboseOSR()) {
401         dataLog(
402             *codeBlock, ": Entered loop_osr with executeCounter = ",
403             codeBlock->llintExecuteCounter(), "\n");
404     }
405     
406     if (!shouldJIT(exec, codeBlock)) {
407         codeBlock->dontJITAnytimeSoon();
408         LLINT_RETURN_TWO(0, 0);
409     }
410     
411     if (!jitCompileAndSetHeuristics(codeBlock, exec))
412         LLINT_RETURN_TWO(0, 0);
413     
414     ASSERT(codeBlock->jitType() == JITCode::BaselineJIT);
415     
416     Vector<BytecodeAndMachineOffset> map;
417     codeBlock->jitCodeMap()->decode(map);
418     BytecodeAndMachineOffset* mapping = binarySearch<BytecodeAndMachineOffset, unsigned>(map, map.size(), pc - codeBlock->instructions().begin(), BytecodeAndMachineOffset::getBytecodeIndex);
419     ASSERT(mapping);
420     ASSERT(mapping->m_bytecodeIndex == static_cast<unsigned>(pc - codeBlock->instructions().begin()));
421     
422     void* jumpTarget = codeBlock->jitCode()->executableAddressAtOffset(mapping->m_machineCodeOffset);
423     ASSERT(jumpTarget);
424     
425     LLINT_RETURN_TWO(jumpTarget, exec->topOfFrame());
426 #else // ENABLE(JIT)
427     UNUSED_PARAM(pc);
428     codeBlock->dontJITAnytimeSoon();
429     LLINT_RETURN_TWO(0, 0);
430 #endif // ENABLE(JIT)
431 }
432
433 LLINT_SLOW_PATH_DECL(replace)
434 {
435     CodeBlock* codeBlock = exec->codeBlock();
436
437 #if ENABLE(JIT)
438     if (Options::verboseOSR()) {
439         dataLog(
440             *codeBlock, ": Entered replace with executeCounter = ",
441             codeBlock->llintExecuteCounter(), "\n");
442     }
443     
444     if (shouldJIT(exec, codeBlock))
445         jitCompileAndSetHeuristics(codeBlock, exec);
446     else
447         codeBlock->dontJITAnytimeSoon();
448     LLINT_END_IMPL();
449 #else // ENABLE(JIT)
450     codeBlock->dontJITAnytimeSoon();
451     LLINT_END_IMPL();
452 #endif // ENABLE(JIT)
453 }
454
455 LLINT_SLOW_PATH_DECL(stack_check)
456 {
457     LLINT_BEGIN();
458 #if LLINT_SLOW_PATH_TRACING
459     dataLogF("Checking stack height with exec = %p.\n", exec);
460     dataLogF("CodeBlock = %p.\n", exec->codeBlock());
461     dataLogF("Num callee registers = %u.\n", exec->codeBlock()->m_numCalleeRegisters);
462     dataLogF("Num vars = %u.\n", exec->codeBlock()->m_numVars);
463
464 #if ENABLE(JIT)
465     dataLogF("Current end is at %p.\n", exec->vm().stackLimit());
466 #else
467     dataLogF("Current end is at %p.\n", exec->vm().jsStackLimit());
468 #endif
469
470 #endif
471     // If the stack check succeeds and we don't need to throw the error, then
472     // we'll return 0 instead. The prologue will check for a non-zero value
473     // when determining whether to set the callFrame or not.
474
475     // For JIT enabled builds which uses the C stack, the stack is not growable.
476     // Hence, if we get here, then we know a stack overflow is imminent. So, just
477     // throw the StackOverflowError unconditionally.
478 #if !ENABLE(JIT)
479     ASSERT(!vm.interpreter->stack().containsAddress(exec->topOfFrame()));
480     if (LIKELY(vm.interpreter->stack().ensureCapacityFor(exec->topOfFrame())))
481         LLINT_RETURN_TWO(pc, 0);
482 #endif
483
484     vm.topCallFrame = exec;
485     ErrorHandlingScope errorScope(vm);
486     vm.throwException(exec, createStackOverflowError(exec));
487     pc = returnToThrow(exec);
488     LLINT_RETURN_TWO(pc, exec);
489 }
490
491 LLINT_SLOW_PATH_DECL(slow_path_new_object)
492 {
493     LLINT_BEGIN();
494     LLINT_RETURN(constructEmptyObject(exec, pc[3].u.objectAllocationProfile->structure()));
495 }
496
497 LLINT_SLOW_PATH_DECL(slow_path_new_array)
498 {
499     LLINT_BEGIN();
500     LLINT_RETURN(constructArrayNegativeIndexed(exec, pc[4].u.arrayAllocationProfile, bitwise_cast<JSValue*>(&LLINT_OP(2)), pc[3].u.operand));
501 }
502
503 LLINT_SLOW_PATH_DECL(slow_path_new_array_with_size)
504 {
505     LLINT_BEGIN();
506     LLINT_RETURN(constructArrayWithSizeQuirk(exec, pc[3].u.arrayAllocationProfile, exec->lexicalGlobalObject(), LLINT_OP_C(2).jsValue()));
507 }
508
509 LLINT_SLOW_PATH_DECL(slow_path_new_array_buffer)
510 {
511     LLINT_BEGIN();
512     LLINT_RETURN(constructArray(exec, pc[4].u.arrayAllocationProfile, exec->codeBlock()->constantBuffer(pc[2].u.operand), pc[3].u.operand));
513 }
514
515 LLINT_SLOW_PATH_DECL(slow_path_new_regexp)
516 {
517     LLINT_BEGIN();
518     RegExp* regExp = exec->codeBlock()->regexp(pc[2].u.operand);
519     if (!regExp->isValid())
520         LLINT_THROW(createSyntaxError(exec, "Invalid flag supplied to RegExp constructor."));
521     LLINT_RETURN(RegExpObject::create(vm, exec->lexicalGlobalObject()->regExpStructure(), regExp));
522 }
523
524 LLINT_SLOW_PATH_DECL(slow_path_check_has_instance)
525 {
526     LLINT_BEGIN();
527     
528     JSValue value = LLINT_OP_C(2).jsValue();
529     JSValue baseVal = LLINT_OP_C(3).jsValue();
530     if (baseVal.isObject()) {
531         JSObject* baseObject = asObject(baseVal);
532         ASSERT(!baseObject->structure()->typeInfo().implementsDefaultHasInstance());
533         if (baseObject->structure()->typeInfo().implementsHasInstance()) {
534             JSValue result = jsBoolean(baseObject->methodTable()->customHasInstance(baseObject, exec, value));
535             LLINT_RETURN_WITH_PC_ADJUSTMENT(result, pc[4].u.operand);
536         }
537     }
538     LLINT_THROW(createInvalidInstanceofParameterError(exec, baseVal));
539 }
540
541 LLINT_SLOW_PATH_DECL(slow_path_instanceof)
542 {
543     LLINT_BEGIN();
544     JSValue value = LLINT_OP_C(2).jsValue();
545     JSValue proto = LLINT_OP_C(3).jsValue();
546     ASSERT(!value.isObject() || !proto.isObject());
547     LLINT_RETURN(jsBoolean(JSObject::defaultHasInstance(exec, value, proto)));
548 }
549
550 LLINT_SLOW_PATH_DECL(slow_path_get_by_id)
551 {
552     LLINT_BEGIN();
553     CodeBlock* codeBlock = exec->codeBlock();
554     const Identifier& ident = codeBlock->identifier(pc[3].u.operand);
555     JSValue baseValue = LLINT_OP_C(2).jsValue();
556     PropertySlot slot(baseValue);
557
558     JSValue result = baseValue.get(exec, ident, slot);
559     LLINT_CHECK_EXCEPTION();
560     LLINT_OP(1) = result;
561     
562     if (!LLINT_ALWAYS_ACCESS_SLOW
563         && baseValue.isCell()
564         && slot.isCacheable()
565         && slot.slotBase() == baseValue
566         && slot.isCacheableValue()) {
567         
568         JSCell* baseCell = baseValue.asCell();
569         Structure* structure = baseCell->structure();
570         
571         // Start out by clearing out the old cache.
