JavaScriptCore-7601.1.46.3.tar.gz

[apple/javascriptcore.git] / jit / JITOpcodes32_64.cpp
diff --git a/jit/JITOpcodes32_64.cpp b/jit/JITOpcodes32_64.cpp

index a540d6e8a89c668ec3421d5faff0759af292c648..8764cc2ccaa1fc00e5b5500a4ff025b4f44b534c 100644 (file)
--- a/jit/JITOpcodes32_64.cpp
+++ b/jit/JITOpcodes32_64.cpp
@@ -32,15 +32,19 @@
  
  #include "CCallHelpers.h"
  #include "Debugger.h"
  
  #include "CCallHelpers.h"
  #include "Debugger.h"
+#include "Exception.h"
  #include "JITInlines.h"
  #include "JSArray.h"
  #include "JSCell.h"
  #include "JITInlines.h"
  #include "JSArray.h"
  #include "JSCell.h"
+#include "JSEnvironmentRecord.h"
  #include "JSFunction.h"
  #include "JSFunction.h"
-#include "JSPropertyNameIterator.h"
-#include "JSVariableObject.h"
+#include "JSNameScope.h"
+#include "JSPropertyNameEnumerator.h"
  #include "LinkBuffer.h"
  #include "MaxFrameExtentForSlowPathCall.h"
  #include "LinkBuffer.h"
  #include "MaxFrameExtentForSlowPathCall.h"
+#include "RepatchBuffer.h"
  #include "SlowPathCall.h"
  #include "SlowPathCall.h"
+#include "TypeProfilerLog.h"
  #include "VirtualRegister.h"
  
  namespace JSC {
  #include "VirtualRegister.h"
  
  namespace JSC {
@@ -54,12 +58,6 @@ JIT::CodeRef JIT::privateCompileCTINativeCall(VM* vm, NativeFunction func)
      storePtr(callFrameRegister, &m_vm->topCallFrame);
  
  #if CPU(X86)
      storePtr(callFrameRegister, &m_vm->topCallFrame);
  
  #if CPU(X86)
-    // Load caller frame's scope chain into this callframe so that whatever we call can
-    // get to its global data.
-    emitGetCallerFrameFromCallFrameHeaderPtr(regT0);
-    emitGetFromCallFrameHeaderPtr(JSStack::ScopeChain, regT1, regT0);
-    emitPutCellToCallFrameHeader(regT1, JSStack::ScopeChain);
-
      // Calling convention:      f(ecx, edx, ...);
      // Host function signature: f(ExecState*);
      move(callFrameRegister, X86Registers::ecx);
      // Calling convention:      f(ecx, edx, ...);
      // Host function signature: f(ExecState*);
      move(callFrameRegister, X86Registers::ecx);
@@ -73,11 +71,6 @@ JIT::CodeRef JIT::privateCompileCTINativeCall(VM* vm, NativeFunction func)
      addPtr(TrustedImm32(8), stackPointerRegister);
  
  #elif CPU(ARM) || CPU(SH4) || CPU(MIPS)
      addPtr(TrustedImm32(8), stackPointerRegister);
  
  #elif CPU(ARM) || CPU(SH4) || CPU(MIPS)
-    // Load caller frame's scope chain into this callframe so that whatever we call can get to its global data.
-    emitGetCallerFrameFromCallFrameHeaderPtr(regT2);
-    emitGetFromCallFrameHeaderPtr(JSStack::ScopeChain, regT1, regT2);
-    emitPutCellToCallFrameHeader(regT1, JSStack::ScopeChain);
-
  #if CPU(MIPS)
      // Allocate stack space for (unused) 16 bytes (8-byte aligned) for 4 arguments.
      subPtr(TrustedImm32(16), stackPointerRegister);
  #if CPU(MIPS)
      // Allocate stack space for (unused) 16 bytes (8-byte aligned) for 4 arguments.
      subPtr(TrustedImm32(16), stackPointerRegister);
@@ -105,7 +98,7 @@ JIT::CodeRef JIT::privateCompileCTINativeCall(VM* vm, NativeFunction func)
  #endif // CPU(X86)
  
      // Check for an exception
  #endif // CPU(X86)
  
      // Check for an exception
-    Jump sawException = branch32(NotEqual, AbsoluteAddress(reinterpret_cast<char*>(vm->addressOfException()) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), TrustedImm32(JSValue::EmptyValueTag)); 
+    Jump sawException = branch32(NotEqual, AbsoluteAddress(vm->addressOfException()), TrustedImm32(0));
  
      emitFunctionEpilogue();
      // Return.
  
      emitFunctionEpilogue();
      // Return.
@@ -152,16 +145,6 @@ void JIT::emit_op_mov(Instruction* currentInstruction)
      }
  }
  
      }
  }
  
-void JIT::emit_op_captured_mov(Instruction* currentInstruction)
-{
-    int dst = currentInstruction[1].u.operand;
-    int src = currentInstruction[2].u.operand;
-
-    emitLoad(src, regT1, regT0);
-    emitNotifyWrite(regT1, regT0, regT2, currentInstruction[3].u.watchpointSet);
-    emitStore(dst, regT1, regT0);
-}
-
  void JIT::emit_op_end(Instruction* currentInstruction)
  {
      ASSERT(returnValueGPR != callFrameRegister);
  void JIT::emit_op_end(Instruction* currentInstruction)
  {
      ASSERT(returnValueGPR != callFrameRegister);
@@ -349,25 +332,22 @@ void JIT::emit_op_is_string(Instruction* currentInstruction)
      emitStoreBool(dst, regT0);
  }
  
      emitStoreBool(dst, regT0);
  }
  
-void JIT::emit_op_tear_off_activation(Instruction* currentInstruction)
+void JIT::emit_op_is_object(Instruction* currentInstruction)
  {
  {
-    int activation = currentInstruction[1].u.operand;
-    Jump activationNotCreated = branch32(Equal, tagFor(activation), TrustedImm32(JSValue::EmptyValueTag));
-    emitLoadPayload(activation, regT0);
-    callOperation(operationTearOffActivation, regT0);
-    activationNotCreated.link(this);
-}
+    int dst = currentInstruction[1].u.operand;
+    int value = currentInstruction[2].u.operand;
  
