Changeset 225129 in webkit for trunk/Source/JavaScriptCore/tools

Timestamp:

Nov 24, 2017, 2:58:16 AM (8 years ago)

Author:

[email protected]

Message:

Move unsafe jsc shell test functions to the $vm object.
​https://bugs.webkit.org/show_bug.cgi?id=179980

Reviewed by Yusuke Suzuki.

JSTests:

• controlFlowProfiler/driver/driver.js:
• controlFlowProfiler/execution-count.js:
• controlFlowProfiler/if-statement.js:
• controlFlowProfiler/loop-statements.js:
• controlFlowProfiler/switch-statements.js:
• controlFlowProfiler/test-jit.js:
• exceptionFuzz/3d-cube.js:
• exceptionFuzz/date-format-xparb.js:
• exceptionFuzz/earley-boyer.js:
• heapProfiler/basic-edges.js:
• heapProfiler/property-edge-types.js:
• microbenchmarks/try-get-by-id-basic.js:
• microbenchmarks/try-get-by-id-polymorphic.js:
• modules/namespace-object-try-get.js:
• stress/argument-count-bytecode.js:
• stress/argument-intrinsic-basic.js:
• stress/argument-intrinsic-inlining-use-caller-arg.js:
• stress/argument-intrinsic-inlining-with-result-escape.js:
• stress/argument-intrinsic-inlining-with-vararg-with-enough-arguments.js:
• stress/argument-intrinsic-inlining-with-vararg.js:
• stress/argument-intrinsic-nested-inlining.js:
• stress/argument-intrinsic-not-convert-to-get-argument.js:
• stress/argument-intrinsic-with-stack-write.js:
• stress/arity-mismatch-get-argument.js:
• stress/array-message-passing.js:
• stress/array-push-with-force-exit.js:
• stress/check-dom-with-signature.js:
• stress/check-sub-class.js:
• stress/compare-eq-incomplete-profile.js:
• stress/custom-get-set-inline-caching-one-level-up-proto-chain.js:
• stress/do-eval-virtual-call-correctly.js:
• stress/dom-jit-with-poly-proto.js:
• stress/domjit-exception-ic.js:
• stress/domjit-exception.js:
• stress/domjit-getter-complex-with-incorrect-object.js:
• stress/domjit-getter-complex.js:
• stress/domjit-getter-poly.js:
• stress/domjit-getter-proto.js:
• stress/domjit-getter-super-poly.js:
• stress/domjit-getter-try-catch-getter-as-get-by-id-register-restoration.js:
• stress/domjit-getter-type-check.js:
• stress/domjit-getter.js:
• stress/exit-during-inlined-arity-fixup-recover-proper-frame.js:
• stress/for-in-proxy-target-changed-structure.js:
• stress/for-in-proxy.js:
• stress/generational-opaque-roots.js:
• stress/global-const-redeclaration-setting-2.js:
• stress/global-const-redeclaration-setting-3.js:
• stress/global-const-redeclaration-setting-4.js:
• stress/global-const-redeclaration-setting-5.js:
• stress/global-const-redeclaration-setting.js:
• stress/import-basic.js:
• stress/import-from-eval.js:
• stress/import-reject-with-exception.js:
• stress/import-syntax.js:
• stress/impure-get-own-property-slot-inline-cache.js:
• stress/is-constructor.js:
• stress/istypedarrayview-intrinsic.js:
• stress/jsc-setImpureGetterDelegate-on-bad-type.js:
• stress/jsc-test-functions-should-be-more-robust.js:
• stress/object-toString-with-proxy.js:
• stress/poly-proto-custom-value-and-accessor.js:
• stress/proxy-inline-cache.js:
• stress/re-execute-error-module.js:
• stress/regress-150532.js:
• stress/regress-156992.js:
• stress/regress-179619.js:
• stress/resources/shadow-chicken-support.js:
• stress/runtime-array.js:
• stress/sampling-profiler-microtasks.js:
• stress/shadow-chicken-enabled.js:
• stress/spread-correct-global-object-on-exception.js:
• stress/super-get-by-id.js:
• stress/tailCallForwardArguments.js:
• stress/to-object-intrinsic-boolean-edge.js:
• stress/to-object-intrinsic-null-or-undefined-edge.js:
• stress/to-object-intrinsic-number-edge.js:
• stress/to-object-intrinsic-object-edge.js:
• stress/to-object-intrinsic-string-edge.js:
• stress/to-object-intrinsic-symbol-edge.js:
• stress/to-object-intrinsic.js:
• stress/try-catch-custom-getter-as-get-by-id.js:
• stress/try-get-by-id-poly-proto.js:
• stress/try-get-by-id-should-spill-registers-dfg.js:
• stress/try-get-by-id.js:
• typeProfiler/arrow-functions.js:
• typeProfiler/basic.js:
• typeProfiler/captured.js:
• typeProfiler/classes.js:
• typeProfiler/dfg-jit-optimizations.js:
• typeProfiler/dictionary-mode.js:
• typeProfiler/es6-block-scoping.js:
• typeProfiler/es6-classes.js:
• typeProfiler/inheritance.js:
• typeProfiler/int52-dfg.js:
• typeProfiler/loop.js:
• typeProfiler/optional-fields.js:
• typeProfiler/overflow.js:
• typeProfiler/return.js:
• typeProfiler/symbol.js:
• typeProfiler/weird-prototype-chain.js:

Source/JavaScriptCore:

Also removed setElementRoot() which was not used.

• jsc.cpp:

(GlobalObject::finishCreation):
(WTF::Element::Element): Deleted.
(WTF::Element::root const): Deleted.
(WTF::Element::setRoot): Deleted.
(WTF::Element::create): Deleted.
(WTF::Element::visitChildren): Deleted.
(WTF::Element::createStructure): Deleted.
(WTF::Root::Root): Deleted.
(WTF::Root::element): Deleted.
(WTF::Root::setElement): Deleted.
(WTF::Root::create): Deleted.
(WTF::Root::createStructure): Deleted.
(WTF::Root::visitChildren): Deleted.
(WTF::ImpureGetter::ImpureGetter): Deleted.
(WTF::ImpureGetter::createStructure): Deleted.
(WTF::ImpureGetter::create): Deleted.
(WTF::ImpureGetter::finishCreation): Deleted.
(WTF::ImpureGetter::getOwnPropertySlot): Deleted.
(WTF::ImpureGetter::visitChildren): Deleted.
(WTF::ImpureGetter::setDelegate): Deleted.
(WTF::CustomGetter::CustomGetter): Deleted.
(WTF::CustomGetter::createStructure): Deleted.
(WTF::CustomGetter::create): Deleted.
(WTF::CustomGetter::getOwnPropertySlot): Deleted.
(WTF::CustomGetter::customGetter): Deleted.
(WTF::CustomGetter::customGetterAcessor): Deleted.
(WTF::RuntimeArray::create): Deleted.
(WTF::RuntimeArray::~RuntimeArray): Deleted.
(WTF::RuntimeArray::destroy): Deleted.
(WTF::RuntimeArray::getOwnPropertySlot): Deleted.
(WTF::RuntimeArray::getOwnPropertySlotByIndex): Deleted.
(WTF::RuntimeArray::put): Deleted.
(WTF::RuntimeArray::deleteProperty): Deleted.
(WTF::RuntimeArray::getLength const): Deleted.
(WTF::RuntimeArray::createPrototype): Deleted.
(WTF::RuntimeArray::createStructure): Deleted.
(WTF::RuntimeArray::finishCreation): Deleted.
(WTF::RuntimeArray::RuntimeArray): Deleted.
(WTF::RuntimeArray::lengthGetter): Deleted.
(WTF::SimpleObject::SimpleObject): Deleted.
(WTF::SimpleObject::create): Deleted.
(WTF::SimpleObject::visitChildren): Deleted.
(WTF::SimpleObject::createStructure): Deleted.
(WTF::SimpleObject::hiddenValue): Deleted.
(WTF::SimpleObject::setHiddenValue): Deleted.
(WTF::DOMJITNode::DOMJITNode): Deleted.
(WTF::DOMJITNode::createStructure): Deleted.
(WTF::DOMJITNode::checkSubClassSnippet): Deleted.
(WTF::DOMJITNode::create): Deleted.
(WTF::DOMJITNode::value const): Deleted.
(WTF::DOMJITNode::offsetOfValue): Deleted.
(WTF::DOMJITGetter::DOMJITGetter): Deleted.
(WTF::DOMJITGetter::createStructure): Deleted.
(WTF::DOMJITGetter::create): Deleted.
(WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): Deleted.
(WTF::DOMJITGetter::DOMJITAttribute::slowCall): Deleted.
(WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter): Deleted.
(WTF::DOMJITGetter::customGetter): Deleted.
(WTF::DOMJITGetter::finishCreation): Deleted.
(WTF::DOMJITGetterComplex::DOMJITGetterComplex): Deleted.
(WTF::DOMJITGetterComplex::createStructure): Deleted.
(WTF::DOMJITGetterComplex::create): Deleted.
(WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): Deleted.
(WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall): Deleted.
(WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): Deleted.
(WTF::DOMJITGetterComplex::functionEnableException): Deleted.
(WTF::DOMJITGetterComplex::customGetter): Deleted.
(WTF::DOMJITGetterComplex::finishCreation): Deleted.
(WTF::DOMJITFunctionObject::DOMJITFunctionObject): Deleted.
(WTF::DOMJITFunctionObject::createStructure): Deleted.
(WTF::DOMJITFunctionObject::create): Deleted.
(WTF::DOMJITFunctionObject::safeFunction): Deleted.
(WTF::DOMJITFunctionObject::unsafeFunction): Deleted.
(WTF::DOMJITFunctionObject::checkSubClassSnippet): Deleted.
(WTF::DOMJITFunctionObject::finishCreation): Deleted.
(WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): Deleted.
(WTF::DOMJITCheckSubClassObject::createStructure): Deleted.
(WTF::DOMJITCheckSubClassObject::create): Deleted.
(WTF::DOMJITCheckSubClassObject::safeFunction): Deleted.
(WTF::DOMJITCheckSubClassObject::unsafeFunction): Deleted.
(WTF::DOMJITCheckSubClassObject::finishCreation): Deleted.
(WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): Deleted.
(WTF::DOMJITGetterBaseJSObject::createStructure): Deleted.
(WTF::DOMJITGetterBaseJSObject::create): Deleted.
(WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): Deleted.
(WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): Deleted.
(WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): Deleted.
(WTF::DOMJITGetterBaseJSObject::customGetter): Deleted.
(WTF::DOMJITGetterBaseJSObject::finishCreation): Deleted.
(WTF::Element::handleOwner): Deleted.
(WTF::Element::finishCreation): Deleted.
(JSTestCustomGetterSetter::JSTestCustomGetterSetter): Deleted.
(JSTestCustomGetterSetter::create): Deleted.
(JSTestCustomGetterSetter::createStructure): Deleted.
(customGetAccessor): Deleted.
(customGetValue): Deleted.
(customSetAccessor): Deleted.
(customSetValue): Deleted.
(JSTestCustomGetterSetter::finishCreation): Deleted.
(GlobalObject::addConstructableFunction): Deleted.
(functionCreateRoot): Deleted.
(functionCreateElement): Deleted.
(functionGetElement): Deleted.
(functionSetElementRoot): Deleted.
(functionCreateSimpleObject): Deleted.
(functionGetHiddenValue): Deleted.
(functionSetHiddenValue): Deleted.
(functionCreateProxy): Deleted.
(functionCreateRuntimeArray): Deleted.
(functionCreateImpureGetter): Deleted.
(functionCreateCustomGetterObject): Deleted.
(functionCreateDOMJITNodeObject): Deleted.
(functionCreateDOMJITGetterObject): Deleted.
(functionCreateDOMJITGetterComplexObject): Deleted.
(functionCreateDOMJITFunctionObject): Deleted.
(functionCreateDOMJITCheckSubClassObject): Deleted.
(functionCreateDOMJITGetterBaseJSObject): Deleted.
(functionSetImpureGetterDelegate): Deleted.
(functionGetGetterSetter): Deleted.
(functionShadowChickenFunctionsOnStack): Deleted.
(functionSetGlobalConstRedeclarationShouldNotThrow): Deleted.
(functionGlobalObjectForObject): Deleted.
(functionLoadGetterFromGetterSetter): Deleted.
(functionCreateCustomTestGetterSetter): Deleted.
(functionAbort): Deleted.
(functionFindTypeForExpression): Deleted.
(functionReturnTypeFor): Deleted.
(functionDumpBasicBlockExecutionRanges): Deleted.
(functionHasBasicBlockExecuted): Deleted.
(functionBasicBlockExecutionCount): Deleted.
(functionEnableExceptionFuzz): Deleted.
(functionCreateBuiltin): Deleted.

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::init):

• tools/JSDollarVM.cpp:

(WTF::Element::Element):
(WTF::Element::root const):
(WTF::Element::setRoot):
(WTF::Element::create):
(WTF::Element::visitChildren):
(WTF::Element::createStructure):
(WTF::Root::Root):
(WTF::Root::element):
(WTF::Root::setElement):
(WTF::Root::create):
(WTF::Root::createStructure):
(WTF::Root::visitChildren):
(WTF::SimpleObject::SimpleObject):
(WTF::SimpleObject::create):
(WTF::SimpleObject::visitChildren):
(WTF::SimpleObject::createStructure):
(WTF::SimpleObject::hiddenValue):
(WTF::SimpleObject::setHiddenValue):
(WTF::ImpureGetter::ImpureGetter):
(WTF::ImpureGetter::createStructure):
(WTF::ImpureGetter::create):
(WTF::ImpureGetter::finishCreation):
(WTF::ImpureGetter::getOwnPropertySlot):
(WTF::ImpureGetter::visitChildren):
(WTF::ImpureGetter::setDelegate):
(WTF::CustomGetter::CustomGetter):
(WTF::CustomGetter::createStructure):
(WTF::CustomGetter::create):
(WTF::CustomGetter::getOwnPropertySlot):
(WTF::CustomGetter::customGetter):
(WTF::CustomGetter::customGetterAcessor):
(WTF::RuntimeArray::create):
(WTF::RuntimeArray::~RuntimeArray):
(WTF::RuntimeArray::destroy):
(WTF::RuntimeArray::getOwnPropertySlot):
(WTF::RuntimeArray::getOwnPropertySlotByIndex):
(WTF::RuntimeArray::put):
(WTF::RuntimeArray::deleteProperty):
(WTF::RuntimeArray::getLength const):
(WTF::RuntimeArray::createPrototype):
(WTF::RuntimeArray::createStructure):
(WTF::RuntimeArray::finishCreation):
(WTF::RuntimeArray::RuntimeArray):
(WTF::RuntimeArray::lengthGetter):
(WTF::DOMJITNode::DOMJITNode):
(WTF::DOMJITNode::createStructure):
(WTF::DOMJITNode::checkSubClassSnippet):
(WTF::DOMJITNode::create):
(WTF::DOMJITNode::value const):
(WTF::DOMJITNode::offsetOfValue):
(WTF::DOMJITGetter::DOMJITGetter):
(WTF::DOMJITGetter::createStructure):
(WTF::DOMJITGetter::create):
(WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
(WTF::DOMJITGetter::DOMJITAttribute::slowCall):
(WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
(WTF::DOMJITGetter::customGetter):
(WTF::DOMJITGetter::finishCreation):
(WTF::DOMJITGetterComplex::DOMJITGetterComplex):
(WTF::DOMJITGetterComplex::createStructure):
(WTF::DOMJITGetterComplex::create):
(WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
(WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
(WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
(WTF::DOMJITGetterComplex::functionEnableException):
(WTF::DOMJITGetterComplex::customGetter):
(WTF::DOMJITGetterComplex::finishCreation):
(WTF::DOMJITFunctionObject::DOMJITFunctionObject):
(WTF::DOMJITFunctionObject::createStructure):
(WTF::DOMJITFunctionObject::create):
(WTF::DOMJITFunctionObject::safeFunction):
(WTF::DOMJITFunctionObject::unsafeFunction):
(WTF::DOMJITFunctionObject::checkSubClassSnippet):
(WTF::DOMJITFunctionObject::finishCreation):
(WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
(WTF::DOMJITCheckSubClassObject::createStructure):
(WTF::DOMJITCheckSubClassObject::create):
(WTF::DOMJITCheckSubClassObject::safeFunction):
(WTF::DOMJITCheckSubClassObject::unsafeFunction):
(WTF::DOMJITCheckSubClassObject::finishCreation):
(WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
(WTF::DOMJITGetterBaseJSObject::createStructure):
(WTF::DOMJITGetterBaseJSObject::create):
(WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
(WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
(WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
(WTF::DOMJITGetterBaseJSObject::customGetter):
(WTF::DOMJITGetterBaseJSObject::finishCreation):
(WTF::Message::releaseContents):
(WTF::Message::index const):
(WTF::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
(WTF::JSTestCustomGetterSetter::create):
(WTF::JSTestCustomGetterSetter::createStructure):
(WTF::customGetAccessor):
(WTF::customGetValue):
(WTF::customSetAccessor):
(WTF::customSetValue):
(WTF::JSTestCustomGetterSetter::finishCreation):
(WTF::Element::handleOwner):
(WTF::Element::finishCreation):
(JSC::functionCrash):
(JSC::functionCreateProxy):
(JSC::functionCreateRuntimeArray):
(JSC::functionCreateImpureGetter):
(JSC::functionCreateCustomGetterObject):
(JSC::functionCreateDOMJITNodeObject):
(JSC::functionCreateDOMJITGetterObject):
(JSC::functionCreateDOMJITGetterComplexObject):
(JSC::functionCreateDOMJITFunctionObject):
(JSC::functionCreateDOMJITCheckSubClassObject):
(JSC::functionCreateDOMJITGetterBaseJSObject):
(JSC::functionSetImpureGetterDelegate):
(JSC::functionCreateBuiltin):
(JSC::functionCreateRoot):
(JSC::functionCreateElement):
(JSC::functionGetElement):
(JSC::functionCreateSimpleObject):
(JSC::functionGetHiddenValue):
(JSC::functionSetHiddenValue):
(JSC::functionShadowChickenFunctionsOnStack):
(JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
(JSC::functionFindTypeForExpression):
(JSC::functionReturnTypeFor):
(JSC::functionDumpBasicBlockExecutionRanges):
(JSC::functionHasBasicBlockExecuted):
(JSC::functionBasicBlockExecutionCount):
(JSC::functionEnableExceptionFuzz):
(JSC::functionGlobalObjectForObject):
(JSC::functionGetGetterSetter):
(JSC::functionLoadGetterFromGetterSetter):
(JSC::functionCreateCustomTestGetterSetter):
(JSC::JSDollarVM::finishCreation):
(JSC::JSDollarVM::addFunction):
(JSC::JSDollarVM::addConstructibleFunction):