572         pc[0].u.opcode = LLInt::getOpcode(op_get_by_id);
573         pc[4].u.pointer = nullptr; // old structure
574         pc[5].u.pointer = nullptr; // offset
575         
576         if (!structure->isUncacheableDictionary()
577             && !structure->typeInfo().prohibitsPropertyCaching()
578             && !structure->typeInfo().newImpurePropertyFiresWatchpoints()) {
579             vm.heap.writeBarrier(codeBlock);
580             
581             ConcurrentJITLocker locker(codeBlock->m_lock);
582
583             pc[4].u.structureID = structure->id();
584             pc[5].u.operand = slot.cachedOffset();
585         }
586     }
587
588     if (!LLINT_ALWAYS_ACCESS_SLOW
589         && isJSArray(baseValue)
590         && ident == exec->propertyNames().length) {
591         pc[0].u.opcode = LLInt::getOpcode(op_get_array_length);
592         ArrayProfile* arrayProfile = codeBlock->getOrAddArrayProfile(pc - codeBlock->instructions().begin());
593         arrayProfile->observeStructure(baseValue.asCell()->structure());
594         pc[4].u.arrayProfile = arrayProfile;
595     }
596
597     pc[OPCODE_LENGTH(op_get_by_id) - 1].u.profile->m_buckets[0] = JSValue::encode(result);
598     LLINT_END();
599 }
600
601 LLINT_SLOW_PATH_DECL(slow_path_get_arguments_length)
602 {
603     LLINT_BEGIN();
604     CodeBlock* codeBlock = exec->codeBlock();
605     const Identifier& ident = codeBlock->identifier(pc[3].u.operand);
606     JSValue baseValue = LLINT_OP(2).jsValue();
607     PropertySlot slot(baseValue);
608     LLINT_RETURN(baseValue.get(exec, ident, slot));
609 }
610
611 LLINT_SLOW_PATH_DECL(slow_path_put_by_id)
612 {
613     LLINT_BEGIN();
614     CodeBlock* codeBlock = exec->codeBlock();
615     const Identifier& ident = codeBlock->identifier(pc[2].u.operand);
616     
617     JSValue baseValue = LLINT_OP_C(1).jsValue();
618     PutPropertySlot slot(baseValue, codeBlock->isStrictMode(), codeBlock->putByIdContext());
619     if (pc[8].u.putByIdFlags & PutByIdIsDirect)
620         asObject(baseValue)->putDirect(vm, ident, LLINT_OP_C(3).jsValue(), slot);
621     else
622         baseValue.put(exec, ident, LLINT_OP_C(3).jsValue(), slot);
623     LLINT_CHECK_EXCEPTION();
624     
625     if (!LLINT_ALWAYS_ACCESS_SLOW
626         && baseValue.isCell()
627         && slot.isCacheablePut()) {
628
629         // Start out by clearing out the old cache.
