Changeset 193640 in webkit for trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp

Timestamp:

Dec 7, 2015, 11:17:56 AM (10 years ago)

Author:

[email protected]

Message:

FTL B3 should be able to make JS->JS calls
​https://bugs.webkit.org/show_bug.cgi?id=151901

Reviewed by Saam Barati.

This adds support for the Call and InvalidationPoint opcodes in DFG IR. This required doing some
clean-up in the OSR exit code. We don't want the B3 FTL to use a bunch of vectors to hold
side-state, so the use of OSRExitDescriptorImpl is not right. It makes sense in the LLVM FTL
because that code needs some way of saving some state from LowerDFGToLLVM to compile(), but
that's not how B3 FTL works. It turns out that for B3 FTL, there isn't anything in
OSRExitDescriptorImpl that the code in LowerDFGToLLVM can't just capture in a lambda.

This also simplifies some stackmap-related APIs, since I got tired of writing boilerplate.

• CMakeLists.txt:
• JavaScriptCore.xcodeproj/project.pbxproj:
• assembler/AbstractMacroAssembler.h:

(JSC::AbstractMacroAssembler::replaceWithAddressComputation):
(JSC::AbstractMacroAssembler::addLinkTask):

• b3/B3CheckSpecial.cpp:

(JSC::B3::CheckSpecial::generate):

• b3/B3Effects.h:
• b3/B3PatchpointSpecial.cpp:

(JSC::B3::PatchpointSpecial::generate):

• b3/B3Procedure.cpp:

(JSC::B3::Procedure::addDataSection):
(JSC::B3::Procedure::callArgAreaSize):
(JSC::B3::Procedure::requestCallArgAreaSize):
(JSC::B3::Procedure::frameSize):

• b3/B3Procedure.h:

(JSC::B3::Procedure::releaseByproducts):
(JSC::B3::Procedure::code):

• b3/B3StackmapGenerationParams.cpp: Added.

(JSC::B3::StackmapGenerationParams::usedRegisters):
(JSC::B3::StackmapGenerationParams::proc):
(JSC::B3::StackmapGenerationParams::StackmapGenerationParams):

• b3/B3StackmapGenerationParams.h: Added.

(JSC::B3::StackmapGenerationParams::value):
(JSC::B3::StackmapGenerationParams::reps):
(JSC::B3::StackmapGenerationParams::size):
(JSC::B3::StackmapGenerationParams::at):
(JSC::B3::StackmapGenerationParams::operator[]):
(JSC::B3::StackmapGenerationParams::begin):
(JSC::B3::StackmapGenerationParams::end):
(JSC::B3::StackmapGenerationParams::context):
(JSC::B3::StackmapGenerationParams::addLatePath):

• b3/B3StackmapValue.h:
• b3/B3ValueRep.h:

(JSC::B3::ValueRep::doubleValue):
(JSC::B3::ValueRep::withOffset):

• b3/air/AirGenerationContext.h:
• b3/testb3.cpp:

(JSC::B3::testSimplePatchpoint):
(JSC::B3::testSimplePatchpointWithoutOuputClobbersGPArgs):
(JSC::B3::testSimplePatchpointWithOuputClobbersGPArgs):
(JSC::B3::testSimplePatchpointWithoutOuputClobbersFPArgs):
(JSC::B3::testSimplePatchpointWithOuputClobbersFPArgs):
(JSC::B3::testPatchpointWithEarlyClobber):
(JSC::B3::testPatchpointCallArg):
(JSC::B3::testPatchpointFixedRegister):
(JSC::B3::testPatchpointAny):
(JSC::B3::testPatchpointLotsOfLateAnys):
(JSC::B3::testPatchpointAnyImm):
(JSC::B3::testPatchpointManyImms):
(JSC::B3::testPatchpointWithRegisterResult):
(JSC::B3::testPatchpointWithStackArgumentResult):
(JSC::B3::testPatchpointWithAnyResult):
(JSC::B3::testSimpleCheck):
(JSC::B3::testCheckLessThan):
(JSC::B3::testCheckMegaCombo):
(JSC::B3::testCheckAddImm):
(JSC::B3::testCheckAddImmCommute):
(JSC::B3::testCheckAddImmSomeRegister):
(JSC::B3::testCheckAdd):
(JSC::B3::testCheckAdd64):
(JSC::B3::testCheckSubImm):
(JSC::B3::testCheckSubBadImm):
(JSC::B3::testCheckSub):
(JSC::B3::testCheckSub64):
(JSC::B3::testCheckNeg):
(JSC::B3::testCheckNeg64):
(JSC::B3::testCheckMul):
(JSC::B3::testCheckMulMemory):
(JSC::B3::testCheckMul2):
(JSC::B3::testCheckMul64):
(JSC::B3::genericTestCompare):