• tools/JSDollarVM.h:

(JSC::JSDollarVM::create):

Tools:

Always set --useDollarVM=true for jsc runs of benchmarks. This is needed because
some microbenchmarks relies on createBuiltin().

Also set --useDollarVM=true for runExceptionFuzz and runExecutableAllocationFuzz.

• Scripts/run-jsc-benchmarks:
• Scripts/run-jsc-stress-tests:

LayoutTests:

• js/script-tests/stack-trace.js:
• js/stack-trace-expected.txt:

Location:

trunk/Source/JavaScriptCore/tools

Files:

• JSDollarVM.cpp (modified) (4 diffs)
• JSDollarVM.h (modified) (2 diffs)

trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp

@@ -27 +27 @@
 #include "JSDollarVM.h"
 
+#include "BuiltinExecutableCreator.h"
 #include "CodeBlock.h"
+#include "DOMAttributeGetterSetter.h"
+#include "DOMJITGetterSetter.h"
+#include "FrameTracers.h"
 #include "FunctionCodeBlock.h"
+#include "GetterSetter.h"
+#include "JSArray.h"
 #include "JSArrayBuffer.h"
 #include "JSCInlines.h"
+#include "JSFunction.h"
+#include "JSONObject.h"
+#include "JSProxy.h"
+#include "JSString.h"
+#include "ShadowChicken.h"
+#include "Snippet.h"
+#include "SnippetParams.h"
+#include "TypeProfiler.h"
+#include "TypeProfilerLog.h"
 #include "VMInspector.h"
 #include <wtf/Atomics.h>
@@ -37 +52 @@
 #include <wtf/StringPrintStream.h>
 