630         pc[4].u.pointer = nullptr; // old structure
631         pc[5].u.pointer = nullptr; // offset
632         pc[6].u.pointer = nullptr; // new structure
633         pc[7].u.pointer = nullptr; // structure chain
634         pc[8].u.putByIdFlags =
635             static_cast<PutByIdFlags>(pc[8].u.putByIdFlags & PutByIdPersistentFlagsMask);
636         
637         JSCell* baseCell = baseValue.asCell();
638         Structure* structure = baseCell->structure();
639         
640         if (!structure->isUncacheableDictionary()
641             && !structure->typeInfo().prohibitsPropertyCaching()
642             && baseCell == slot.base()) {
643
644             vm.heap.writeBarrier(codeBlock);
645             
646             if (slot.type() == PutPropertySlot::NewProperty) {
647                 GCSafeConcurrentJITLocker locker(codeBlock->m_lock, vm.heap);
648             
649                 if (!structure->isDictionary() && structure->previousID()->outOfLineCapacity() == structure->outOfLineCapacity()) {
650                     ASSERT(structure->previousID()->transitionWatchpointSetHasBeenInvalidated());
651
652                     if (normalizePrototypeChain(exec, structure) != InvalidPrototypeChain) {
653                         ASSERT(structure->previousID()->isObject());
654                         pc[4].u.structureID = structure->previousID()->id();
655                         pc[5].u.operand = slot.cachedOffset();
656                         pc[6].u.structureID = structure->id();
657                         if (!(pc[8].u.putByIdFlags & PutByIdIsDirect)) {
658                             StructureChain* chain = structure->prototypeChain(exec);
659                             ASSERT(chain);
660                             pc[7].u.structureChain.set(
661                                 vm, codeBlock, chain);
662                         }
663                         pc[8].u.putByIdFlags = static_cast<PutByIdFlags>(
664                             pc[8].u.putByIdFlags |
665                             structure->inferredTypeDescriptorFor(ident.impl()).putByIdFlags());
666                     }
667                 }
668             } else {
669                 structure->didCachePropertyReplacement(vm, slot.cachedOffset());
670                 pc[4].u.structureID = structure->id();
671                 pc[5].u.operand = slot.cachedOffset();
672                 pc[8].u.putByIdFlags = static_cast<PutByIdFlags>(
673                     pc[8].u.putByIdFlags |
674                     structure->inferredTypeDescriptorFor(ident.impl()).putByIdFlags());
675             }
676         }
677     }
678     
679     LLINT_END();
680 }
681
682 LLINT_SLOW_PATH_DECL(slow_path_del_by_id)
683 {
684     LLINT_BEGIN();
685     CodeBlock* codeBlock = exec->codeBlock();
686     JSObject* baseObject = LLINT_OP_C(2).jsValue().toObject(exec);
687     bool couldDelete = baseObject->methodTable()->deleteProperty(baseObject, exec, codeBlock->identifier(pc[3].u.operand));
688     LLINT_CHECK_EXCEPTION();
689     if (!couldDelete && codeBlock->isStrictMode())
690         LLINT_THROW(createTypeError(exec, "Unable to delete property."));
691     LLINT_RETURN(jsBoolean(couldDelete));
692 }
693
694 inline JSValue getByVal(ExecState* exec, JSValue baseValue, JSValue subscript)
695 {
696     if (LIKELY(baseValue.isCell() && subscript.isString())) {
697         VM& vm = exec->vm();
698         Structure& structure = *baseValue.asCell()->structure(vm);
699         if (JSCell::canUseFastGetOwnProperty(structure)) {
700             if (RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec)) {
701                 if (JSValue result = baseValue.asCell()->fastGetOwnProperty(vm, structure, existingAtomicString.get()))
702                     return result;
703             }
704         }
705     }
706     
707     if (subscript.isUInt32()) {
708         uint32_t i = subscript.asUInt32();
709         if (isJSString(baseValue) && asString(baseValue)->canGetIndex(i))
710             return asString(baseValue)->getIndex(exec, i);
711         
712         return baseValue.get(exec, i);
713     }
714
715     baseValue.requireObjectCoercible(exec);
716     if (exec->hadException())
717         return jsUndefined();
718     auto property = subscript.toPropertyKey(exec);
719     if (exec->hadException())
720         return jsUndefined();
721     return baseValue.get(exec, property);
722 }
723
724 LLINT_SLOW_PATH_DECL(slow_path_get_by_val)
725 {
726     LLINT_BEGIN();
727     LLINT_RETURN_PROFILED(op_get_by_val, getByVal(exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(3).jsValue()));
728 }
729
730 LLINT_SLOW_PATH_DECL(slow_path_put_by_val)
731 {
732     LLINT_BEGIN();
733     
734     JSValue baseValue = LLINT_OP_C(1).jsValue();
735     JSValue subscript = LLINT_OP_C(2).jsValue();
736     JSValue value = LLINT_OP_C(3).jsValue();
737     
738     if (LIKELY(subscript.isUInt32())) {
739         uint32_t i = subscript.asUInt32();
740         if (baseValue.isObject()) {
741             JSObject* object = asObject(baseValue);
742             if (object->canSetIndexQuickly(i))
743                 object->setIndexQuickly(vm, i, value);
744             else
745                 object->methodTable()->putByIndex(object, exec, i, value, exec->codeBlock()->isStrictMode());
746             LLINT_END();
747         }
748         baseValue.putByIndex(exec, i, value, exec->codeBlock()->isStrictMode());
749         LLINT_END();
750     }
751
752     auto property = subscript.toPropertyKey(exec);
753     LLINT_CHECK_EXCEPTION();
754     PutPropertySlot slot(baseValue, exec->codeBlock()->isStrictMode());
755     baseValue.put(exec, property, value, slot);
756     LLINT_END();
757 }
758
759 LLINT_SLOW_PATH_DECL(slow_path_put_by_val_direct)
760 {
761     LLINT_BEGIN();
762     
763     JSValue baseValue = LLINT_OP_C(1).jsValue();
764     JSValue subscript = LLINT_OP_C(2).jsValue();
765     JSValue value = LLINT_OP_C(3).jsValue();
766     RELEASE_ASSERT(baseValue.isObject());
767     JSObject* baseObject = asObject(baseValue);
768     bool isStrictMode = exec->codeBlock()->isStrictMode();
769     if (LIKELY(subscript.isUInt32())) {
770         // Despite its name, JSValue::isUInt32 will return true only for positive boxed int32_t; all those values are valid array indices.
771         ASSERT(isIndex(subscript.asUInt32()));
772         baseObject->putDirectIndex(exec, subscript.asUInt32(), value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
773         LLINT_END();
774     }
775
776     if (subscript.isDouble()) {
777         double subscriptAsDouble = subscript.asDouble();
778         uint32_t subscriptAsUInt32 = static_cast<uint32_t>(subscriptAsDouble);
779         if (subscriptAsDouble == subscriptAsUInt32 && isIndex(subscriptAsUInt32)) {
780             baseObject->putDirectIndex(exec, subscriptAsUInt32, value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
781             LLINT_END();
782         }
783     }
784
785     // Don't put to an object if toString threw an exception.