• ftl/FTLExceptionHandlerManager.cpp:
• ftl/FTLExceptionHandlerManager.h:
• ftl/FTLJSCall.cpp:
• ftl/FTLJSCall.h:
• ftl/FTLJSCallBase.cpp:

(JSC::FTL::JSCallBase::emit):

• ftl/FTLJSCallBase.h:
• ftl/FTLJSCallVarargs.cpp:
• ftl/FTLJSCallVarargs.h:
• ftl/FTLJSTailCall.cpp:

(JSC::FTL::DFG::getRegisterWithAddend):
(JSC::FTL::JSTailCall::emit):
(JSC::FTL::JSTailCall::JSTailCall): Deleted.

• ftl/FTLJSTailCall.h:

(JSC::FTL::JSTailCall::stackmapID):
(JSC::FTL::JSTailCall::estimatedSize):
(JSC::FTL::JSTailCall::operator<):
(JSC::FTL::JSTailCall::patchpoint): Deleted.

• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::DFG::LowerDFGToLLVM::compileCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToLLVM::compileInvalidationPoint):
(JSC::FTL::DFG::LowerDFGToLLVM::lazySlowPath):
(JSC::FTL::DFG::LowerDFGToLLVM::callCheck):
(JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitArgumentsForPatchpointIfWillCatchException):
(JSC::FTL::DFG::LowerDFGToLLVM::emitBranchToOSRExitIfWillCatchException):
(JSC::FTL::DFG::LowerDFGToLLVM::lowBlock):
(JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExitDescriptor):
(JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
(JSC::FTL::DFG::LowerDFGToLLVM::blessSpeculation):
(JSC::FTL::DFG::LowerDFGToLLVM::emitOSRExitCall):
(JSC::FTL::DFG::LowerDFGToLLVM::buildExitArguments):
(JSC::FTL::DFG::LowerDFGToLLVM::exitValueForNode):

• ftl/FTLOSRExit.cpp:

(JSC::FTL::OSRExitDescriptor::OSRExitDescriptor):
(JSC::FTL::OSRExitDescriptor::emitOSRExit):
(JSC::FTL::OSRExitDescriptor::emitOSRExitLater):
(JSC::FTL::OSRExitDescriptor::prepareOSRExitHandle):
(JSC::FTL::OSRExit::OSRExit):
(JSC::FTL::OSRExit::codeLocationForRepatch):
(JSC::FTL::OSRExit::recoverRegistersFromSpillSlot):
(JSC::FTL::OSRExit::willArriveAtExitFromIndirectExceptionCheck):
(JSC::FTL::OSRExit::needsRegisterRecoveryOnGenericUnwindOSRExitPath):

• ftl/FTLOSRExit.h:

(JSC::FTL::OSRExitDescriptorImpl::OSRExitDescriptorImpl):
(JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):

• ftl/FTLOSRExitCompiler.cpp:

(JSC::FTL::compileStub):
(JSC::FTL::compileFTLOSRExit):

• ftl/FTLState.h:

File:

• trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (modified) (18 diffs)