+using namespace JSC;
+using namespace WTF;
+
+namespace {
+
+class ElementHandleOwner;
+class Root;
+
+class Element : public JSNonFinalObject {
+public:
+    Element(VM& vm, Structure* structure)
+        : Base(vm, structure)
+    {
+    }
+
+    typedef JSNonFinalObject Base;
+
+    Root* root() const { return m_root.get(); }
+    void setRoot(VM& vm, Root* root) { m_root.set(vm, this, root); }
+
+    static Element* create(VM& vm, JSGlobalObject* globalObject, Root* root)
+    {
+        Structure* structure = createStructure(vm, globalObject, jsNull());
+        Element* element = new (NotNull, allocateCell<Element>(vm.heap, sizeof(Element))) Element(vm, structure);
+        element->finishCreation(vm, root);
+        return element;
+    }
+
+    void finishCreation(VM&, Root*);
+
+    static void visitChildren(JSCell* cell, SlotVisitor& visitor)
+    {
+        Element* thisObject = jsCast<Element*>(cell);
+        ASSERT_GC_OBJECT_INHERITS(thisObject, info());
+        Base::visitChildren(thisObject, visitor);
+        visitor.append(thisObject->m_root);
+    }
+
+    static ElementHandleOwner* handleOwner();
+
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+    {
+        return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
+    }
+
+    DECLARE_INFO;
+
+private:
+    WriteBarrier<Root> m_root;
+};
+
+class ElementHandleOwner : public WeakHandleOwner {
+public:
+    bool isReachableFromOpaqueRoots(Handle<JSC::Unknown> handle, void*, SlotVisitor& visitor) override
+    {
+        Element* element = jsCast<Element*>(handle.slot()->asCell());
+        return visitor.containsOpaqueRoot(element->root());
+    }
+};
+
+class Root : public JSDestructibleObject {
+public:
+    Root(VM& vm, Structure* structure)
+        : Base(vm, structure)
+    {
+    }
+
+    Element* element()
+    {
+        return m_element.get();
+    }
+
+    void setElement(Element* element)
+    {
+        Weak<Element> newElement(element, Element::handleOwner());
+        m_element.swap(newElement);
+    }
+
+    static Root* create(VM& vm, JSGlobalObject* globalObject)
+    {
+        Structure* structure = createStructure(vm, globalObject, jsNull());
+        Root* root = new (NotNull, allocateCell<Root>(vm.heap, sizeof(Root))) Root(vm, structure);
+        root->finishCreation(vm);
+        return root;
+    }
+
+    typedef JSDestructibleObject Base;
+
+    DECLARE_INFO;
+
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+    {
+        return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
+    }
+
+    static void visitChildren(JSCell* thisObject, SlotVisitor& visitor)
+    {
+        Base::visitChildren(thisObject, visitor);
+        visitor.addOpaqueRoot(thisObject);
+    }
+
+private:
+    Weak<Element> m_element;
+};
+
+class SimpleObject : public JSNonFinalObject {
+public:
+    SimpleObject(VM& vm, Structure* structure)
+        : Base(vm, structure)
+    {
+    }
+
+    typedef JSNonFinalObject Base;
+    static const bool needsDestruction = false;
+
+    static SimpleObject* create(VM& vm, JSGlobalObject* globalObject)
+    {
+        Structure* structure = createStructure(vm, globalObject, jsNull());
+        SimpleObject* simpleObject = new (NotNull, allocateCell<SimpleObject>(vm.heap, sizeof(SimpleObject))) SimpleObject(vm, structure);
+        simpleObject->finishCreation(vm);
+        return simpleObject;
+    }
+
+    static void visitChildren(JSCell* cell, SlotVisitor& visitor)
+    {
+        SimpleObject* thisObject = jsCast<SimpleObject*>(cell);
+        ASSERT_GC_OBJECT_INHERITS(thisObject, info());
+        Base::visitChildren(thisObject, visitor);
+        visitor.append(thisObject->m_hiddenValue);
+    }
+
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+    {
+        return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
+    }
+
+    JSValue hiddenValue()
+    {
+        return m_hiddenValue.get();
+    }
+
+    void setHiddenValue(VM& vm, JSValue value)
+    {
+        ASSERT(value.isCell());
+        m_hiddenValue.set(vm, this, value);
+    }
+
+    DECLARE_INFO;
+
+private:
+    WriteBarrier<JSC::Unknown> m_hiddenValue;
+};
+
+class ImpureGetter : public JSNonFinalObject {
+public:
+    ImpureGetter(VM& vm, Structure* structure)
+        : Base(vm, structure)
+    {
+    }
+
+    DECLARE_INFO;
+    typedef JSNonFinalObject Base;
+    static const unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpure | JSC::OverridesGetOwnPropertySlot;
+
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+    {
+        return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
+    }
+
+    static ImpureGetter* create(VM& vm, Structure* structure, JSObject* delegate)
+    {
+        ImpureGetter* getter = new (NotNull, allocateCell<ImpureGetter>(vm.heap, sizeof(ImpureGetter))) ImpureGetter(vm, structure);
+        getter->finishCreation(vm, delegate);
+        return getter;
+    }
+
+    void finishCreation(VM& vm, JSObject* delegate)
+    {
+        Base::finishCreation(vm);
+        if (delegate)
+            m_delegate.set(vm, this, delegate);
+    }
+
+    static bool getOwnPropertySlot(JSObject* object, ExecState* exec, PropertyName name, PropertySlot& slot)
+    {
+        VM& vm = exec->vm();
+        auto scope = DECLARE_THROW_SCOPE(vm);
+        ImpureGetter* thisObject = jsCast<ImpureGetter*>(object);
+        
+        if (thisObject->m_delegate) {
+            if (thisObject->m_delegate->getPropertySlot(exec, name, slot))
+                return true;
+            RETURN_IF_EXCEPTION(scope, false);
+        }
+
+        return Base::getOwnPropertySlot(object, exec, name, slot);
+    }
+
+    static void visitChildren(JSCell* cell, SlotVisitor& visitor)
+    {
+        Base::visitChildren(cell, visitor);
+        ImpureGetter* thisObject = jsCast<ImpureGetter*>(cell);
+        visitor.append(thisObject->m_delegate);
+    }
+
+    void setDelegate(VM& vm, JSObject* delegate)
+    {
+        m_delegate.set(vm, this, delegate);
+    }
+
+private:
+    WriteBarrier<JSObject> m_delegate;
+};
+
+class CustomGetter : public JSNonFinalObject {
+public:
+    CustomGetter(VM& vm, Structure* structure)
+        : Base(vm, structure)
+    {
+    }
+
+    DECLARE_INFO;
+    typedef JSNonFinalObject Base;
+    static const unsigned StructureFlags = Base::StructureFlags | JSC::OverridesGetOwnPropertySlot;
+
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+    {
+        return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
+    }
+
+    static CustomGetter* create(VM& vm, Structure* structure)
+    {
+        CustomGetter* getter = new (NotNull, allocateCell<CustomGetter>(vm.heap, sizeof(CustomGetter))) CustomGetter(vm, structure);
+        getter->finishCreation(vm);
+        return getter;
+    }
+
+    static bool getOwnPropertySlot(JSObject* object, ExecState* exec, PropertyName propertyName, PropertySlot& slot)
+    {
+        CustomGetter* thisObject = jsCast<CustomGetter*>(object);
+        if (propertyName == PropertyName(Identifier::fromString(exec, "customGetter"))) {
+            slot.setCacheableCustom(thisObject, PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum, thisObject->customGetter);
+            return true;
+        }
+        
+        if (propertyName == PropertyName(Identifier::fromString(exec, "customGetterAccessor"))) {
+            slot.setCacheableCustom(thisObject, PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum | PropertyAttribute::CustomAccessor, thisObject->customGetterAcessor);
+            return true;
+        }
+        
+        return JSObject::getOwnPropertySlot(thisObject, exec, propertyName, slot);
+    }
+
+private:
+    static EncodedJSValue customGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName)
+    {
+        VM& vm = exec->vm();
+        auto scope = DECLARE_THROW_SCOPE(vm);
+
+        CustomGetter* thisObject = jsDynamicCast<CustomGetter*>(vm, JSValue::decode(thisValue));
+        if (!thisObject)
+            return throwVMTypeError(exec, scope);
+        bool shouldThrow = thisObject->get(exec, PropertyName(Identifier::fromString(exec, "shouldThrow"))).toBoolean(exec);
+        RETURN_IF_EXCEPTION(scope, encodedJSValue());
+        if (shouldThrow)
+            return throwVMTypeError(exec, scope);
+        return JSValue::encode(jsNumber(100));
+    }
+    
+    static EncodedJSValue customGetterAcessor(ExecState* exec, EncodedJSValue thisValue, PropertyName)
+    {
+        VM& vm = exec->vm();
+        auto scope = DECLARE_THROW_SCOPE(vm);
+        
+        JSObject* thisObject = jsDynamicCast<JSObject*>(vm, JSValue::decode(thisValue));
+        if (!thisObject)
+            return throwVMTypeError(exec, scope);
+        bool shouldThrow = thisObject->get(exec, PropertyName(Identifier::fromString(exec, "shouldThrow"))).toBoolean(exec);
+        RETURN_IF_EXCEPTION(scope, encodedJSValue());
+        if (shouldThrow)
+            return throwVMTypeError(exec, scope);