786     auto property = subscript.toPropertyKey(exec);
787     if (exec->vm().exception())
788         LLINT_END();
789
790     if (Optional<uint32_t> index = parseIndex(property))
791         baseObject->putDirectIndex(exec, index.value(), value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
792     else {
793         PutPropertySlot slot(baseObject, isStrictMode);
794         baseObject->putDirect(exec->vm(), property, value, slot);
795     }
796     LLINT_END();
797 }
798
799 LLINT_SLOW_PATH_DECL(slow_path_del_by_val)
800 {
801     LLINT_BEGIN();
802     JSValue baseValue = LLINT_OP_C(2).jsValue();
803     JSObject* baseObject = baseValue.toObject(exec);
804     
805     JSValue subscript = LLINT_OP_C(3).jsValue();
806     
807     bool couldDelete;
808     
809     uint32_t i;
810     if (subscript.getUInt32(i))
811         couldDelete = baseObject->methodTable()->deletePropertyByIndex(baseObject, exec, i);
812     else {
813         LLINT_CHECK_EXCEPTION();
814         auto property = subscript.toPropertyKey(exec);
815         LLINT_CHECK_EXCEPTION();
816         couldDelete = baseObject->methodTable()->deleteProperty(baseObject, exec, property);
817     }
818     
819     if (!couldDelete && exec->codeBlock()->isStrictMode())
820         LLINT_THROW(createTypeError(exec, "Unable to delete property."));
821     
822     LLINT_RETURN(jsBoolean(couldDelete));
823 }
824
825 LLINT_SLOW_PATH_DECL(slow_path_put_by_index)
826 {
827     LLINT_BEGIN();
828     JSValue arrayValue = LLINT_OP_C(1).jsValue();
829     ASSERT(isJSArray(arrayValue));
830     asArray(arrayValue)->putDirectIndex(exec, pc[2].u.operand, LLINT_OP_C(3).jsValue());
831     LLINT_END();
832 }
833
834 LLINT_SLOW_PATH_DECL(slow_path_put_getter_by_id)
835 {
836     LLINT_BEGIN();
837     ASSERT(LLINT_OP(1).jsValue().isObject());
838     JSObject* baseObj = asObject(LLINT_OP(1).jsValue());
839
840     unsigned options = pc[3].u.operand;
841
842     JSValue getter = LLINT_OP(4).jsValue();
843     ASSERT(getter.isObject());
844
845     baseObj->putGetter(exec, exec->codeBlock()->identifier(pc[2].u.operand), asObject(getter), options);
846     LLINT_END();
847 }
848
849 LLINT_SLOW_PATH_DECL(slow_path_put_setter_by_id)
850 {
851     LLINT_BEGIN();
852     ASSERT(LLINT_OP(1).jsValue().isObject());
853     JSObject* baseObj = asObject(LLINT_OP(1).jsValue());
854
855     unsigned options = pc[3].u.operand;
856
857     JSValue setter = LLINT_OP(4).jsValue();
858     ASSERT(setter.isObject());
859
860     baseObj->putSetter(exec, exec->codeBlock()->identifier(pc[2].u.operand), asObject(setter), options);
861     LLINT_END();
862 }
863
864 LLINT_SLOW_PATH_DECL(slow_path_put_getter_setter_by_id)
865 {
866     LLINT_BEGIN();
867     ASSERT(LLINT_OP(1).jsValue().isObject());
868     JSObject* baseObj = asObject(LLINT_OP(1).jsValue());
869     
870     GetterSetter* accessor = GetterSetter::create(vm, exec->lexicalGlobalObject());
871     LLINT_CHECK_EXCEPTION();
872
873     JSValue getter = LLINT_OP(4).jsValue();
874     JSValue setter = LLINT_OP(5).jsValue();
875     ASSERT(getter.isObject() || getter.isUndefined());
876     ASSERT(setter.isObject() || setter.isUndefined());
877     ASSERT(getter.isObject() || setter.isObject());
878     
879     if (!getter.isUndefined())
880         accessor->setGetter(vm, exec->lexicalGlobalObject(), asObject(getter));
881     if (!setter.isUndefined())
882         accessor->setSetter(vm, exec->lexicalGlobalObject(), asObject(setter));
883     baseObj->putDirectAccessor(
884         exec,
885         exec->codeBlock()->identifier(pc[2].u.operand),
886         accessor, pc[3].u.operand);
887     LLINT_END();
888 }
889
890 LLINT_SLOW_PATH_DECL(slow_path_put_getter_by_val)
891 {
892     LLINT_BEGIN();
893     ASSERT(LLINT_OP(1).jsValue().isObject());
894     JSObject* baseObj = asObject(LLINT_OP(1).jsValue());
895     JSValue subscript = LLINT_OP_C(2).jsValue();
896
897     unsigned options = pc[3].u.operand;
898
899     JSValue getter = LLINT_OP(4).jsValue();
900     ASSERT(getter.isObject());
901
902     auto property = subscript.toPropertyKey(exec);
903     LLINT_CHECK_EXCEPTION();
904
905     baseObj->putGetter(exec, property, asObject(getter), options);
906     LLINT_END();
907 }
908
909 LLINT_SLOW_PATH_DECL(slow_path_put_setter_by_val)
910 {
911     LLINT_BEGIN();
912     ASSERT(LLINT_OP(1).jsValue().isObject());
913     JSObject* baseObj = asObject(LLINT_OP(1).jsValue());
914     JSValue subscript = LLINT_OP_C(2).jsValue();
915
916     unsigned options = pc[3].u.operand;
917
918     JSValue setter = LLINT_OP(4).jsValue();
919     ASSERT(setter.isObject());
920
921     auto property = subscript.toPropertyKey(exec);
922     LLINT_CHECK_EXCEPTION();
923
924     baseObj->putSetter(exec, property, asObject(setter), options);
925     LLINT_END();
926 }
927
928 LLINT_SLOW_PATH_DECL(slow_path_jtrue)
929 {
930     LLINT_BEGIN();
931     LLINT_BRANCH(op_jtrue, LLINT_OP_C(1).jsValue().toBoolean(exec));
932 }
933
934 LLINT_SLOW_PATH_DECL(slow_path_jfalse)
935 {
936     LLINT_BEGIN();
937     LLINT_BRANCH(op_jfalse, !LLINT_OP_C(1).jsValue().toBoolean(exec));
938 }
939
940 LLINT_SLOW_PATH_DECL(slow_path_jless)
941 {
942     LLINT_BEGIN();
943     LLINT_BRANCH(op_jless, jsLess<true>(exec, LLINT_OP_C(1).jsValue(), LLINT_OP_C(2).jsValue()));
944 }
945
946 LLINT_SLOW_PATH_DECL(slow_path_jnless)
947 {
948     LLINT_BEGIN();
949     LLINT_BRANCH(op_jnless, !jsLess<true>(exec, LLINT_OP_C(1).jsValue(), LLINT_OP_C(2).jsValue()));
950 }
951
952 LLINT_SLOW_PATH_DECL(slow_path_jgreater)
953 {
954     LLINT_BEGIN();