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp

@@ -31 +31 @@
 #include "AirGenerationContext.h"
 #include "AllowMacroScratchRegisterUsage.h"
+#include "B3StackmapGenerationParams.h"
 #include "CodeBlockWithJITType.h"
 #include "DFGAbstractInterpreterInlines.h"
@@ -4829 +4830 @@
     void compileCallOrConstruct()
     {
+        Node* node = m_node;
+        unsigned numArgs = node->numChildren() - 1;
+
+        LValue jsCallee = lowJSValue(m_graph.varArgChild(node, 0));
+
 #if FTL_USES_B3
-        if (verboseCompilationEnabled() || !verboseCompilationEnabled())
-            CRASH();
+        unsigned frameSize = JSStack::CallFrameHeaderSize + numArgs;
+        unsigned alignedFrameSize = WTF::roundUpToMultipleOf(stackAlignmentRegisters(), frameSize);
+
+        // JS->JS calling convention requires that the caller allows this much space on top of stack to
+        // get trashed by the callee, even if not all of that space is used to pass arguments. We tell
+        // B3 this explicitly for two reasons:
+        //
+        // - We will only pass frameSize worth of stuff.
+        // - The trashed stack guarantee is logically separate from the act of passing arguments, so we
+        //   shouldn't rely on Air to infer the trashed stack property based on the arguments it ends
+        //   up seeing.
+        m_proc.requestCallArgAreaSize(alignedFrameSize);
+
+        // Collect the arguments, since this can generate code and we want to generate it before we emit
+        // the call.
+        Vector<ConstrainedValue> arguments;
+
+        // Make sure that the callee goes into GPR0 because that's where the slow path thunks expect the
+        // callee to be.
+        arguments.append(ConstrainedValue(jsCallee, ValueRep::reg(GPRInfo::regT0)));
+
+        auto addArgument = [&] (LValue value, VirtualRegister reg, int offset) {
+            intptr_t offsetFromSP =
+                (reg.offset() - JSStack::CallerFrameAndPCSize) * sizeof(EncodedJSValue) + offset;
+            arguments.append(ConstrainedValue(value, ValueRep::stackArgument(offsetFromSP)));
+        };
+
+        addArgument(jsCallee, VirtualRegister(JSStack::Callee), 0);
+        addArgument(m_out.constInt32(numArgs), VirtualRegister(JSStack::ArgumentCount), PayloadOffset);
+        for (unsigned i = 0; i < numArgs; ++i)
+            addArgument(lowJSValue(m_graph.varArgChild(node, 1 + i)), virtualRegisterForArgument(i), 0);
+
+        PatchpointValue* patchpoint = m_out.patchpoint(Int64);
+        patchpoint->appendVector(arguments);
+        patchpoint->clobber(RegisterSet::macroScratchRegisters());
+        patchpoint->clobberLate(RegisterSet::volatileRegistersForJSCall());
+        patchpoint->resultConstraint = ValueRep::reg(GPRInfo::returnValueGPR);
+
+        CodeOrigin codeOrigin = codeOriginDescriptionOfCallSite();
+        State* state = &m_ftlState;
+        patchpoint->setGenerator(
+            [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
+                AllowMacroScratchRegisterUsage allowScratch(jit);
+                CallSiteIndex callSiteIndex = state->jitCode->common.addUniqueCallSiteIndex(codeOrigin);
+
+                // FIXME: If we were handling exceptions, then at this point we would ask our descriptor
+                // to prepare and then we would modify the OSRExit data structure inside the
+                // OSRExitHandle to link it up to this call.
+                // https://bugs.webkit.org/show_bug.cgi?id=151686
+
+                jit.store32(
+                    CCallHelpers::TrustedImm32(callSiteIndex.bits()),
+                    CCallHelpers::tagFor(VirtualRegister(JSStack::ArgumentCount)));
+
+                CallLinkInfo* callLinkInfo = jit.codeBlock()->addCallLinkInfo();
+
+                CCallHelpers::DataLabelPtr targetToCheck;
+                CCallHelpers::Jump slowPath = jit.branchPtrWithPatch(
+                    CCallHelpers::NotEqual, GPRInfo::regT0, targetToCheck,
+                    CCallHelpers::TrustedImmPtr(0));
+
+                CCallHelpers::Call fastCall = jit.nearCall();
+                CCallHelpers::Jump done = jit.jump();
+
+                slowPath.link(&jit);
+
+                jit.move(CCallHelpers::TrustedImmPtr(callLinkInfo), GPRInfo::regT2);
+                CCallHelpers::Call slowCall = jit.nearCall();
+                done.link(&jit);
+
+                callLinkInfo->setUpCall(
+                    node->op() == Construct ? CallLinkInfo::Construct : CallLinkInfo::Call,
+                    node->origin.semantic, GPRInfo::regT0);
+
+                jit.addPtr(
+                    CCallHelpers::TrustedImm32(-params.proc().frameSize()),
+                    GPRInfo::callFrameRegister, CCallHelpers::stackPointerRegister);
+
+                jit.addLinkTask(
+                    [=] (LinkBuffer& linkBuffer) {
+                        MacroAssemblerCodePtr linkCall =
+                            linkBuffer.vm().getCTIStub(linkCallThunkGenerator).code();
+                        linkBuffer.link(slowCall, FunctionPtr(linkCall.executableAddress()));
+
+                        callLinkInfo->setCallLocations(
+                            linkBuffer.locationOfNearCall(slowCall),
+                            linkBuffer.locationOf(targetToCheck),
+                            linkBuffer.locationOfNearCall(fastCall));
+                    });
+            });
+
+        setJSValue(patchpoint);
 #else
-        int numArgs = m_node->numChildren() - 1;
-
-        LValue jsCallee = lowJSValue(m_graph.varArgChild(m_node, 0));
-
         unsigned stackmapID = m_stackmapIDs++;
 