+        return JSValue::encode(jsNumber(100));
+    }
+};
+
+class RuntimeArray : public JSArray {
+public:
+    typedef JSArray Base;
+    static const unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | OverridesGetPropertyNames;
+
+    static RuntimeArray* create(ExecState* exec)
+    {
+        VM& vm = exec->vm();
+        JSGlobalObject* globalObject = exec->lexicalGlobalObject();
+        Structure* structure = createStructure(vm, globalObject, createPrototype(vm, globalObject));
+        RuntimeArray* runtimeArray = new (NotNull, allocateCell<RuntimeArray>(vm.heap)) RuntimeArray(exec, structure);
+        runtimeArray->finishCreation(exec);
+        vm.heap.addFinalizer(runtimeArray, destroy);
+        return runtimeArray;
+    }
+
+    ~RuntimeArray() { }
+
+    static void destroy(JSCell* cell)
+    {
+        static_cast<RuntimeArray*>(cell)->RuntimeArray::~RuntimeArray();
+    }
+
+    static const bool needsDestruction = false;
+
+    static bool getOwnPropertySlot(JSObject* object, ExecState* exec, PropertyName propertyName, PropertySlot& slot)
+    {
+        VM& vm = exec->vm();
+        RuntimeArray* thisObject = jsCast<RuntimeArray*>(object);
+        if (propertyName == vm.propertyNames->length) {
+            slot.setCacheableCustom(thisObject, PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum, thisObject->lengthGetter);
+            return true;
+        }
+
+        std::optional<uint32_t> index = parseIndex(propertyName);
+        if (index && index.value() < thisObject->getLength()) {
+            slot.setValue(thisObject, PropertyAttribute::DontDelete | PropertyAttribute::DontEnum, jsNumber(thisObject->m_vector[index.value()]));
+            return true;
+        }
+
+        return JSObject::getOwnPropertySlot(thisObject, exec, propertyName, slot);
+    }
+
+    static bool getOwnPropertySlotByIndex(JSObject* object, ExecState* exec, unsigned index, PropertySlot& slot)
+    {
+        RuntimeArray* thisObject = jsCast<RuntimeArray*>(object);
+        if (index < thisObject->getLength()) {
+            slot.setValue(thisObject, PropertyAttribute::DontDelete | PropertyAttribute::DontEnum, jsNumber(thisObject->m_vector[index]));
+            return true;
+        }
+
+        return JSObject::getOwnPropertySlotByIndex(thisObject, exec, index, slot);
+    }
+
+    static NO_RETURN_DUE_TO_CRASH bool put(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&)
+    {
+        RELEASE_ASSERT_NOT_REACHED();
+    }
+
+    static NO_RETURN_DUE_TO_CRASH bool deleteProperty(JSCell*, ExecState*, PropertyName)
+    {
+        RELEASE_ASSERT_NOT_REACHED();
+    }
+
+    unsigned getLength() const { return m_vector.size(); }
+
+    DECLARE_INFO;
+
+    static ArrayPrototype* createPrototype(VM&, JSGlobalObject* globalObject)
+    {
+        return globalObject->arrayPrototype();
+    }
+
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+    {
+        return Structure::create(vm, globalObject, prototype, TypeInfo(DerivedArrayType, StructureFlags), info(), ArrayClass);
+    }
+
+protected:
+    void finishCreation(ExecState* exec)
+    {
+        VM& vm = exec->vm();
+        Base::finishCreation(vm);
+        ASSERT(inherits(vm, info()));
+
+        for (size_t i = 0; i < exec->argumentCount(); i++)
+            m_vector.append(exec->argument(i).toInt32(exec));
+    }
+
+private:
+    RuntimeArray(ExecState* exec, Structure* structure)
+        : JSArray(exec->vm(), structure, 0)
+    {
+    }
+
+    static EncodedJSValue lengthGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName)
+    {
+        VM& vm = exec->vm();
+        auto scope = DECLARE_THROW_SCOPE(vm);
+
+        RuntimeArray* thisObject = jsDynamicCast<RuntimeArray*>(vm, JSValue::decode(thisValue));
+        if (!thisObject)
+            return throwVMTypeError(exec, scope);
+        return JSValue::encode(jsNumber(thisObject->getLength()));
+    }
+
+    Vector<int> m_vector;
+};
+
+class DOMJITNode : public JSNonFinalObject {
+public:
+    DOMJITNode(VM& vm, Structure* structure)
+        : Base(vm, structure)
+    {
+    }
+
+    DECLARE_INFO;
+    typedef JSNonFinalObject Base;
+    static const unsigned StructureFlags = Base::StructureFlags;
+
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+    {
+        return Structure::create(vm, globalObject, prototype, TypeInfo(JSC::JSType(LastJSCObjectType + 1), StructureFlags), info());
+    }
+
+#if ENABLE(JIT)
+    static Ref<Snippet> checkSubClassSnippet()
+    {
+        Ref<Snippet> snippet = Snippet::create();
+        snippet->setGenerator([=](CCallHelpers& jit, SnippetParams& params) {
+            CCallHelpers::JumpList failureCases;
+            failureCases.append(jit.branch8(
+                CCallHelpers::NotEqual,
+                CCallHelpers::Address(params[0].gpr(), JSCell::typeInfoTypeOffset()),
+                CCallHelpers::TrustedImm32(JSC::JSType(LastJSCObjectType + 1))));
+            return failureCases;
+        });
+        return snippet;
+    }
+#endif
+
+    static DOMJITNode* create(VM& vm, Structure* structure)
+    {
+        DOMJITNode* getter = new (NotNull, allocateCell<DOMJITNode>(vm.heap, sizeof(DOMJITNode))) DOMJITNode(vm, structure);
+        getter->finishCreation(vm);
+        return getter;
+    }
+
+    int32_t value() const
+    {
+        return m_value;
+    }
+
+    static ptrdiff_t offsetOfValue() { return OBJECT_OFFSETOF(DOMJITNode, m_value); }
+
+private:
+    int32_t m_value { 42 };
+};
+
+class DOMJITGetter : public DOMJITNode {
+public:
+    DOMJITGetter(VM& vm, Structure* structure)
+        : Base(vm, structure)
+    {
+    }
+
+    DECLARE_INFO;
+    typedef DOMJITNode Base;
+    static const unsigned StructureFlags = Base::StructureFlags;
+
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+    {
+        return Structure::create(vm, globalObject, prototype, TypeInfo(JSC::JSType(LastJSCObjectType + 1), StructureFlags), info());
+    }
+
+    static DOMJITGetter* create(VM& vm, Structure* structure)
+    {
+        DOMJITGetter* getter = new (NotNull, allocateCell<DOMJITGetter>(vm.heap, sizeof(DOMJITGetter))) DOMJITGetter(vm, structure);
+        getter->finishCreation(vm);
+        return getter;
+    }
+
+    class DOMJITAttribute : public DOMJIT::GetterSetter {
+    public:
+        constexpr DOMJITAttribute()
+            : DOMJIT::GetterSetter(
+                DOMJITGetter::customGetter,
+#if ENABLE(JIT)
+                &callDOMGetter,
+#else
+                nullptr,
+#endif
+                SpecInt32Only)
+        {
+        }
+
+#if ENABLE(JIT)
+        static EncodedJSValue JIT_OPERATION slowCall(ExecState* exec, void* pointer)
+        {
+            VM& vm = exec->vm();
+            NativeCallFrameTracer tracer(&vm, exec);
+            return JSValue::encode(jsNumber(static_cast<DOMJITGetter*>(pointer)->value()));
+        }
+
+        static Ref<DOMJIT::CallDOMGetterSnippet> callDOMGetter()
+        {
+            Ref<DOMJIT::CallDOMGetterSnippet> snippet = DOMJIT::CallDOMGetterSnippet::create();
+            snippet->requireGlobalObject = false;
+            snippet->setGenerator([=](CCallHelpers& jit, SnippetParams& params) {
+                JSValueRegs results = params[0].jsValueRegs();
+                GPRReg dom = params[1].gpr();
+                params.addSlowPathCall(jit.jump(), jit, slowCall, results, dom);
+                return CCallHelpers::JumpList();
+
+            });
+            return snippet;
+        }
+#endif
+    };
+
+private:
+    void finishCreation(VM&);
+
+    static EncodedJSValue customGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName)
+    {
+        VM& vm = exec->vm();
+        DOMJITNode* thisObject = jsDynamicCast<DOMJITNode*>(vm, JSValue::decode(thisValue));
+        ASSERT(thisObject);
+        return JSValue::encode(jsNumber(thisObject->value()));
+    }
+};
+
+static const DOMJITGetter::DOMJITAttribute DOMJITGetterDOMJIT;
+
+void DOMJITGetter::finishCreation(VM& vm)
+{
+    Base::finishCreation(vm);
+    const DOMJIT::GetterSetter* domJIT = &DOMJITGetterDOMJIT;
+    auto* customGetterSetter = DOMAttributeGetterSetter::create(vm, domJIT->getter(), nullptr, DOMAttributeAnnotation { DOMJITNode::info(), domJIT });
+    putDirectCustomAccessor(vm, Identifier::fromString(&vm, "customGetter"), customGetterSetter, PropertyAttribute::ReadOnly | PropertyAttribute::CustomAccessor);
+}
+
+class DOMJITGetterComplex : public DOMJITNode {
+public:
+    DOMJITGetterComplex(VM& vm, Structure* structure)
+        : Base(vm, structure)
+    {
+    }
+
+    DECLARE_INFO;
+    typedef DOMJITNode Base;
+    static const unsigned StructureFlags = Base::StructureFlags;
+
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+    {
+        return Structure::create(vm, globalObject, prototype, TypeInfo(JSC::JSType(LastJSCObjectType + 1), StructureFlags), info());
+    }
+
+    static DOMJITGetterComplex* create(VM& vm, JSGlobalObject* globalObject, Structure* structure)