955     LLINT_BRANCH(op_jgreater, jsLess<false>(exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(1).jsValue()));
956 }
957
958 LLINT_SLOW_PATH_DECL(slow_path_jngreater)
959 {
960     LLINT_BEGIN();
961     LLINT_BRANCH(op_jngreater, !jsLess<false>(exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(1).jsValue()));
962 }
963
964 LLINT_SLOW_PATH_DECL(slow_path_jlesseq)
965 {
966     LLINT_BEGIN();
967     LLINT_BRANCH(op_jlesseq, jsLessEq<true>(exec, LLINT_OP_C(1).jsValue(), LLINT_OP_C(2).jsValue()));
968 }
969
970 LLINT_SLOW_PATH_DECL(slow_path_jnlesseq)
971 {
972     LLINT_BEGIN();
973     LLINT_BRANCH(op_jnlesseq, !jsLessEq<true>(exec, LLINT_OP_C(1).jsValue(), LLINT_OP_C(2).jsValue()));
974 }
975
976 LLINT_SLOW_PATH_DECL(slow_path_jgreatereq)
977 {
978     LLINT_BEGIN();
979     LLINT_BRANCH(op_jgreatereq, jsLessEq<false>(exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(1).jsValue()));
980 }
981
982 LLINT_SLOW_PATH_DECL(slow_path_jngreatereq)
983 {
984     LLINT_BEGIN();
985     LLINT_BRANCH(op_jngreatereq, !jsLessEq<false>(exec, LLINT_OP_C(2).jsValue(), LLINT_OP_C(1).jsValue()));
986 }
987
988 LLINT_SLOW_PATH_DECL(slow_path_switch_imm)
989 {
990     LLINT_BEGIN();
991     JSValue scrutinee = LLINT_OP_C(3).jsValue();
992     ASSERT(scrutinee.isDouble());
993     double value = scrutinee.asDouble();
994     int32_t intValue = static_cast<int32_t>(value);
995     int defaultOffset = pc[2].u.operand;
996     if (value == intValue) {
997         CodeBlock* codeBlock = exec->codeBlock();
998         pc += codeBlock->switchJumpTable(pc[1].u.operand).offsetForValue(intValue, defaultOffset);
999     } else
1000         pc += defaultOffset;
1001     LLINT_END();
1002 }
1003
1004 LLINT_SLOW_PATH_DECL(slow_path_switch_char)
1005 {
1006     LLINT_BEGIN();
1007     JSValue scrutinee = LLINT_OP_C(3).jsValue();
1008     ASSERT(scrutinee.isString());
1009     JSString* string = asString(scrutinee);
1010     ASSERT(string->length() == 1);
1011     int defaultOffset = pc[2].u.operand;
1012     StringImpl* impl = string->value(exec).impl();
1013     CodeBlock* codeBlock = exec->codeBlock();
1014     pc += codeBlock->switchJumpTable(pc[1].u.operand).offsetForValue((*impl)[0], defaultOffset);
1015     LLINT_END();
1016 }
1017
1018 LLINT_SLOW_PATH_DECL(slow_path_switch_string)
1019 {
1020     LLINT_BEGIN();
1021     JSValue scrutinee = LLINT_OP_C(3).jsValue();
1022     int defaultOffset = pc[2].u.operand;
1023     if (!scrutinee.isString())
1024         pc += defaultOffset;
1025     else {
1026         CodeBlock* codeBlock = exec->codeBlock();
1027         pc += codeBlock->stringSwitchJumpTable(pc[1].u.operand).offsetForValue(asString(scrutinee)->value(exec).impl(), defaultOffset);
1028     }
1029     LLINT_END();
1030 }
1031
1032 LLINT_SLOW_PATH_DECL(slow_path_new_func)
1033 {
1034     LLINT_BEGIN();
1035     CodeBlock* codeBlock = exec->codeBlock();
1036     ASSERT(codeBlock->codeType() != FunctionCode || !codeBlock->needsActivation() || exec->hasActivation());
1037     JSScope* scope = exec->uncheckedR(pc[2].u.operand).Register::scope();
1038 #if LLINT_SLOW_PATH_TRACING
1039     dataLogF("Creating function!\n");
1040 #endif
1041     LLINT_RETURN(JSFunction::create(vm, codeBlock->functionDecl(pc[3].u.operand), scope));
1042 }
1043
1044 LLINT_SLOW_PATH_DECL(slow_path_new_func_exp)
1045 {
1046     LLINT_BEGIN();
1047     
1048     CodeBlock* codeBlock = exec->codeBlock();
1049     JSScope* scope = exec->uncheckedR(pc[2].u.operand).Register::scope();
1050     FunctionExecutable* executable = codeBlock->functionExpr(pc[3].u.operand);
1051     
1052     LLINT_RETURN(JSFunction::create(vm, executable, scope));
1053 }
1054
1055 LLINT_SLOW_PATH_DECL(slow_path_new_arrow_func_exp)
1056 {
1057     LLINT_BEGIN();
1058
1059     JSValue thisValue = LLINT_OP_C(4).jsValue();
1060     CodeBlock* codeBlock = exec->codeBlock();
1061     JSScope* scope = exec->uncheckedR(pc[2].u.operand).Register::scope();
1062     FunctionExecutable* executable = codeBlock->functionExpr(pc[3].u.operand);
1063     
1064     LLINT_RETURN(JSArrowFunction::create(vm, executable, scope, thisValue));
1065 }
1066
1067 static SlowPathReturnType handleHostCall(ExecState* execCallee, Instruction* pc, JSValue callee, CodeSpecializationKind kind)
1068 {
1069     UNUSED_PARAM(pc);
1070
1071 #if LLINT_SLOW_PATH_TRACING
1072     dataLog("Performing host call.\n");
1073 #endif
1074     
1075     ExecState* exec = execCallee->callerFrame();
1076     VM& vm = exec->vm();
1077
1078     execCallee->setCodeBlock(0);
1079     execCallee->clearReturnPC();
1080
1081     if (kind == CodeForCall) {
1082         CallData callData;
1083         CallType callType = getCallData(callee, callData);
1084     
1085         ASSERT(callType != CallTypeJS);
1086     
1087         if (callType == CallTypeHost) {
1088             NativeCallFrameTracer tracer(&vm, execCallee);
1089             execCallee->setCallee(asObject(callee));
1090             vm.hostCallReturnValue = JSValue::decode(callData.native.function(execCallee));
1091             
1092             LLINT_CALL_RETURN(execCallee, execCallee, LLInt::getCodePtr(getHostCallReturnValue));
1093         }
1094         
1095 #if LLINT_SLOW_PATH_TRACING
1096         dataLog("Call callee is not a function: ", callee, "\n");
1097 #endif
1098
1099         ASSERT(callType == CallTypeNone);
1100         LLINT_CALL_THROW(exec, createNotAFunctionError(exec, callee));
1101     }
1102
1103     ASSERT(kind == CodeForConstruct);
1104     
1105     ConstructData constructData;
1106     ConstructType constructType = getConstructData(callee, constructData);