  
-void JIT::emit_op_tear_off_arguments(Instruction* currentInstruction)
-{
-    VirtualRegister arguments = VirtualRegister(currentInstruction[1].u.operand);
-    int activation = currentInstruction[2].u.operand;
+    emitLoad(value, regT1, regT0);
+    Jump isNotCell = branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag));
+
+    compare8(AboveOrEqual, Address(regT0, JSCell::typeInfoTypeOffset()), TrustedImm32(ObjectType), regT0);
+    Jump done = jump();
+
+    isNotCell.link(this);
+    move(TrustedImm32(0), regT0);
  
  
-    Jump argsNotCreated = branch32(Equal, tagFor(unmodifiedArgumentsRegister(arguments).offset()), TrustedImm32(JSValue::EmptyValueTag));
-    emitLoadPayload(unmodifiedArgumentsRegister(VirtualRegister(arguments)).offset(), regT0);
-    emitLoadPayload(activation, regT1);
-    callOperation(operationTearOffArguments, regT0, regT1);
-    argsNotCreated.link(this);
+    done.link(this);
+    emitStoreBool(dst, regT0);
  }
  
  void JIT::emit_op_to_primitive(Instruction* currentInstruction)
  }
  
  void JIT::emit_op_to_primitive(Instruction* currentInstruction)
@@ -378,7 +358,7 @@ void JIT::emit_op_to_primitive(Instruction* currentInstruction)
      emitLoad(src, regT1, regT0);
  
      Jump isImm = branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag));
      emitLoad(src, regT1, regT0);
  
      Jump isImm = branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag));
-    addSlowCase(branchPtr(NotEqual, Address(regT0, JSCell::structureIDOffset()), TrustedImmPtr(m_vm->stringStructure.get())));
+    addSlowCase(emitJumpIfCellObject(regT0));
      isImm.link(this);
  
      if (dst != src)
      isImm.link(this);
  
      if (dst != src)
@@ -651,12 +631,12 @@ void JIT::compileOpStrictEq(Instruction* currentInstruction, CompileOpStrictEqTy
      addSlowCase(branch32(NotEqual, regT1, regT3));
      addSlowCase(branch32(Below, regT1, TrustedImm32(JSValue::LowestTag)));
  
      addSlowCase(branch32(NotEqual, regT1, regT3));
      addSlowCase(branch32(Below, regT1, TrustedImm32(JSValue::LowestTag)));
  
-    // Jump to a slow case if both are strings.
+    // Jump to a slow case if both are strings or symbols (non object).
      Jump notCell = branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag));
      Jump notCell = branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag));
-    Jump firstNotString = branchPtr(NotEqual, Address(regT0, JSCell::structureIDOffset()), TrustedImmPtr(m_vm->stringStructure.get()));
-    addSlowCase(branchPtr(Equal, Address(regT2, JSCell::structureIDOffset()), TrustedImmPtr(m_vm->stringStructure.get())));
+    Jump firstIsObject = emitJumpIfCellObject(regT0);
+    addSlowCase(emitJumpIfCellNotObject(regT2));
      notCell.link(this);
      notCell.link(this);
-    firstNotString.link(this);
+    firstIsObject.link(this);
  
      // Simply compare the payloads.
      if (type == OpStrictEq)
  
      // Simply compare the payloads.
      if (type == OpStrictEq)
@@ -767,143 +747,76 @@ void JIT::emit_op_throw(Instruction* currentInstruction)
      jumpToExceptionHandler();
  }
  
      jumpToExceptionHandler();
  }
  
-void JIT::emit_op_get_pnames(Instruction* currentInstruction)
+void JIT::emit_op_push_with_scope(Instruction* currentInstruction)
  {
      int dst = currentInstruction[1].u.operand;
  {
      int dst = currentInstruction[1].u.operand;
-    int base = currentInstruction[2].u.operand;
-    int i = currentInstruction[3].u.operand;
-    int size = currentInstruction[4].u.operand;
-    int breakTarget = currentInstruction[5].u.operand;
-
-    JumpList isNotObject;
-
-    emitLoad(base, regT1, regT0);
-    if (!m_codeBlock->isKnownNotImmediate(base))
-        isNotObject.append(branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag)));
-    if (VirtualRegister(base) != m_codeBlock->thisRegister() || m_codeBlock->isStrictMode())
-        isNotObject.append(emitJumpIfCellNotObject(regT0));
-
-    // We could inline the case where you have a valid cache, but
-    // this call doesn't seem to be hot.
-    Label isObject(this);
-    callOperation(operationGetPNames, regT0);
-    emitStoreCell(dst, returnValueGPR);
-    load32(Address(regT0, OBJECT_OFFSETOF(JSPropertyNameIterator, m_jsStringsSize)), regT3);
-    store32(TrustedImm32(Int32Tag), intTagFor(i));
-    store32(TrustedImm32(0), intPayloadFor(i));
-    store32(TrustedImm32(Int32Tag), intTagFor(size));
-    store32(regT3, payloadFor(size));
-    Jump end = jump();
-
-    isNotObject.link(this);
-    addJump(branch32(Equal, regT1, TrustedImm32(JSValue::NullTag)), breakTarget);
-    addJump(branch32(Equal, regT1, TrustedImm32(JSValue::UndefinedTag)), breakTarget);
-    callOperation(operationToObject, base, regT1, regT0);
-    jump().linkTo(isObject, this);
+    emitLoad(currentInstruction[2].u.operand, regT1, regT0);
+    callOperation(operationPushWithScope, dst, regT1, regT0);
+}
  