+    {
+        DOMJITGetterComplex* getter = new (NotNull, allocateCell<DOMJITGetterComplex>(vm.heap, sizeof(DOMJITGetterComplex))) DOMJITGetterComplex(vm, structure);
+        getter->finishCreation(vm, globalObject);
+        return getter;
+    }
+
+    class DOMJITAttribute : public DOMJIT::GetterSetter {
+    public:
+        constexpr DOMJITAttribute()
+            : DOMJIT::GetterSetter(
+                DOMJITGetterComplex::customGetter,
+#if ENABLE(JIT)
+                &callDOMGetter,
+#else
+                nullptr,
+#endif
+                SpecInt32Only)
+        {
+        }
+
+#if ENABLE(JIT)
+        static EncodedJSValue JIT_OPERATION slowCall(ExecState* exec, void* pointer)
+        {
+            VM& vm = exec->vm();
+            NativeCallFrameTracer tracer(&vm, exec);
+            auto scope = DECLARE_THROW_SCOPE(vm);
+            auto* object = static_cast<DOMJITNode*>(pointer);
+            auto* domjitGetterComplex = jsDynamicCast<DOMJITGetterComplex*>(vm, object);
+            if (domjitGetterComplex) {
+                if (domjitGetterComplex->m_enableException)
+                    return JSValue::encode(throwException(exec, scope, createError(exec, ASCIILiteral("DOMJITGetterComplex slow call exception"))));
+            }
+            return JSValue::encode(jsNumber(object->value()));
+        }
+
+        static Ref<DOMJIT::CallDOMGetterSnippet> callDOMGetter()
+        {
+            Ref<DOMJIT::CallDOMGetterSnippet> snippet = DOMJIT::CallDOMGetterSnippet::create();
+            static_assert(GPRInfo::numberOfRegisters >= 4, "Number of registers should be larger or equal to 4.");
+            unsigned numGPScratchRegisters = GPRInfo::numberOfRegisters - 4;
+            snippet->numGPScratchRegisters = numGPScratchRegisters;
+            snippet->numFPScratchRegisters = 3;
+            snippet->setGenerator([=](CCallHelpers& jit, SnippetParams& params) {
+                JSValueRegs results = params[0].jsValueRegs();
+                GPRReg domGPR = params[1].gpr();
+                for (unsigned i = 0; i < numGPScratchRegisters; ++i)
+                    jit.move(CCallHelpers::TrustedImm32(42), params.gpScratch(i));
+
+                params.addSlowPathCall(jit.jump(), jit, slowCall, results, domGPR);
+                return CCallHelpers::JumpList();
+            });
+            return snippet;
+        }
+#endif
+    };
+
+private:
+    void finishCreation(VM&, JSGlobalObject*);
+
+    static EncodedJSValue JSC_HOST_CALL functionEnableException(ExecState* exec)
+    {
+        VM& vm = exec->vm();
+        auto* object = jsDynamicCast<DOMJITGetterComplex*>(vm, exec->thisValue());
+        if (object)
+            object->m_enableException = true;
+        return JSValue::encode(jsUndefined());
+    }
+
+    static EncodedJSValue customGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName)
+    {
+        VM& vm = exec->vm();
+        auto scope = DECLARE_THROW_SCOPE(vm);
+
+        auto* thisObject = jsDynamicCast<DOMJITGetterComplex*>(vm, JSValue::decode(thisValue));
+        ASSERT(thisObject);
+        if (thisObject->m_enableException)
+            return JSValue::encode(throwException(exec, scope, createError(exec, ASCIILiteral("DOMJITGetterComplex slow call exception"))));
+        return JSValue::encode(jsNumber(thisObject->value()));
+    }
+
+    bool m_enableException { false };
+};
+
+static const DOMJITGetterComplex::DOMJITAttribute DOMJITGetterComplexDOMJIT;
+
+void DOMJITGetterComplex::finishCreation(VM& vm, JSGlobalObject* globalObject)
+{
+    Base::finishCreation(vm);
+    const DOMJIT::GetterSetter* domJIT = &DOMJITGetterComplexDOMJIT;
+    auto* customGetterSetter = DOMAttributeGetterSetter::create(vm, domJIT->getter(), nullptr, DOMAttributeAnnotation { DOMJITGetterComplex::info(), domJIT });
+    putDirectCustomAccessor(vm, Identifier::fromString(&vm, "customGetter"), customGetterSetter, PropertyAttribute::ReadOnly | PropertyAttribute::CustomAccessor);
+    putDirectNativeFunction(vm, globalObject, Identifier::fromString(&vm, "enableException"), 0, functionEnableException, NoIntrinsic, 0);
+}
+
+class DOMJITFunctionObject : public DOMJITNode {
+public:
+    DOMJITFunctionObject(VM& vm, Structure* structure)
+        : Base(vm, structure)
+    {
+    }
+
+    DECLARE_INFO;
+    typedef DOMJITNode Base;
+    static const unsigned StructureFlags = Base::StructureFlags;
+
+
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+    {
+        return Structure::create(vm, globalObject, prototype, TypeInfo(JSC::JSType(LastJSCObjectType + 1), StructureFlags), info());
+    }
+
+    static DOMJITFunctionObject* create(VM& vm, JSGlobalObject* globalObject, Structure* structure)
+    {
+        DOMJITFunctionObject* object = new (NotNull, allocateCell<DOMJITFunctionObject>(vm.heap, sizeof(DOMJITFunctionObject))) DOMJITFunctionObject(vm, structure);
+        object->finishCreation(vm, globalObject);
+        return object;
+    }
+
+    static EncodedJSValue JSC_HOST_CALL safeFunction(ExecState* exec)
+    {
+        VM& vm = exec->vm();
+        auto scope = DECLARE_THROW_SCOPE(vm);
+
+        DOMJITNode* thisObject = jsDynamicCast<DOMJITNode*>(vm, exec->thisValue());
+        if (!thisObject)
+            return throwVMTypeError(exec, scope);
+        return JSValue::encode(jsNumber(thisObject->value()));
+    }
+
+    static EncodedJSValue JIT_OPERATION unsafeFunction(ExecState* exec, DOMJITNode* node)
+    {
+        VM& vm = exec->vm();
+        NativeCallFrameTracer tracer(&vm, exec);
+        return JSValue::encode(jsNumber(node->value()));
+    }
+
+#if ENABLE(JIT)
+    static Ref<Snippet> checkSubClassSnippet()
+    {
+        Ref<Snippet> snippet = Snippet::create();
+        snippet->numFPScratchRegisters = 1;
+        snippet->setGenerator([=](CCallHelpers& jit, SnippetParams& params) {
+            static const double value = 42.0;
+            CCallHelpers::JumpList failureCases;
+            // May use scratch registers.
+            jit.loadDouble(CCallHelpers::TrustedImmPtr(&value), params.fpScratch(0));
+            failureCases.append(jit.branch8(
+                CCallHelpers::NotEqual,
+                CCallHelpers::Address(params[0].gpr(), JSCell::typeInfoTypeOffset()),
+                CCallHelpers::TrustedImm32(JSC::JSType(LastJSCObjectType + 1))));
+            return failureCases;
+        });
+        return snippet;
+    }
+#endif
+
+private:
+    void finishCreation(VM&, JSGlobalObject*);
+};
+
+static const DOMJIT::Signature DOMJITFunctionObjectSignature((uintptr_t)DOMJITFunctionObject::unsafeFunction, DOMJITFunctionObject::info(), DOMJIT::Effect::forRead(DOMJIT::HeapRange::top()), SpecInt32Only);
+
+void DOMJITFunctionObject::finishCreation(VM& vm, JSGlobalObject* globalObject)
+{
+    Base::finishCreation(vm);
+    putDirectNativeFunction(vm, globalObject, Identifier::fromString(&vm, "func"), 0, safeFunction, NoIntrinsic, &DOMJITFunctionObjectSignature, static_cast<unsigned>(PropertyAttribute::ReadOnly));
+}
+
+class DOMJITCheckSubClassObject : public DOMJITNode {
+public:
+    DOMJITCheckSubClassObject(VM& vm, Structure* structure)
+        : Base(vm, structure)
+    {
+    }
+
+    DECLARE_INFO;
+    typedef DOMJITNode Base;
+    static const unsigned StructureFlags = Base::StructureFlags;
+
+
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+    {
+        return Structure::create(vm, globalObject, prototype, TypeInfo(JSC::JSType(LastJSCObjectType + 1), StructureFlags), info());
+    }
+
+    static DOMJITCheckSubClassObject* create(VM& vm, JSGlobalObject* globalObject, Structure* structure)
+    {
+        DOMJITCheckSubClassObject* object = new (NotNull, allocateCell<DOMJITCheckSubClassObject>(vm.heap, sizeof(DOMJITCheckSubClassObject))) DOMJITCheckSubClassObject(vm, structure);
+        object->finishCreation(vm, globalObject);
+        return object;
+    }
+
+    static EncodedJSValue JSC_HOST_CALL safeFunction(ExecState* exec)
+    {
+        VM& vm = exec->vm();
+        auto scope = DECLARE_THROW_SCOPE(vm);
+
+        auto* thisObject = jsDynamicCast<DOMJITCheckSubClassObject*>(vm, exec->thisValue());
+        if (!thisObject)
+            return throwVMTypeError(exec, scope);
+        return JSValue::encode(jsNumber(thisObject->value()));
+    }
+
+    static EncodedJSValue JIT_OPERATION unsafeFunction(ExecState* exec, DOMJITNode* node)
+    {
+        VM& vm = exec->vm();
+        NativeCallFrameTracer tracer(&vm, exec);
+        return JSValue::encode(jsNumber(node->value()));
+    }
+
+private:
+    void finishCreation(VM&, JSGlobalObject*);
+};
+
+static const DOMJIT::Signature DOMJITCheckSubClassObjectSignature((uintptr_t)DOMJITCheckSubClassObject::unsafeFunction, DOMJITCheckSubClassObject::info(), DOMJIT::Effect::forRead(DOMJIT::HeapRange::top()), SpecInt32Only);
+
+void DOMJITCheckSubClassObject::finishCreation(VM& vm, JSGlobalObject* globalObject)