1107     
1108     ASSERT(constructType != ConstructTypeJS);
1109     
1110     if (constructType == ConstructTypeHost) {
1111         NativeCallFrameTracer tracer(&vm, execCallee);
1112         execCallee->setCallee(asObject(callee));
1113         vm.hostCallReturnValue = JSValue::decode(constructData.native.function(execCallee));
1114
1115         LLINT_CALL_RETURN(execCallee, execCallee, LLInt::getCodePtr(getHostCallReturnValue));
1116     }
1117     
1118 #if LLINT_SLOW_PATH_TRACING
1119     dataLog("Constructor callee is not a function: ", callee, "\n");
1120 #endif
1121
1122     ASSERT(constructType == ConstructTypeNone);
1123     LLINT_CALL_THROW(exec, createNotAConstructorError(exec, callee));
1124 }
1125
1126 inline SlowPathReturnType setUpCall(ExecState* execCallee, Instruction* pc, CodeSpecializationKind kind, JSValue calleeAsValue, LLIntCallLinkInfo* callLinkInfo = 0)
1127 {
1128     ExecState* exec = execCallee->callerFrame();
1129
1130 #if LLINT_SLOW_PATH_TRACING
1131     dataLogF("Performing call with recorded PC = %p\n", exec->currentVPC());
1132 #endif
1133     
1134     JSCell* calleeAsFunctionCell = getJSFunction(calleeAsValue);
1135     if (!calleeAsFunctionCell)
1136         return handleHostCall(execCallee, pc, calleeAsValue, kind);
1137     
1138     JSFunction* callee = jsCast<JSFunction*>(calleeAsFunctionCell);
1139     JSScope* scope = callee->scopeUnchecked();
1140     VM& vm = *scope->vm();
1141     ExecutableBase* executable = callee->executable();
1142
1143     MacroAssemblerCodePtr codePtr;
1144     CodeBlock* codeBlock = 0;
1145     bool isWebAssemblyExecutable = false;
1146 #if ENABLE(WEBASSEMBLY)
1147     isWebAssemblyExecutable = executable->isWebAssemblyExecutable();
1148 #endif
1149
1150     if (executable->isHostFunction()) {
1151         codePtr = executable->entrypointFor(kind, MustCheckArity);
1152     } else if (!isWebAssemblyExecutable) {
1153         FunctionExecutable* functionExecutable = static_cast<FunctionExecutable*>(executable);
1154
1155         if (!isCall(kind) && functionExecutable->constructAbility() == ConstructAbility::CannotConstruct)
1156             LLINT_CALL_THROW(exec, createNotAConstructorError(exec, callee));
1157
1158         JSObject* error = functionExecutable->prepareForExecution(execCallee, callee, scope, kind);
1159         if (error)
1160             LLINT_CALL_THROW(exec, error);
1161         codeBlock = functionExecutable->codeBlockFor(kind);
1162         ASSERT(codeBlock);
1163         ArityCheckMode arity;
1164         if (execCallee->argumentCountIncludingThis() < static_cast<size_t>(codeBlock->numParameters()))
1165             arity = MustCheckArity;
1166         else
1167             arity = ArityCheckNotRequired;
1168         codePtr = functionExecutable->entrypointFor(kind, arity);
1169     } else {
1170 #if ENABLE(WEBASSEMBLY)
1171         WebAssemblyExecutable* webAssemblyExecutable = static_cast<WebAssemblyExecutable*>(executable);
1172         webAssemblyExecutable->prepareForExecution(execCallee);
1173         codeBlock = webAssemblyExecutable->codeBlockForCall();
1174         ASSERT(codeBlock);
1175         ArityCheckMode arity;
1176         if (execCallee->argumentCountIncludingThis() < static_cast<size_t>(codeBlock->numParameters()))
1177             arity = MustCheckArity;
1178         else
1179             arity = ArityCheckNotRequired;
1180         codePtr = webAssemblyExecutable->entrypointFor(kind, arity);
1181 #endif
1182     }
1183     
1184     ASSERT(!!codePtr);
1185     
1186     if (!LLINT_ALWAYS_ACCESS_SLOW && callLinkInfo) {
1187         CodeBlock* callerCodeBlock = exec->codeBlock();
1188
1189         ConcurrentJITLocker locker(callerCodeBlock->m_lock);
1190         
1191         if (callLinkInfo->isOnList())
1192             callLinkInfo->remove();
1193         callLinkInfo->callee.set(vm, callerCodeBlock, callee);
1194         callLinkInfo->lastSeenCallee.set(vm, callerCodeBlock, callee);
1195         callLinkInfo->machineCodeTarget = codePtr;
1196         if (codeBlock)
1197             codeBlock->linkIncomingCall(exec, callLinkInfo);
1198     }
1199
1200     LLINT_CALL_RETURN(exec, execCallee, codePtr.executableAddress());
1201 }
1202
1203 inline SlowPathReturnType genericCall(ExecState* exec, Instruction* pc, CodeSpecializationKind kind)
1204 {
1205     // This needs to:
1206     // - Set up a call frame.
1207     // - Figure out what to call and compile it if necessary.
1208     // - If possible, link the call's inline cache.
1209     // - Return a tuple of machine code address to call and the new call frame.
1210     
1211     JSValue calleeAsValue = LLINT_OP_C(2).jsValue();
1212     
1213     ExecState* execCallee = exec - pc[4].u.operand;
1214     
1215     execCallee->setArgumentCountIncludingThis(pc[3].u.operand);
1216     execCallee->uncheckedR(JSStack::Callee) = calleeAsValue;
1217     execCallee->setCallerFrame(exec);
1218     
1219     ASSERT(pc[5].u.callLinkInfo);
1220     return setUpCall(execCallee, pc, kind, calleeAsValue, pc[5].u.callLinkInfo);
1221 }
1222
1223 LLINT_SLOW_PATH_DECL(slow_path_call)
1224 {
1225     LLINT_BEGIN_NO_SET_PC();
1226     return genericCall(exec, pc, CodeForCall);
1227 }
1228
1229 LLINT_SLOW_PATH_DECL(slow_path_construct)
1230 {
1231     LLINT_BEGIN_NO_SET_PC();
1232     return genericCall(exec, pc, CodeForConstruct);
1233 }
1234
1235 LLINT_SLOW_PATH_DECL(slow_path_size_frame_for_varargs)
1236 {
1237     LLINT_BEGIN();
1238     // This needs to:
1239     // - Set up a call frame while respecting the variable arguments.