@@ -4849 +4941 @@
         arguments.append(jsCallee); // callee -> stack
         arguments.append(m_out.constInt64(numArgs)); // argument count and zeros for the tag
-        for (int i = 0; i < numArgs; ++i)
-            arguments.append(lowJSValue(m_graph.varArgChild(m_node, 1 + i)));
+        for (unsigned i = 0; i < numArgs; ++i)
+            arguments.append(lowJSValue(m_graph.varArgChild(node, 1 + i)));
         for (unsigned i = 0; i < padding; ++i)
             arguments.append(getUndef(m_out.int64));
@@ -4864 +4956 @@
         setInstructionCallingConvention(call, LLVMWebKitJSCallConv);
         
-        m_ftlState.jsCalls.append(JSCall(stackmapID, m_node, codeOriginDescriptionOfCallSite()));
+        m_ftlState.jsCalls.append(JSCall(stackmapID, node, codeOriginDescriptionOfCallSite()));
         
         setJSValue(call);
@@ -5323 +5415 @@
     void compileInvalidationPoint()
     {
-#if FTL_USES_B3
-        UNREACHABLE_FOR_PLATFORM();
-#else // FTL_USES_B3
         if (verboseCompilationEnabled())
             dataLog("    Invalidation point with availability: ", availabilityMap(), "\n");
@@ -5331 +5420 @@
         DFG_ASSERT(m_graph, m_node, m_origin.exitOK);
         
+#if FTL_USES_B3
+        B3::PatchpointValue* patchpoint = m_out.patchpoint(Void);
+        OSRExitDescriptor* descriptor = appendOSRExitDescriptor(noValue(), nullptr);
+        NodeOrigin origin = m_origin;
+        patchpoint->appendColdAnys(buildExitArguments(descriptor, origin.forExit, noValue()));
+        
+        State* state = &m_ftlState;
+
+        patchpoint->setGenerator(
+            [=] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
+                // The MacroAssembler knows more about this than B3 does. The watchpointLabel() method
+                // will ensure that this is followed by a nop shadow but only when this is actually
+                // necessary.
+                CCallHelpers::Label label = jit.watchpointLabel();
+
+                RefPtr<OSRExitHandle> handle = descriptor->emitOSRExitLater(
+                    *state, UncountableInvalidation, origin, params);
+
+                RefPtr<JITCode> jitCode = state->jitCode.get();
+
+                jit.addLinkTask(
+                    [=] (LinkBuffer& linkBuffer) {
+                        JumpReplacement jumpReplacement(
+                            linkBuffer.locationOf(label),
+                            linkBuffer.locationOf(handle->label));
+                        jitCode->common.jumpReplacements.append(jumpReplacement);
+                    });
+            });
+
+        // Set some obvious things.
+        patchpoint->effects.terminal = false;
+        patchpoint->effects.writesSSAState = false;
+        patchpoint->effects.readsSSAState = false;
+        
+        // This is how we tell B3 about the possibility of jump replacement.
+        patchpoint->effects.exitsSideways = true;
+        
+        // It's not possible for some prior branch to determine the safety of this operation. It's always
+        // fine to execute this on some path that wouldn't have originally executed it before
+        // optimization.
+        patchpoint->effects.controlDependent = false;
+
+        // If this falls through then it won't write anything.
+        patchpoint->effects.writes = HeapRange();
+
+        // When this abruptly terminates, it could read any heap location.
+        patchpoint->effects.reads = HeapRange::top();
+#else // FTL_USES_B3
 