  
-    end.link(this);
+void JIT::emit_op_pop_scope(Instruction* currentInstruction)
+{
+    int scope = currentInstruction[1].u.operand;
+    callOperation(operationPopScope, scope);
  }
  
  }
  
-void JIT::emit_op_next_pname(Instruction* currentInstruction)
+void JIT::emit_op_to_number(Instruction* currentInstruction)
  {
      int dst = currentInstruction[1].u.operand;
  {
      int dst = currentInstruction[1].u.operand;
-    int base = currentInstruction[2].u.operand;
-    int i = currentInstruction[3].u.operand;
-    int size = currentInstruction[4].u.operand;
-    int it = currentInstruction[5].u.operand;
-    int target = currentInstruction[6].u.operand;
-
-    JumpList callHasProperty;
-
-    Label begin(this);
-    load32(intPayloadFor(i), regT0);
-    Jump end = branch32(Equal, regT0, intPayloadFor(size));
-
-    // Grab key @ i
-    loadPtr(payloadFor(it), regT1);
-    loadPtr(Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_jsStrings)), regT2);
-    load32(BaseIndex(regT2, regT0, TimesEight), regT2);
-    store32(TrustedImm32(JSValue::CellTag), tagFor(dst));
-    store32(regT2, payloadFor(dst));
-
-    // Increment i
-    add32(TrustedImm32(1), regT0);
-    store32(regT0, intPayloadFor(i));
-
-    // Verify that i is valid:
-    loadPtr(payloadFor(base), regT0);
-
-    // Test base's structure
-    loadPtr(Address(regT0, JSCell::structureIDOffset()), regT2);
-    callHasProperty.append(branchPtr(NotEqual, regT2, Address(Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_cachedStructure)))));
-
-    // Test base's prototype chain
-    loadPtr(Address(Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_cachedPrototypeChain))), regT3);
-    loadPtr(Address(regT3, OBJECT_OFFSETOF(StructureChain, m_vector)), regT3);
-    addJump(branchTestPtr(Zero, Address(regT3)), target);
-
-    Label checkPrototype(this);
-    callHasProperty.append(branch32(Equal, Address(regT2, Structure::prototypeOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), TrustedImm32(JSValue::NullTag)));
-    loadPtr(Address(regT2, Structure::prototypeOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT2);
-    loadPtr(Address(regT2, JSCell::structureIDOffset()), regT2);
-    callHasProperty.append(branchPtr(NotEqual, regT2, Address(regT3)));
-    addPtr(TrustedImm32(sizeof(Structure*)), regT3);
-    branchTestPtr(NonZero, Address(regT3)).linkTo(checkPrototype, this);
-
-    // Continue loop.
-    addJump(jump(), target);
+    int src = currentInstruction[2].u.operand;
  
  
-    // Slow case: Ask the object if i is valid.
-    callHasProperty.link(this);
-    loadPtr(addressFor(dst), regT1);
-    callOperation(operationHasProperty, regT0, regT1);
+    emitLoad(src, regT1, regT0);
  
  
-    // Test for valid key.
-    addJump(branchTest32(NonZero, regT0), target);
-    jump().linkTo(begin, this);
+    Jump isInt32 = branch32(Equal, regT1, TrustedImm32(JSValue::Int32Tag));
+    addSlowCase(branch32(AboveOrEqual, regT1, TrustedImm32(JSValue::LowestTag)));
+    isInt32.link(this);
  
  
-    // End of loop.
-    end.link(this);
+    if (src != dst)
+        emitStore(dst, regT1, regT0);
  }
  
  }
  
-void JIT::emit_op_push_with_scope(Instruction* currentInstruction)
+void JIT::emitSlow_op_to_number(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
  {
  {
-    emitLoad(currentInstruction[1].u.operand, regT1, regT0);
-    callOperation(operationPushWithScope, regT1, regT0);
-}
+    linkSlowCase(iter);
  
  
-void JIT::emit_op_pop_scope(Instruction*)
-{
-    callOperation(operationPopScope);
+    JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_to_number);
+    slowPathCall.call();
  }
  
  }
  
-void JIT::emit_op_to_number(Instruction* currentInstruction)
+void JIT::emit_op_to_string(Instruction* currentInstruction)
  {
      int dst = currentInstruction[1].u.operand;
      int src = currentInstruction[2].u.operand;
  
      emitLoad(src, regT1, regT0);
  
  {
      int dst = currentInstruction[1].u.operand;
      int src = currentInstruction[2].u.operand;
  
      emitLoad(src, regT1, regT0);
  
-    Jump isInt32 = branch32(Equal, regT1, TrustedImm32(JSValue::Int32Tag));
-    addSlowCase(branch32(AboveOrEqual, regT1, TrustedImm32(JSValue::LowestTag)));
-    isInt32.link(this);
+    addSlowCase(branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag)));
+    addSlowCase(branch8(NotEqual, Address(regT0, JSCell::typeInfoTypeOffset()), TrustedImm32(StringType)));
  
      if (src != dst)
          emitStore(dst, regT1, regT0);
  }
  
  
      if (src != dst)
          emitStore(dst, regT1, regT0);
  }
  
-void JIT::emitSlow_op_to_number(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+void JIT::emitSlow_op_to_string(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
  {
  {
-    linkSlowCase(iter);
+    linkSlowCase(iter); // Not JSCell.
+    linkSlowCase(iter); // Not JSString.
  