1240     
1241     unsigned numUsedStackSlots = -pc[5].u.operand;
1242     unsigned length = sizeFrameForVarargs(exec, &vm.interpreter->stack(),
1243         LLINT_OP_C(4).jsValue(), numUsedStackSlots, pc[6].u.operand);
1244     LLINT_CALL_CHECK_EXCEPTION(exec, exec);
1245     
1246     ExecState* execCallee = calleeFrameForVarargs(exec, numUsedStackSlots, length + 1);
1247     vm.varargsLength = length;
1248     vm.newCallFrameReturnValue = execCallee;
1249
1250     LLINT_RETURN_CALLEE_FRAME(execCallee);
1251 }
1252
1253 LLINT_SLOW_PATH_DECL(slow_path_call_varargs)
1254 {
1255     LLINT_BEGIN_NO_SET_PC();
1256     // This needs to:
1257     // - Figure out what to call and compile it if necessary.
1258     // - Return a tuple of machine code address to call and the new call frame.
1259     
1260     JSValue calleeAsValue = LLINT_OP_C(2).jsValue();
1261     
1262     ExecState* execCallee = vm.newCallFrameReturnValue;
1263
1264     setupVarargsFrameAndSetThis(exec, execCallee, LLINT_OP_C(3).jsValue(), LLINT_OP_C(4).jsValue(), pc[6].u.operand, vm.varargsLength);
1265     LLINT_CALL_CHECK_EXCEPTION(exec, exec);
1266     
1267     execCallee->uncheckedR(JSStack::Callee) = calleeAsValue;
1268     execCallee->setCallerFrame(exec);
1269     exec->setCurrentVPC(pc);
1270     
1271     return setUpCall(execCallee, pc, CodeForCall, calleeAsValue);
1272 }
1273     
1274 LLINT_SLOW_PATH_DECL(slow_path_construct_varargs)
1275 {
1276     LLINT_BEGIN_NO_SET_PC();
1277     // This needs to:
1278     // - Figure out what to call and compile it if necessary.
1279     // - Return a tuple of machine code address to call and the new call frame.
1280     
1281     JSValue calleeAsValue = LLINT_OP_C(2).jsValue();
1282     
1283     ExecState* execCallee = vm.newCallFrameReturnValue;
1284     
1285     setupVarargsFrameAndSetThis(exec, execCallee, LLINT_OP_C(3).jsValue(), LLINT_OP_C(4).jsValue(), pc[6].u.operand, vm.varargsLength);
1286     LLINT_CALL_CHECK_EXCEPTION(exec, exec);
1287     
1288     execCallee->uncheckedR(JSStack::Callee) = calleeAsValue;
1289     execCallee->setCallerFrame(exec);
1290     exec->setCurrentVPC(pc);
1291     
1292     return setUpCall(execCallee, pc, CodeForConstruct, calleeAsValue);
1293 }
1294     
1295 LLINT_SLOW_PATH_DECL(slow_path_call_eval)
1296 {
1297     LLINT_BEGIN_NO_SET_PC();
1298     JSValue calleeAsValue = LLINT_OP(2).jsValue();
1299     
1300     ExecState* execCallee = exec - pc[4].u.operand;
1301     
1302     execCallee->setArgumentCountIncludingThis(pc[3].u.operand);
1303     execCallee->setCallerFrame(exec);
1304     execCallee->uncheckedR(JSStack::Callee) = calleeAsValue;
1305     execCallee->setReturnPC(LLInt::getCodePtr(llint_generic_return_point));
1306     execCallee->setCodeBlock(0);
1307     exec->setCurrentVPC(pc);
1308     
1309     if (!isHostFunction(calleeAsValue, globalFuncEval))
1310         return setUpCall(execCallee, pc, CodeForCall, calleeAsValue);
1311     
1312     vm.hostCallReturnValue = eval(execCallee);
1313     LLINT_CALL_RETURN(exec, execCallee, LLInt::getCodePtr(getHostCallReturnValue));
1314 }
1315
1316 LLINT_SLOW_PATH_DECL(slow_path_strcat)
1317 {
1318     LLINT_BEGIN();
1319     LLINT_RETURN(jsStringFromRegisterArray(exec, &LLINT_OP(2), pc[3].u.operand));
1320 }
1321
1322 LLINT_SLOW_PATH_DECL(slow_path_to_primitive)
1323 {
1324     LLINT_BEGIN();
1325     LLINT_RETURN(LLINT_OP_C(2).jsValue().toPrimitive(exec));
1326 }
1327
1328 LLINT_SLOW_PATH_DECL(slow_path_throw)
1329 {
1330     LLINT_BEGIN();
1331     LLINT_THROW(LLINT_OP_C(1).jsValue());
1332 }
1333
1334 LLINT_SLOW_PATH_DECL(slow_path_throw_static_error)
1335 {
1336     LLINT_BEGIN();
1337     JSValue errorMessageValue = LLINT_OP_C(1).jsValue();
1338     RELEASE_ASSERT(errorMessageValue.isString());
1339     String errorMessage = asString(errorMessageValue)->value(exec);
1340     if (pc[2].u.operand)
1341         LLINT_THROW(createReferenceError(exec, errorMessage));
1342     else
1343         LLINT_THROW(createTypeError(exec, errorMessage));
1344 }
1345
1346 LLINT_SLOW_PATH_DECL(slow_path_handle_watchdog_timer)
1347 {
1348     LLINT_BEGIN_NO_SET_PC();
1349     ASSERT(vm.watchdog);
1350     if (UNLIKELY(vm.shouldTriggerTermination(exec)))
1351         LLINT_THROW(createTerminatedExecutionException(&vm));
1352     LLINT_RETURN_TWO(0, exec);
1353 }
1354
1355 LLINT_SLOW_PATH_DECL(slow_path_debug)
1356 {
1357     LLINT_BEGIN();
1358     int debugHookID = pc[1].u.operand;
1359     vm.interpreter->debug(exec, static_cast<DebugHookID>(debugHookID));
1360     
1361     LLINT_END();
1362 }
1363
1364 LLINT_SLOW_PATH_DECL(slow_path_profile_will_call)
1365 {
1366     LLINT_BEGIN();
1367     if (LegacyProfiler* profiler = vm.enabledProfiler())
1368         profiler->willExecute(exec, LLINT_OP(1).jsValue());
1369     LLINT_END();
1370 }
1371
1372 LLINT_SLOW_PATH_DECL(slow_path_profile_did_call)
1373 {
1374     LLINT_BEGIN();
1375     if (LegacyProfiler* profiler = vm.enabledProfiler())
1376         profiler->didExecute(exec, LLINT_OP(1).jsValue());
1377     LLINT_END();
1378 }
1379
1380 LLINT_SLOW_PATH_DECL(slow_path_handle_exception)
1381 {
1382     LLINT_BEGIN_NO_SET_PC();
1383     genericUnwind(&vm, exec);
1384     LLINT_END_IMPL();
1385 }
1386
1387 LLINT_SLOW_PATH_DECL(slow_path_get_from_scope)
1388 {
1389     LLINT_BEGIN();
1390
1391     const Identifier& ident = exec->codeBlock()->identifier(pc[3].u.operand);
1392     JSObject* scope = jsCast<JSObject*>(LLINT_OP(2).jsValue());
1393     GetPutInfo getPutInfo(pc[4].u.operand);
1394
1395     // ModuleVar is always converted to ClosureVar for get_from_scope.