         OSRExitDescriptor* exitDescriptor = appendOSRExitDescriptor(UncountableInvalidation, ExceptionType::None, noValue(), nullptr, m_origin);
         
-        StackmapArgumentList arguments = buildExitArguments(exitDescriptor, m_ftlState.osrExitDescriptorImpls.last(), FormattedValue());
+        StackmapArgumentList arguments = buildExitArguments(exitDescriptor, m_ftlState.osrExitDescriptorImpls.last().m_codeOrigin, FormattedValue());
         callStackmap(exitDescriptor, arguments);
         
@@ -7902 +8039 @@
             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
                 Vector<Location> locations;
-                for (const B3::ValueRep& rep : params.reps)
+                for (const B3::ValueRep& rep : params)
                     locations.append(Location::forValueRep(rep));
 
@@ -7910 +8047 @@
                 CCallHelpers::Label done = jit.label();
 
-                RegisterSet usedRegisters = params.usedRegisters;
+                RegisterSet usedRegisters = params.usedRegisters();
 
                 // FIXME: As part of handling exceptions, we need to create a concrete OSRExit here.
                 // Doing so should automagically register late paths that emit exit thunks.
-                
-                params.context->latePaths.append(
-                    createSharedTask<Air::GenerationContext::LatePathFunction>(
-                        [=] (CCallHelpers& jit, Air::GenerationContext&) {
-                            AllowMacroScratchRegisterUsage allowScratch(jit);
-                            patchableJump.m_jump.link(&jit);
-                            unsigned index = state->jitCode->lazySlowPaths.size();
-                            state->jitCode->lazySlowPaths.append(nullptr);
-                            jit.pushToSaveImmediateWithoutTouchingRegisters(
-                                CCallHelpers::TrustedImm32(index));
-                            CCallHelpers::Jump generatorJump = jit.jump();
-
-                            // Note that so long as we're here, we don't really know if our late path
-                            // runs before or after any other late paths that we might depend on, like
-                            // the exception thunk.
-
-                            RefPtr<JITCode> jitCode = state->jitCode;
-                            VM* vm = &state->graph.m_vm;
-
-                            jit.addLinkTask(
-                                [=] (LinkBuffer& linkBuffer) {
-                                    linkBuffer.link(
-                                        generatorJump, CodeLocationLabel(
-                                            vm->getCTIStub(
-                                                lazySlowPathGenerationThunkGenerator).code()));
+
+                params.addLatePath(
+                    [=] (CCallHelpers& jit) {
+                        AllowMacroScratchRegisterUsage allowScratch(jit);
+                        patchableJump.m_jump.link(&jit);
+                        unsigned index = state->jitCode->lazySlowPaths.size();
+                        state->jitCode->lazySlowPaths.append(nullptr);
+                        jit.pushToSaveImmediateWithoutTouchingRegisters(
+                            CCallHelpers::TrustedImm32(index));
+                        CCallHelpers::Jump generatorJump = jit.jump();
+
+                        // Note that so long as we're here, we don't really know if our late path
+                        // runs before or after any other late paths that we might depend on, like
+                        // the exception thunk.
+
+                        RefPtr<JITCode> jitCode = state->jitCode;
+                        VM* vm = &state->graph.m_vm;
+
+                        jit.addLinkTask(
+                            [=] (LinkBuffer& linkBuffer) {
+                                linkBuffer.link(
+                                    generatorJump, CodeLocationLabel(
+                                        vm->getCTIStub(
+                                            lazySlowPathGenerationThunkGenerator).code()));
                                     