+{
+    Base::finishCreation(vm);
+    putDirectNativeFunction(vm, globalObject, Identifier::fromString(&vm, "func"), 0, safeFunction, NoIntrinsic, &DOMJITCheckSubClassObjectSignature, static_cast<unsigned>(PropertyAttribute::ReadOnly));
+}
+
+class DOMJITGetterBaseJSObject : public DOMJITNode {
+public:
+    DOMJITGetterBaseJSObject(VM& vm, Structure* structure)
+        : Base(vm, structure)
+    {
+    }
+
+    DECLARE_INFO;
+    using Base = DOMJITNode;
+    static const unsigned StructureFlags = Base::StructureFlags;
+
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+    {
+        return Structure::create(vm, globalObject, prototype, TypeInfo(JSC::JSType(LastJSCObjectType + 1), StructureFlags), info());
+    }
+
+    static DOMJITGetterBaseJSObject* create(VM& vm, Structure* structure)
+    {
+        DOMJITGetterBaseJSObject* getter = new (NotNull, allocateCell<DOMJITGetterBaseJSObject>(vm.heap, sizeof(DOMJITGetterBaseJSObject))) DOMJITGetterBaseJSObject(vm, structure);
+        getter->finishCreation(vm);
+        return getter;
+    }
+
+    class DOMJITAttribute : public DOMJIT::GetterSetter {
+    public:
+        constexpr DOMJITAttribute()
+            : DOMJIT::GetterSetter(
+                DOMJITGetterBaseJSObject::customGetter,
+#if ENABLE(JIT)
+                &callDOMGetter,
+#else
+                nullptr,
+#endif
+                SpecBytecodeTop)
+        {
+        }
+
+#if ENABLE(JIT)
+        static EncodedJSValue JIT_OPERATION slowCall(ExecState* exec, void* pointer)
+        {
+            VM& vm = exec->vm();
+            NativeCallFrameTracer tracer(&vm, exec);
+            JSObject* object = static_cast<JSObject*>(pointer);
+            return JSValue::encode(object->getPrototypeDirect(vm));
+        }
+
+        static Ref<DOMJIT::CallDOMGetterSnippet> callDOMGetter()
+        {
+            Ref<DOMJIT::CallDOMGetterSnippet> snippet = DOMJIT::CallDOMGetterSnippet::create();
+            snippet->requireGlobalObject = false;
+            snippet->setGenerator([=](CCallHelpers& jit, SnippetParams& params) {
+                JSValueRegs results = params[0].jsValueRegs();
+                GPRReg dom = params[1].gpr();
+                params.addSlowPathCall(jit.jump(), jit, slowCall, results, dom);
+                return CCallHelpers::JumpList();
+
+            });
+            return snippet;
+        }
+#endif
+    };
+
+private:
+    void finishCreation(VM&);
+
+    static EncodedJSValue customGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName)
+    {
+        VM& vm = exec->vm();
+        JSObject* thisObject = jsDynamicCast<JSObject*>(vm, JSValue::decode(thisValue));
+        RELEASE_ASSERT(thisObject);
+        return JSValue::encode(thisObject->getPrototypeDirect(vm));
+    }
+};
+
+static const DOMJITGetterBaseJSObject::DOMJITAttribute DOMJITGetterBaseJSObjectDOMJIT;
+
+void DOMJITGetterBaseJSObject::finishCreation(VM& vm)
+{
+    Base::finishCreation(vm);
+    const DOMJIT::GetterSetter* domJIT = &DOMJITGetterBaseJSObjectDOMJIT;
+    auto* customGetterSetter = DOMAttributeGetterSetter::create(vm, domJIT->getter(), nullptr, DOMAttributeAnnotation { JSObject::info(), domJIT });
+    putDirectCustomAccessor(vm, Identifier::fromString(&vm, "customGetter"), customGetterSetter, PropertyAttribute::ReadOnly | PropertyAttribute::CustomAccessor);
+}
+
+class Message : public ThreadSafeRefCounted<Message> {
+public:
+    Message(ArrayBufferContents&&, int32_t);
+    ~Message();
+
+    ArrayBufferContents&& releaseContents() { return WTFMove(m_contents); }
+    int32_t index() const { return m_index; }
+
+private:
+    ArrayBufferContents m_contents;
+    int32_t m_index { 0 };
+};
+
+class JSTestCustomGetterSetter : public JSNonFinalObject {
+public:
+    using Base = JSNonFinalObject;
+    static const unsigned StructureFlags = Base::StructureFlags;
+
+    JSTestCustomGetterSetter(VM& vm, Structure* structure)
+        : Base(vm, structure)
+    { }
+
+    static JSTestCustomGetterSetter* create(VM& vm, JSGlobalObject*, Structure* structure)
+    {
+        JSTestCustomGetterSetter* result = new (NotNull, allocateCell<JSTestCustomGetterSetter>(vm.heap, sizeof(JSTestCustomGetterSetter))) JSTestCustomGetterSetter(vm, structure);
+        result->finishCreation(vm);
+        return result;
+    }
+
+    void finishCreation(VM&);
+
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject)
+    {
+        return Structure::create(vm, globalObject, globalObject->objectPrototype(), TypeInfo(ObjectType, StructureFlags), info());
+    }
+
+    DECLARE_INFO;
+};
+
+
+static EncodedJSValue customGetAccessor(ExecState*, EncodedJSValue thisValue, PropertyName)
+{
+    // Passed |this|
+    return thisValue;
+}
+
+static EncodedJSValue customGetValue(ExecState* exec, EncodedJSValue slotValue, PropertyName)
+{
+    RELEASE_ASSERT(JSValue::decode(slotValue).inherits(exec->vm(), JSTestCustomGetterSetter::info()));
+    // Passed property holder.
+    return slotValue;
+}
+
+static bool customSetAccessor(ExecState* exec, EncodedJSValue thisObject, EncodedJSValue encodedValue)
+{
+    VM& vm = exec->vm();
+
+    JSValue value = JSValue::decode(encodedValue);
+    RELEASE_ASSERT(value.isObject());
+    JSObject* object = asObject(value);
+    PutPropertySlot slot(object);
+    object->put(object, exec, Identifier::fromString(&vm, "result"), JSValue::decode(thisObject), slot);
+
+    return true;
+}
+
+static bool customSetValue(ExecState* exec, EncodedJSValue slotValue, EncodedJSValue encodedValue)
+{
+    VM& vm = exec->vm();
+
+    RELEASE_ASSERT(JSValue::decode(slotValue).inherits(exec->vm(), JSTestCustomGetterSetter::info()));
+
+    JSValue value = JSValue::decode(encodedValue);
+    RELEASE_ASSERT(value.isObject());
+    JSObject* object = asObject(value);
+    PutPropertySlot slot(object);
+    object->put(object, exec, Identifier::fromString(&vm, "result"), JSValue::decode(slotValue), slot);
+
+    return true;
+}
+
+void JSTestCustomGetterSetter::finishCreation(VM& vm)
+{
+    Base::finishCreation(vm);
+
+    putDirectCustomAccessor(vm, Identifier::fromString(&vm, "customValue"),
+        CustomGetterSetter::create(vm, customGetValue, customSetValue), 0);
+    putDirectCustomAccessor(vm, Identifier::fromString(&vm, "customAccessor"),
+        CustomGetterSetter::create(vm, customGetAccessor, customSetAccessor), static_cast<unsigned>(PropertyAttribute::CustomAccessor));
+}
+
+const ClassInfo Element::s_info = { "Element", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(Element) };
+const ClassInfo Root::s_info = { "Root", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(Root) };
+const ClassInfo SimpleObject::s_info = { "SimpleObject", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(SimpleObject) };
+const ClassInfo ImpureGetter::s_info = { "ImpureGetter", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(ImpureGetter) };
+const ClassInfo CustomGetter::s_info = { "CustomGetter", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(CustomGetter) };
+const ClassInfo RuntimeArray::s_info = { "RuntimeArray", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(RuntimeArray) };
+#if ENABLE(JIT)
+const ClassInfo DOMJITNode::s_info = { "DOMJITNode", &Base::s_info, nullptr, &DOMJITNode::checkSubClassSnippet, CREATE_METHOD_TABLE(DOMJITNode) };
+#else
+const ClassInfo DOMJITNode::s_info = { "DOMJITNode", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(DOMJITNode) };
+#endif
+const ClassInfo DOMJITGetter::s_info = { "DOMJITGetter", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(DOMJITGetter) };
+const ClassInfo DOMJITGetterComplex::s_info = { "DOMJITGetterComplex", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(DOMJITGetterComplex) };
+const ClassInfo DOMJITGetterBaseJSObject::s_info = { "DOMJITGetterBaseJSObject", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(DOMJITGetterBaseJSObject) };
+#if ENABLE(JIT)
+const ClassInfo DOMJITFunctionObject::s_info = { "DOMJITFunctionObject", &Base::s_info, nullptr, &DOMJITFunctionObject::checkSubClassSnippet, CREATE_METHOD_TABLE(DOMJITFunctionObject) };
+#else
+const ClassInfo DOMJITFunctionObject::s_info = { "DOMJITFunctionObject", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(DOMJITFunctionObject) };
+#endif
+const ClassInfo DOMJITCheckSubClassObject::s_info = { "DOMJITCheckSubClassObject", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(DOMJITCheckSubClassObject) };
+const ClassInfo JSTestCustomGetterSetter::s_info = { "JSTestCustomGetterSetter", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSTestCustomGetterSetter) };
+
+ElementHandleOwner* Element::handleOwner()
+{
+    static ElementHandleOwner* owner = 0;
+    if (!owner)
+        owner = new ElementHandleOwner();
+    return owner;
+}
+
+void Element::finishCreation(VM& vm, Root* root)
+{
+    Base::finishCreation(vm);
+    setRoot(vm, root);
+    m_root->setElement(this);
+}
+
+} // namespace
+
 namespace JSC {
 