1396     ASSERT(getPutInfo.resolveType() != ModuleVar);
1397
1398     PropertySlot slot(scope);
1399     if (!scope->getPropertySlot(exec, ident, slot)) {
1400         if (getPutInfo.resolveMode() == ThrowIfNotFound)
1401             LLINT_RETURN(exec->vm().throwException(exec, createUndefinedVariableError(exec, ident)));
1402         LLINT_RETURN(jsUndefined());
1403     }
1404
1405     JSValue result = JSValue();
1406     if (jsDynamicCast<JSGlobalLexicalEnvironment*>(scope)) {
1407         // When we can't statically prove we need a TDZ check, we must perform the check on the slow path.
1408         result = slot.getValue(exec, ident);
1409         if (result == jsTDZValue())
1410             LLINT_THROW(createTDZError(exec));
1411     }
1412
1413     CommonSlowPaths::tryCacheGetFromScopeGlobal(exec, vm, pc, scope, slot, ident);
1414
1415     if (!result)
1416         result = slot.getValue(exec, ident);
1417     LLINT_RETURN(result);
1418 }
1419
1420 LLINT_SLOW_PATH_DECL(slow_path_put_to_scope)
1421 {
1422     LLINT_BEGIN();
1423
1424     CodeBlock* codeBlock = exec->codeBlock();
1425     const Identifier& ident = codeBlock->identifier(pc[2].u.operand);
1426     JSObject* scope = jsCast<JSObject*>(LLINT_OP(1).jsValue());
1427     JSValue value = LLINT_OP_C(3).jsValue();
1428     GetPutInfo getPutInfo = GetPutInfo(pc[4].u.operand);
1429     if (getPutInfo.resolveType() == LocalClosureVar) {
1430         JSLexicalEnvironment* environment = jsCast<JSLexicalEnvironment*>(scope);
1431         environment->variableAt(ScopeOffset(pc[6].u.operand)).set(vm, environment, value);
1432         
1433         // Have to do this *after* the write, because if this puts the set into IsWatched, then we need
1434         // to have already changed the value of the variable. Otherwise we might watch and constant-fold
1435         // to the Undefined value from before the assignment.
1436         if (WatchpointSet* set = pc[5].u.watchpointSet)
1437             set->touch("Executed op_put_scope<LocalClosureVar>");
1438         LLINT_END();
1439     }
1440
1441     bool hasProperty = scope->hasProperty(exec, ident);
1442     if (hasProperty
1443         && jsDynamicCast<JSGlobalLexicalEnvironment*>(scope)
1444         && getPutInfo.initializationMode() != Initialization) {
1445         // When we can't statically prove we need a TDZ check, we must perform the check on the slow path.
1446         PropertySlot slot(scope);
1447         JSGlobalLexicalEnvironment::getOwnPropertySlot(scope, exec, ident, slot);
1448         if (slot.getValue(exec, ident) == jsTDZValue())
1449             LLINT_THROW(createTDZError(exec));
1450     }
1451
1452     if (getPutInfo.resolveMode() == ThrowIfNotFound && !hasProperty)
1453         LLINT_THROW(createUndefinedVariableError(exec, ident));
1454
1455     PutPropertySlot slot(scope, codeBlock->isStrictMode(), PutPropertySlot::UnknownContext, getPutInfo.initializationMode() == Initialization);
1456     scope->methodTable()->put(scope, exec, ident, value, slot);
1457     
1458     CommonSlowPaths::tryCachePutToScopeGlobal(exec, codeBlock, pc, scope, getPutInfo, slot, ident);
1459
1460     LLINT_END();
1461 }
1462
1463 LLINT_SLOW_PATH_DECL(slow_path_check_if_exception_is_uncatchable_and_notify_profiler)
1464 {
1465     LLINT_BEGIN();
1466     RELEASE_ASSERT(!!vm.exception());
1467
1468     if (LegacyProfiler* profiler = vm.enabledProfiler())
1469         profiler->exceptionUnwind(exec);
1470
1471     if (isTerminatedExecutionException(vm.exception()))
1472         LLINT_RETURN_TWO(pc, bitwise_cast<void*>(static_cast<uintptr_t>(1)));
1473     LLINT_RETURN_TWO(pc, 0);
1474 }
1475
1476 extern "C" SlowPathReturnType llint_throw_stack_overflow_error(VM* vm, ProtoCallFrame* protoFrame)
1477 {
1478     ExecState* exec = vm->topCallFrame;
1479     if (!exec)
1480         exec = protoFrame->callee()->globalObject()->globalExec();
1481     throwStackOverflowError(exec);
1482     return encodeResult(0, 0);
1483 }
1484
1485 #if !ENABLE(JIT)
1486 extern "C" SlowPathReturnType llint_stack_check_at_vm_entry(VM* vm, Register* newTopOfStack)
1487 {
1488     bool success = vm->interpreter->stack().ensureCapacityFor(newTopOfStack);
1489     return encodeResult(reinterpret_cast<void*>(success), 0);
1490 }
1491 #endif
1492
1493 extern "C" void llint_write_barrier_slow(ExecState* exec, JSCell* cell)
1494 {
1495     VM& vm = exec->vm();
1496     vm.heap.writeBarrier(cell);
1497 }
1498
1499 extern "C" NO_RETURN_DUE_TO_CRASH void llint_crash()
1500 {
1501     CRASH();
1502 }
1503
1504 } } // namespace JSC::LLInt