-                                    CodeLocationJump linkedPatchableJump = CodeLocationJump(
-                                        linkBuffer.locationOf(patchableJump));
-                                    CodeLocationLabel linkedDone = linkBuffer.locationOf(done);
-
-                                    // FIXME: Need a story for exceptions in FTL-B3. That basically means
-                                    // doing a lookup of the exception entrypoint here. We will have an
-                                    // OSR exit data structure of some sort.
-                                    // https://bugs.webkit.org/show_bug.cgi?id=151686
-                                    CodeLocationLabel exceptionTarget;
-                                    CallSiteIndex callSiteIndex =
-                                        jitCode->common.addUniqueCallSiteIndex(origin);
+                                CodeLocationJump linkedPatchableJump = CodeLocationJump(
+                                    linkBuffer.locationOf(patchableJump));
+                                CodeLocationLabel linkedDone = linkBuffer.locationOf(done);
+
+                                // FIXME: Need a story for exceptions in FTL-B3. That basically means
+                                // doing a lookup of the exception entrypoint here. We will have an
+                                // OSR exit data structure of some sort.
+                                // https://bugs.webkit.org/show_bug.cgi?id=151686
+                                CodeLocationLabel exceptionTarget;
+                                CallSiteIndex callSiteIndex =
+                                    jitCode->common.addUniqueCallSiteIndex(origin);
                                     
-                                    std::unique_ptr<LazySlowPath> lazySlowPath =
-                                        std::make_unique<LazySlowPath>(
-                                            linkedPatchableJump, linkedDone, exceptionTarget,
-                                            usedRegisters, callSiteIndex, generator);
+                                std::unique_ptr<LazySlowPath> lazySlowPath =
+                                    std::make_unique<LazySlowPath>(
+                                        linkedPatchableJump, linkedDone, exceptionTarget,
+                                        usedRegisters, callSiteIndex, generator);
                                     
-                                    jitCode->lazySlowPaths[index] = WTF::move(lazySlowPath);
-                                });
-                        }));
+                                jitCode->lazySlowPaths[index] = WTF::move(lazySlowPath);
+                            });
+                    });
             });
         return result;
@@ -9214 +9350 @@
     }
 
+#if !FTL_USES_B3
     void appendOSRExitArgumentsForPatchpointIfWillCatchException(StackmapArgumentList& arguments, ExceptionType exceptionType, unsigned offsetOfExitArguments)
     {
@@ -9231 +9368 @@
 
         StackmapArgumentList freshList =
-            buildExitArguments(exitDescriptor, exitDescriptorImpl, noValue(), offsetOfExitArguments);
+            buildExitArguments(exitDescriptor, exitDescriptorImpl.m_codeOrigin, noValue(), offsetOfExitArguments);
         arguments.appendVector(freshList);
     }
+#endif // !FTL_USES_B3
 
     bool emitBranchToOSRExitIfWillCatchException(LValue hadException)
@@ -9252 +9390 @@
     }
 
+
+#if FTL_USES_B3
+    OSRExitDescriptor* appendOSRExitDescriptor(FormattedValue lowValue, Node* highValue)
+    {
+        return &m_ftlState.jitCode->osrExitDescriptors.alloc(
+            lowValue.format(), m_graph.methodOfGettingAValueProfileFor(highValue),
+            availabilityMap().m_locals.numberOfArguments(),
+            availabilityMap().m_locals.numberOfLocals());
+    }
+#else // FTL_USES_B3
     OSRExitDescriptor* appendOSRExitDescriptor(ExitKind kind, ExceptionType exceptionType, FormattedValue lowValue, Node* highValue, NodeOrigin origin)
     {
@@ -9262 +9410 @@
         return &result;
     }
+#endif // FTL_USES_B3
     
     void appendOSRExit(
@@ -9329 +9478 @@
     void blessSpeculation(B3::CheckValue* value, ExitKind kind, FormattedValue lowValue, Node* highValue, NodeOrigin origin, bool isExceptionHandler = false)
     {
-        OSRExitDescriptor* exitDescriptor = appendOSRExitDescriptor(
-            kind, isExceptionHandler ? ExceptionType::CCallException : ExceptionType::None, lowValue,
-            highValue, origin);
-        OSRExitDescriptorImpl* exitDescriptorImpl = &m_ftlState.osrExitDescriptorImpls.last();
+        OSRExitDescriptor* exitDescriptor = appendOSRExitDescriptor(lowValue, highValue);
         
         unsigned offset = value->numChildren();
-        value->appendColdAnys(buildExitArguments(exitDescriptor, m_ftlState.osrExitDescriptorImpls.last(), lowValue));
+        value->appendColdAnys(buildExitArguments(exitDescriptor, origin.forExit, lowValue));
 