  
-    JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_to_number);
+    JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_to_string);
      slowPathCall.call();
  }
  
  void JIT::emit_op_push_name_scope(Instruction* currentInstruction)
  {
      slowPathCall.call();
  }
  
  void JIT::emit_op_push_name_scope(Instruction* currentInstruction)
  {
+    int dst = currentInstruction[1].u.operand;
      emitLoad(currentInstruction[2].u.operand, regT1, regT0);
      emitLoad(currentInstruction[2].u.operand, regT1, regT0);
-    callOperation(operationPushNameScope, &m_codeBlock->identifier(currentInstruction[1].u.operand), regT1, regT0, currentInstruction[3].u.operand);
+    if (currentInstruction[4].u.operand == JSNameScope::CatchScope) {
+        callOperation(operationPushCatchScope, dst, jsCast<SymbolTable*>(getConstantOperand(currentInstruction[3].u.operand)), regT1, regT0);
+        return;
+    }
+
+    RELEASE_ASSERT(currentInstruction[4].u.operand == JSNameScope::FunctionNameScope);
+    callOperation(operationPushFunctionNameScope, dst, jsCast<SymbolTable*>(getConstantOperand(currentInstruction[3].u.operand)), regT1, regT0);
  }
  
  void JIT::emit_op_catch(Instruction* currentInstruction)
  }
  
  void JIT::emit_op_catch(Instruction* currentInstruction)
@@ -911,17 +824,25 @@ void JIT::emit_op_catch(Instruction* currentInstruction)
      move(TrustedImmPtr(m_vm), regT3);
      // operationThrow returns the callFrame for the handler.
      load32(Address(regT3, VM::callFrameForThrowOffset()), callFrameRegister);
      move(TrustedImmPtr(m_vm), regT3);
      // operationThrow returns the callFrame for the handler.
      load32(Address(regT3, VM::callFrameForThrowOffset()), callFrameRegister);
+    load32(Address(regT3, VM::vmEntryFrameForThrowOffset()), regT0);
+    store32(regT0, Address(regT3, VM::topVMEntryFrameOffset()));
  
      addPtr(TrustedImm32(stackPointerOffsetFor(codeBlock()) * sizeof(Register)), callFrameRegister, stackPointerRegister);
  
      // Now store the exception returned by operationThrow.
  
      addPtr(TrustedImm32(stackPointerOffsetFor(codeBlock()) * sizeof(Register)), callFrameRegister, stackPointerRegister);
  
      // Now store the exception returned by operationThrow.
-    load32(Address(regT3, VM::exceptionOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT0);
-    load32(Address(regT3, VM::exceptionOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), regT1);
-    store32(TrustedImm32(JSValue().payload()), Address(regT3, VM::exceptionOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.payload)));
-    store32(TrustedImm32(JSValue().tag()), Address(regT3, VM::exceptionOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
+    load32(Address(regT3, VM::exceptionOffset()), regT2);
+    move(TrustedImm32(JSValue::CellTag), regT1);
+
+    store32(TrustedImm32(0), Address(regT3, VM::exceptionOffset()));
  
      unsigned exception = currentInstruction[1].u.operand;
  
      unsigned exception = currentInstruction[1].u.operand;
-    emitStore(exception, regT1, regT0);
+    emitStore(exception, regT1, regT2);
+
+    load32(Address(regT2, Exception::valueOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT0);
+    load32(Address(regT2, Exception::valueOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), regT1);
+
+    unsigned thrownValue = currentInstruction[2].u.operand;
+    emitStore(thrownValue, regT1, regT0);
  }
  
  void JIT::emit_op_switch_imm(Instruction* currentInstruction)
  }
  
  void JIT::emit_op_switch_imm(Instruction* currentInstruction)
@@ -1000,77 +921,59 @@ void JIT::emit_op_enter(Instruction* currentInstruction)
      slowPathCall.call();
  }
  
      slowPathCall.call();
  }
  
-void JIT::emit_op_create_activation(Instruction* currentInstruction)
-{
-    int activation = currentInstruction[1].u.operand;
-    
-    Jump activationCreated = branch32(NotEqual, tagFor(activation), TrustedImm32(JSValue::EmptyValueTag));
-    callOperation(operationCreateActivation, 0);
-    emitStoreCell(activation, returnValueGPR);
-    activationCreated.link(this);
-}
-
-void JIT::emit_op_create_arguments(Instruction* currentInstruction)
+void JIT::emit_op_create_lexical_environment(Instruction* currentInstruction)
  {
  {
-    int dst = currentInstruction[1].u.operand;
+    int lexicalEnvironment = currentInstruction[1].u.operand;
+    int scope = currentInstruction[2].u.operand;
  
  
-    Jump argsCreated = branch32(NotEqual, tagFor(dst), TrustedImm32(JSValue::EmptyValueTag));
-    callOperation(operationCreateArguments);
-    emitStoreCell(dst, returnValueGPR);
-    emitStoreCell(unmodifiedArgumentsRegister(VirtualRegister(dst)).offset(), returnValueGPR);
-    argsCreated.link(this);
+    emitLoadPayload(currentInstruction[2].u.operand, regT0);
+    callOperation(operationCreateActivation, regT0);
+    emitStoreCell(lexicalEnvironment, returnValueGPR);
+    emitStoreCell(scope, returnValueGPR);
  }
  
  }
  
-void JIT::emit_op_init_lazy_reg(Instruction* currentInstruction)
+void JIT::emit_op_get_scope(Instruction* currentInstruction)
  {
      int dst = currentInstruction[1].u.operand;
  {
      int dst = currentInstruction[1].u.operand;
-
-    emitStore(dst, JSValue());
-}
-
-void JIT::emit_op_get_callee(Instruction* currentInstruction)
-{
-    int result = currentInstruction[1].u.operand;
-    WriteBarrierBase<JSCell>* cachedFunction = &currentInstruction[2].u.jsCell;
      emitGetFromCallFrameHeaderPtr(JSStack::Callee, regT0);
      emitGetFromCallFrameHeaderPtr(JSStack::Callee, regT0);
-
-    loadPtr(cachedFunction, regT2);
-    addSlowCase(branchPtr(NotEqual, regT0, regT2));
-
-    move(TrustedImm32(JSValue::CellTag), regT1);
-    emitStore(result, regT1, regT0);
-}
-
-void JIT::emitSlow_op_get_callee(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
-{
-    linkSlowCase(iter);
-
-    JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_get_callee);
-    slowPathCall.call();
+    loadPtr(Address(regT0, JSFunction::offsetOfScopeChain()), regT0);
+    emitStoreCell(dst, regT0);
  }
  
  void JIT::emit_op_create_this(Instruction* currentInstruction)
  {
      int callee = currentInstruction[2].u.operand;
  }
  
  void JIT::emit_op_create_this(Instruction* currentInstruction)
  {
      int callee = currentInstruction[2].u.operand;
+    WriteBarrierBase<JSCell>* cachedFunction = &currentInstruction[4].u.jsCell;
      RegisterID calleeReg = regT0;
      RegisterID calleeReg = regT0;
+    RegisterID rareDataReg = regT4;
      RegisterID resultReg = regT0;
      RegisterID allocatorReg = regT1;
      RegisterID structureReg = regT2;
      RegisterID resultReg = regT0;
      RegisterID allocatorReg = regT1;
      RegisterID structureReg = regT2;
+    RegisterID cachedFunctionReg = regT4;
      RegisterID scratchReg = regT3;
  
      emitLoadPayload(callee, calleeReg);
      RegisterID scratchReg = regT3;
  
      emitLoadPayload(callee, calleeReg);
-    loadPtr(Address(calleeReg, JSFunction::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorReg);
-    loadPtr(Address(calleeReg, JSFunction::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureReg);
+    loadPtr(Address(calleeReg, JSFunction::offsetOfRareData()), rareDataReg);
+    addSlowCase(branchTestPtr(Zero, rareDataReg));
+    loadPtr(Address(rareDataReg, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorReg);
+    loadPtr(Address(rareDataReg, FunctionRareData::offsetOfAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureReg);
      addSlowCase(branchTestPtr(Zero, allocatorReg));
  
      addSlowCase(branchTestPtr(Zero, allocatorReg));
  
+    loadPtr(cachedFunction, cachedFunctionReg);
+    Jump hasSeenMultipleCallees = branchPtr(Equal, cachedFunctionReg, TrustedImmPtr(JSCell::seenMultipleCalleeObjects()));
+    addSlowCase(branchPtr(NotEqual, calleeReg, cachedFunctionReg));
+    hasSeenMultipleCallees.link(this);
+
      emitAllocateJSObject(allocatorReg, structureReg, resultReg, scratchReg);
      emitStoreCell(currentInstruction[1].u.operand, resultReg);
  }
  
  void JIT::emitSlow_op_create_this(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
  {
      emitAllocateJSObject(allocatorReg, structureReg, resultReg, scratchReg);
      emitStoreCell(currentInstruction[1].u.operand, resultReg);
  }
  
  void JIT::emitSlow_op_create_this(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
  {
+    linkSlowCase(iter); // doesn't have rare data
      linkSlowCase(iter); // doesn't have an allocation profile
      linkSlowCase(iter); // allocation failed
      linkSlowCase(iter); // doesn't have an allocation profile
      linkSlowCase(iter); // allocation failed
+    linkSlowCase(iter); // cached function didn't match
  
      JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_create_this);
      slowPathCall.call();
  
      JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_create_this);
      slowPathCall.call();
@@ -1099,6 +1002,19 @@ void JIT::emitSlow_op_to_this(Instruction* currentInstruction, Vector<SlowCaseEn
      slowPathCall.call();
  }
  
      slowPathCall.call();
  }
  
+void JIT::emit_op_check_tdz(Instruction* currentInstruction)
+{
+    emitLoadTag(currentInstruction[1].u.operand, regT0);
+    addSlowCase(branch32(Equal, regT0, TrustedImm32(JSValue::EmptyValueTag)));
+}
+
+void JIT::emitSlow_op_check_tdz(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    linkSlowCase(iter);
+    JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_throw_tdz_error);
+    slowPathCall.call();
+}
+
  void JIT::emit_op_profile_will_call(Instruction* currentInstruction)
  {
      load32(m_vm->enabledProfilerAddress(), regT0);
  void JIT::emit_op_profile_will_call(Instruction* currentInstruction)
  {
      load32(m_vm->enabledProfilerAddress(), regT0);
@@ -1117,63 +1033,276 @@ void JIT::emit_op_profile_did_call(Instruction* currentInstruction)
      profilerDone.link(this);
  }
  