         State* state = &m_ftlState;
         value->setGenerator(
             [=] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
-                exitDescriptor->emitOSRExit(*state, exitDescriptorImpl, jit, params, offset);
+                exitDescriptor->emitOSRExit(
+                    *state, kind, origin, jit, params, offset, isExceptionHandler);
             });
     }
@@ -9348 +9495 @@
     void emitOSRExitCall(OSRExitDescriptor* exitDescriptor, FormattedValue lowValue)
     {
-        callStackmap(exitDescriptor, buildExitArguments(exitDescriptor, m_ftlState.osrExitDescriptorImpls.last(), lowValue));
+        callStackmap(exitDescriptor, buildExitArguments(exitDescriptor, m_ftlState.osrExitDescriptorImpls.last().m_codeOrigin, lowValue));
     }
 #endif
 
     StackmapArgumentList buildExitArguments(
-        OSRExitDescriptor* exitDescriptor, OSRExitDescriptorImpl& exitDescriptorImpl, FormattedValue lowValue,
+        OSRExitDescriptor* exitDescriptor, CodeOrigin exitOrigin, FormattedValue lowValue,
         unsigned offsetOfExitArgumentsInStackmapLocations = 0)
     {
         StackmapArgumentList result;
         buildExitArguments(
-            exitDescriptor, exitDescriptorImpl, result, lowValue, offsetOfExitArgumentsInStackmapLocations);
+            exitDescriptor, exitOrigin, result, lowValue, offsetOfExitArgumentsInStackmapLocations);
         return result;
     }
     
     void buildExitArguments(
-        OSRExitDescriptor* exitDescriptor, OSRExitDescriptorImpl& exitDescriptorImpl, StackmapArgumentList& arguments, FormattedValue lowValue,
+        OSRExitDescriptor* exitDescriptor, CodeOrigin exitOrigin, StackmapArgumentList& arguments, FormattedValue lowValue,
         unsigned offsetOfExitArgumentsInStackmapLocations = 0)
     {
@@ -9370 +9517 @@
         
         AvailabilityMap availabilityMap = this->availabilityMap();
-        availabilityMap.pruneByLiveness(m_graph, exitDescriptorImpl.m_codeOrigin);
+        availabilityMap.pruneByLiveness(m_graph, exitOrigin);
         
         HashMap<Node*, ExitTimeObjectMaterialization*> map;
@@ -9397 +9544 @@
                 DFG_ASSERT(
                     m_graph, m_node,
-                    (!(availability.isDead() && m_graph.isLiveInBytecode(VirtualRegister(operand), exitDescriptorImpl.m_codeOrigin))) || m_graph.m_plan.mode == FTLForOSREntryMode);
+                    (!(availability.isDead() && m_graph.isLiveInBytecode(VirtualRegister(operand), exitOrigin))) || m_graph.m_plan.mode == FTLForOSREntryMode);
             }
             ExitValue exitValue = exitValueForAvailability(arguments, map, availability);
@@ -9476 +9623 @@
         Node* node)
     {
+        // NOTE: In FTL->B3, we cannot generate code here, because m_output is positioned after the
+        // stackmap value. Like all values, the stackmap value cannot use a child that is defined after
+        // it.
+        
         ASSERT(node->shouldGenerate());
         ASSERT(node->hasResult());
@@ -9523 +9674 @@
         
         value = m_booleanValues.get(node);
+#if FTL_USES_B3
+        if (isValid(value))
+            return exitArgument(arguments, DataFormatBoolean, value.value());
+#else // FTL_USES_B3
         if (isValid(value)) {
             LValue valueToPass = m_out.zeroExt(value.value(), m_out.int32);
             return exitArgument(arguments, DataFormatBoolean, valueToPass);
         }
+#endif // FTL_USES_B3
         
         value = m_jsValueValues.get(node);