      profilerDone.link(this);
  }
  
-void JIT::emit_op_get_arguments_length(Instruction* currentInstruction)
+void JIT::emit_op_has_structure_property(Instruction* currentInstruction)
  {
      int dst = currentInstruction[1].u.operand;
  {
      int dst = currentInstruction[1].u.operand;
-    int argumentsRegister = currentInstruction[2].u.operand;
-    addSlowCase(branch32(NotEqual, tagFor(argumentsRegister), TrustedImm32(JSValue::EmptyValueTag)));
-    load32(payloadFor(JSStack::ArgumentCount), regT0);
-    sub32(TrustedImm32(1), regT0);
-    emitStoreInt32(dst, regT0);
+    int base = currentInstruction[2].u.operand;
+    int enumerator = currentInstruction[4].u.operand;
+
+    emitLoadPayload(base, regT0);
+    emitJumpSlowCaseIfNotJSCell(base);
+
+    emitLoadPayload(enumerator, regT1);
+
+    load32(Address(regT0, JSCell::structureIDOffset()), regT0);
+    addSlowCase(branch32(NotEqual, regT0, Address(regT1, JSPropertyNameEnumerator::cachedStructureIDOffset())));
+    
+    move(TrustedImm32(1), regT0);
+    emitStoreBool(dst, regT0);
  }
  
  }
  
-void JIT::emitSlow_op_get_arguments_length(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+void JIT::privateCompileHasIndexedProperty(ByValInfo* byValInfo, ReturnAddressPtr returnAddress, JITArrayMode arrayMode)
+{
+    Instruction* currentInstruction = m_codeBlock->instructions().begin() + byValInfo->bytecodeIndex;
+    
+    PatchableJump badType;
+    
+    // FIXME: Add support for other types like TypedArrays and Arguments.
+    // See https://bugs.webkit.org/show_bug.cgi?id=135033 and https://bugs.webkit.org/show_bug.cgi?id=135034.
+    JumpList slowCases = emitLoadForArrayMode(currentInstruction, arrayMode, badType);
+    move(TrustedImm32(1), regT0);
+    Jump done = jump();
+
+    LinkBuffer patchBuffer(*m_vm, *this, m_codeBlock);
+    
+    patchBuffer.link(badType, CodeLocationLabel(MacroAssemblerCodePtr::createFromExecutableAddress(returnAddress.value())).labelAtOffset(byValInfo->returnAddressToSlowPath));
+    patchBuffer.link(slowCases, CodeLocationLabel(MacroAssemblerCodePtr::createFromExecutableAddress(returnAddress.value())).labelAtOffset(byValInfo->returnAddressToSlowPath));
+    
+    patchBuffer.link(done, byValInfo->badTypeJump.labelAtOffset(byValInfo->badTypeJumpToDone));
+    
+    byValInfo->stubRoutine = FINALIZE_CODE_FOR_STUB(
+        m_codeBlock, patchBuffer,
+        ("Baseline has_indexed_property stub for %s, return point %p", toCString(*m_codeBlock).data(), returnAddress.value()));
+    
+    RepatchBuffer repatchBuffer(m_codeBlock);
+    repatchBuffer.relink(byValInfo->badTypeJump, CodeLocationLabel(byValInfo->stubRoutine->code().code()));
+    repatchBuffer.relinkCallerToFunction(returnAddress, FunctionPtr(operationHasIndexedPropertyGeneric));
+}
+
+void JIT::emit_op_has_indexed_property(Instruction* currentInstruction)
  {
  {
-    linkSlowCase(iter);
      int dst = currentInstruction[1].u.operand;
      int base = currentInstruction[2].u.operand;
      int dst = currentInstruction[1].u.operand;
      int base = currentInstruction[2].u.operand;
-    callOperation(operationGetArgumentsLength, dst, base);
+    int property = currentInstruction[3].u.operand;
+    ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
+    
+    emitLoadPayload(base, regT0);
+    emitJumpSlowCaseIfNotJSCell(base);
+
+    emitLoadPayload(property, regT1);
+
+    // This is technically incorrect - we're zero-extending an int32. On the hot path this doesn't matter.
+    // We check the value as if it was a uint32 against the m_vectorLength - which will always fail if
+    // number was signed since m_vectorLength is always less than intmax (since the total allocation
+    // size is always less than 4Gb). As such zero extending will have been correct (and extending the value
+    // to 64-bits is necessary since it's used in the address calculation. We zero extend rather than sign
+    // extending since it makes it easier to re-tag the value in the slow case.
+    zeroExtend32ToPtr(regT1, regT1);
+
+    emitArrayProfilingSiteWithCell(regT0, regT2, profile);
+    and32(TrustedImm32(IndexingShapeMask), regT2);
+
+    JITArrayMode mode = chooseArrayMode(profile);
+    PatchableJump badType;
+
+    // FIXME: Add support for other types like TypedArrays and Arguments.
+    // See https://bugs.webkit.org/show_bug.cgi?id=135033 and https://bugs.webkit.org/show_bug.cgi?id=135034.
+    JumpList slowCases = emitLoadForArrayMode(currentInstruction, mode, badType);
+    move(TrustedImm32(1), regT0);
+
+    addSlowCase(badType);
+    addSlowCase(slowCases);
+    
+    Label done = label();
+    
+    emitStoreBool(dst, regT0);
+    
+    m_byValCompilationInfo.append(ByValCompilationInfo(m_bytecodeOffset, badType, mode, done));
  }
  
  }
  
-void JIT::emit_op_get_argument_by_val(Instruction* currentInstruction)
+void JIT::emitSlow_op_has_indexed_property(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
  {
      int dst = currentInstruction[1].u.operand;
  {
      int dst = currentInstruction[1].u.operand;
-    int argumentsRegister = currentInstruction[2].u.operand;
+    int base = currentInstruction[2].u.operand;
      int property = currentInstruction[3].u.operand;
      int property = currentInstruction[3].u.operand;
-    addSlowCase(branch32(NotEqual, tagFor(argumentsRegister), TrustedImm32(JSValue::EmptyValueTag)));
-    emitLoad(property, regT1, regT2);
-    addSlowCase(branch32(NotEqual, regT1, TrustedImm32(JSValue::Int32Tag)));
-    add32(TrustedImm32(1), regT2);
-    // regT2 now contains the integer index of the argument we want, including this
-    load32(payloadFor(JSStack::ArgumentCount), regT3);
-    addSlowCase(branch32(AboveOrEqual, regT2, regT3));
+    ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
+    
+    linkSlowCaseIfNotJSCell(iter, base); // base cell check
+    linkSlowCase(iter); // base array check
+    linkSlowCase(iter); // vector length check
+    linkSlowCase(iter); // empty value
+
+    Label slowPath = label();
+    
+    emitLoad(base, regT1, regT0);
+    emitLoad(property, regT3, regT2);
+    Call call = callOperation(operationHasIndexedPropertyDefault, dst, regT1, regT0, regT3, regT2, profile);
+
+    m_byValCompilationInfo[m_byValInstructionIndex].slowPathTarget = slowPath;
+    m_byValCompilationInfo[m_byValInstructionIndex].returnAddress = call;
+    m_byValInstructionIndex++;
+}
+
+void JIT::emit_op_get_direct_pname(Instruction* currentInstruction)
+{
+    int dst = currentInstruction[1].u.operand;
+    int base = currentInstruction[2].u.operand;
+    int index = currentInstruction[4].u.operand;
+    int enumerator = currentInstruction[5].u.operand;
+
+    // Check that base is a cell
+    emitLoadPayload(base, regT0);
+    emitJumpSlowCaseIfNotJSCell(base);
+
+    // Check the structure
+    emitLoadPayload(enumerator, regT1);
+    load32(Address(regT0, JSCell::structureIDOffset()), regT2);
+    addSlowCase(branch32(NotEqual, regT2, Address(regT1, JSPropertyNameEnumerator::cachedStructureIDOffset())));
+
+    // Compute the offset
+    emitLoadPayload(index, regT2);
+    // If index is less than the enumerator's cached inline storage, then it's an inline access
+    Jump outOfLineAccess = branch32(AboveOrEqual, regT2, Address(regT1, JSPropertyNameEnumerator::cachedInlineCapacityOffset()));
+    addPtr(TrustedImm32(JSObject::offsetOfInlineStorage()), regT0);
+    load32(BaseIndex(regT0, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag)), regT1);
+    load32(BaseIndex(regT0, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT0);
+    
+    Jump done = jump();
+
+    // Otherwise it's out of line
+    outOfLineAccess.link(this);
+    loadPtr(Address(regT0, JSObject::butterflyOffset()), regT0);
+    sub32(Address(regT1, JSPropertyNameEnumerator::cachedInlineCapacityOffset()), regT2);
+    neg32(regT2);
+    int32_t offsetOfFirstProperty = static_cast<int32_t>(offsetInButterfly(firstOutOfLineOffset)) * sizeof(EncodedJSValue);
+    load32(BaseIndex(regT0, regT2, TimesEight, offsetOfFirstProperty + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), regT1);
+    load32(BaseIndex(regT0, regT2, TimesEight, offsetOfFirstProperty + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT0);
      
      
-    loadPtr(BaseIndex(callFrameRegister, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload) + CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register))), regT0);
-    loadPtr(BaseIndex(callFrameRegister, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag) + CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register))), regT1);
+    done.link(this);
      emitValueProfilingSite();
      emitStore(dst, regT1, regT0);
  }
  
      emitValueProfilingSite();
      emitStore(dst, regT1, regT0);
  }
  
-void JIT::emitSlow_op_get_argument_by_val(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+void JIT::emitSlow_op_get_direct_pname(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    int base = currentInstruction[2].u.operand;
+    linkSlowCaseIfNotJSCell(iter, base);
+    linkSlowCase(iter);
+
+    JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_get_direct_pname);
+    slowPathCall.call();
+}
+
+void JIT::emit_op_enumerator_structure_pname(Instruction* currentInstruction)
  {
      int dst = currentInstruction[1].u.operand;
  {
      int dst = currentInstruction[1].u.operand;
-    int arguments = currentInstruction[2].u.operand;
-    int property = currentInstruction[3].u.operand;
+    int enumerator = currentInstruction[2].u.operand;
+    int index = currentInstruction[3].u.operand;
  
  
-    linkSlowCase(iter);
-    Jump skipArgumentsCreation = jump();
+    emitLoadPayload(index, regT0);
+    emitLoadPayload(enumerator, regT1);
+    Jump inBounds = branch32(Below, regT0, Address(regT1, JSPropertyNameEnumerator::endStructurePropertyIndexOffset()));
  
  
-    linkSlowCase(iter);
-    linkSlowCase(iter);
+    move(TrustedImm32(JSValue::NullTag), regT2);
+    move(TrustedImm32(0), regT0);
+
+    Jump done = jump();
+    inBounds.link(this);
+
+    loadPtr(Address(regT1, JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset()), regT1);
+    loadPtr(BaseIndex(regT1, regT0, timesPtr()), regT0);
+    move(TrustedImm32(JSValue::CellTag), regT2);
+
+    done.link(this);
+    emitStore(dst, regT2, regT0);
+}
+
+void JIT::emit_op_enumerator_generic_pname(Instruction* currentInstruction)
+{
+    int dst = currentInstruction[1].u.operand;
+    int enumerator = currentInstruction[2].u.operand;
+    int index = currentInstruction[3].u.operand;
+
+    emitLoadPayload(index, regT0);
+    emitLoadPayload(enumerator, regT1);
+    Jump inBounds = branch32(Below, regT0, Address(regT1, JSPropertyNameEnumerator::endGenericPropertyIndexOffset()));
+
+    move(TrustedImm32(JSValue::NullTag), regT2);
+    move(TrustedImm32(0), regT0);
+
+    Jump done = jump();
+    inBounds.link(this);
  
  
-    callOperation(operationCreateArguments);
-    emitStoreCell(arguments, returnValueGPR);
-    emitStoreCell(unmodifiedArgumentsRegister(VirtualRegister(arguments)).offset(), returnValueGPR);
+    loadPtr(Address(regT1, JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset()), regT1);
+    loadPtr(BaseIndex(regT1, regT0, timesPtr()), regT0);
+    move(TrustedImm32(JSValue::CellTag), regT2);
      
      
-    skipArgumentsCreation.link(this);
-    emitLoad(arguments, regT1, regT0);
-    emitLoad(property, regT3, regT2);
-    callOperation(WithProfile, operationGetByValGeneric, dst, regT1, regT0, regT3, regT2);
+    done.link(this);
+    emitStore(dst, regT2, regT0);
+}
+
+void JIT::emit_op_profile_type(Instruction* currentInstruction)
+{
+    TypeLocation* cachedTypeLocation = currentInstruction[2].u.location;
+    int valueToProfile = currentInstruction[1].u.operand;
+
+    // Load payload in T0. Load tag in T3.
+    emitLoadPayload(valueToProfile, regT0);
+    emitLoadTag(valueToProfile, regT3);
+
+    JumpList jumpToEnd;
+
+    // Compile in a predictive type check, if possible, to see if we can skip writing to the log.
+    // These typechecks are inlined to match those of the 32-bit JSValue type checks.
+    if (cachedTypeLocation->m_lastSeenType == TypeUndefined)
+        jumpToEnd.append(branch32(Equal, regT3, TrustedImm32(JSValue::UndefinedTag)));
+    else if (cachedTypeLocation->m_lastSeenType == TypeNull)
+        jumpToEnd.append(branch32(Equal, regT3, TrustedImm32(JSValue::NullTag)));
+    else if (cachedTypeLocation->m_lastSeenType == TypeBoolean)
+        jumpToEnd.append(branch32(Equal, regT3, TrustedImm32(JSValue::BooleanTag)));
+    else if (cachedTypeLocation->m_lastSeenType == TypeMachineInt)
+        jumpToEnd.append(branch32(Equal, regT3, TrustedImm32(JSValue::Int32Tag)));
+    else if (cachedTypeLocation->m_lastSeenType == TypeNumber) {
+        jumpToEnd.append(branch32(Below, regT3, TrustedImm32(JSValue::LowestTag)));
+        jumpToEnd.append(branch32(Equal, regT3, TrustedImm32(JSValue::Int32Tag)));
+    } else if (cachedTypeLocation->m_lastSeenType == TypeString) {
+        Jump isNotCell = branch32(NotEqual, regT3, TrustedImm32(JSValue::CellTag));
+        jumpToEnd.append(branch8(Equal, Address(regT0, JSCell::typeInfoTypeOffset()), TrustedImm32(StringType)));
+        isNotCell.link(this);
+    }
+
+    // Load the type profiling log into T2.
+    TypeProfilerLog* cachedTypeProfilerLog = m_vm->typeProfilerLog();
+    move(TrustedImmPtr(cachedTypeProfilerLog), regT2);
+
+    // Load the next log entry into T1.
+    loadPtr(Address(regT2, TypeProfilerLog::currentLogEntryOffset()), regT1);
+
+    // Store the JSValue onto the log entry.
+    store32(regT0, Address(regT1, TypeProfilerLog::LogEntry::valueOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.payload)));
+    store32(regT3, Address(regT1, TypeProfilerLog::LogEntry::valueOffset() + OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
+
+    // Store the structureID of the cell if argument is a cell, otherwise, store 0 on the log entry.
+    Jump notCell = branch32(NotEqual, regT3, TrustedImm32(JSValue::CellTag));
+    load32(Address(regT0, JSCell::structureIDOffset()), regT0);
+    store32(regT0, Address(regT1, TypeProfilerLog::LogEntry::structureIDOffset()));
+    Jump skipNotCell = jump();
+    notCell.link(this);
+    store32(TrustedImm32(0), Address(regT1, TypeProfilerLog::LogEntry::structureIDOffset()));
+    skipNotCell.link(this);
+
+    // Store the typeLocation on the log entry.
+    move(TrustedImmPtr(cachedTypeLocation), regT0);
+    store32(regT0, Address(regT1, TypeProfilerLog::LogEntry::locationOffset()));
+
+    // Increment the current log entry.
+    addPtr(TrustedImm32(sizeof(TypeProfilerLog::LogEntry)), regT1);
+    store32(regT1, Address(regT2, TypeProfilerLog::currentLogEntryOffset()));
+    jumpToEnd.append(branchPtr(NotEqual, regT1, TrustedImmPtr(cachedTypeProfilerLog->logEndPtr())));
+    // Clear the log if we're at the end of the log.
+    callOperation(operationProcessTypeProfilerLog);
+
+    jumpToEnd.link(this);
  }
  
  } // namespace JSC
  }
  
  } // namespace JSC