 const ClassInfo JSDollarVM::s_info = { "DollarVM", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSDollarVM) };
-
-void JSDollarVM::addFunction(VM& vm, JSGlobalObject* globalObject, const char* name, NativeFunction function, unsigned arguments)
-{
-    Identifier identifier = Identifier::fromString(&vm, name);
-    putDirect(vm, identifier, JSFunction::create(vm, globalObject, arguments, identifier.string(), function));
-}
 
 // Triggers a crash immediately.
 // Usage: $vm.crash()
-static EncodedJSValue JSC_HOST_CALL functionCrash(ExecState*)
+static NO_RETURN_DUE_TO_CRASH EncodedJSValue JSC_HOST_CALL functionCrash(ExecState*)
 {
     CRASH();
-    return JSValue::encode(jsUndefined());
 }
 
@@ -357 +1345 @@
 }
 
-void JSDollarVM::finishCreation(VM& vm, JSGlobalObject* globalObject)
+static EncodedJSValue JSC_HOST_CALL functionCreateProxy(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    JSLockHolder lock(vm);
+    JSValue target = exec->argument(0);
+    if (!target.isObject())
+        return JSValue::encode(jsUndefined());
+    JSObject* jsTarget = asObject(target.asCell());
+    Structure* structure = JSProxy::createStructure(vm, exec->lexicalGlobalObject(), jsTarget->getPrototypeDirect(vm), ImpureProxyType);
+    JSProxy* proxy = JSProxy::create(vm, structure, jsTarget);
+    return JSValue::encode(proxy);
+}
+
+static EncodedJSValue JSC_HOST_CALL functionCreateRuntimeArray(ExecState* exec)
+{
+    JSLockHolder lock(exec);
+    RuntimeArray* array = RuntimeArray::create(exec);
+    return JSValue::encode(array);
+}
+
+static EncodedJSValue JSC_HOST_CALL functionCreateImpureGetter(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    JSLockHolder lock(vm);
+    JSValue target = exec->argument(0);
+    JSObject* delegate = nullptr;
+    if (target.isObject())
+        delegate = asObject(target.asCell());
+    Structure* structure = ImpureGetter::createStructure(vm, exec->lexicalGlobalObject(), jsNull());
+    ImpureGetter* result = ImpureGetter::create(vm, structure, delegate);
+    return JSValue::encode(result);
+}
+
+static EncodedJSValue JSC_HOST_CALL functionCreateCustomGetterObject(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    JSLockHolder lock(vm);
+    Structure* structure = CustomGetter::createStructure(vm, exec->lexicalGlobalObject(), jsNull());
+    CustomGetter* result = CustomGetter::create(vm, structure);
+    return JSValue::encode(result);
+}
+
+static EncodedJSValue JSC_HOST_CALL functionCreateDOMJITNodeObject(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    JSLockHolder lock(vm);
+    Structure* structure = DOMJITNode::createStructure(vm, exec->lexicalGlobalObject(), DOMJITGetter::create(vm, DOMJITGetter::createStructure(vm, exec->lexicalGlobalObject(), jsNull())));
+    DOMJITNode* result = DOMJITNode::create(vm, structure);
+    return JSValue::encode(result);
+}
+
+static EncodedJSValue JSC_HOST_CALL functionCreateDOMJITGetterObject(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    JSLockHolder lock(vm);
+    Structure* structure = DOMJITGetter::createStructure(vm, exec->lexicalGlobalObject(), jsNull());
+    DOMJITGetter* result = DOMJITGetter::create(vm, structure);
+    return JSValue::encode(result);
+}
+
+static EncodedJSValue JSC_HOST_CALL functionCreateDOMJITGetterComplexObject(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    JSLockHolder lock(vm);
+    Structure* structure = DOMJITGetterComplex::createStructure(vm, exec->lexicalGlobalObject(), jsNull());
+    DOMJITGetterComplex* result = DOMJITGetterComplex::create(vm, exec->lexicalGlobalObject(), structure);
+    return JSValue::encode(result);
+}
+
+static EncodedJSValue JSC_HOST_CALL functionCreateDOMJITFunctionObject(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    JSLockHolder lock(vm);
+    Structure* structure = DOMJITFunctionObject::createStructure(vm, exec->lexicalGlobalObject(), jsNull());
+    DOMJITFunctionObject* result = DOMJITFunctionObject::create(vm, exec->lexicalGlobalObject(), structure);
+    return JSValue::encode(result);
+}
+
+static EncodedJSValue JSC_HOST_CALL functionCreateDOMJITCheckSubClassObject(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    JSLockHolder lock(vm);
+    Structure* structure = DOMJITCheckSubClassObject::createStructure(vm, exec->lexicalGlobalObject(), jsNull());
+    DOMJITCheckSubClassObject* result = DOMJITCheckSubClassObject::create(vm, exec->lexicalGlobalObject(), structure);
+    return JSValue::encode(result);
+}
+
+static EncodedJSValue JSC_HOST_CALL functionCreateDOMJITGetterBaseJSObject(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    JSLockHolder lock(vm);
+    Structure* structure = DOMJITGetterBaseJSObject::createStructure(vm, exec->lexicalGlobalObject(), jsNull());
+    DOMJITGetterBaseJSObject* result = DOMJITGetterBaseJSObject::create(vm, structure);
+    return JSValue::encode(result);
+}
+
+static EncodedJSValue JSC_HOST_CALL functionSetImpureGetterDelegate(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    JSLockHolder lock(vm);
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    JSValue base = exec->argument(0);
+    if (!base.isObject())
+        return JSValue::encode(jsUndefined());
+    JSValue delegate = exec->argument(1);
+    if (!delegate.isObject())
+        return JSValue::encode(jsUndefined());
+    ImpureGetter* impureGetter = jsDynamicCast<ImpureGetter*>(vm, asObject(base.asCell()));
+    if (UNLIKELY(!impureGetter)) {
+        throwTypeError(exec, scope, ASCIILiteral("argument is not an ImpureGetter"));
+        return encodedJSValue();
+    }
+    impureGetter->setDelegate(vm, asObject(delegate.asCell()));
+    return JSValue::encode(jsUndefined());
+}
+
+static EncodedJSValue JSC_HOST_CALL functionCreateBuiltin(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    if (exec->argumentCount() < 1 || !exec->argument(0).isString())
+        return JSValue::encode(jsUndefined());
+
+    String functionText = asString(exec->argument(0))->value(exec);
+    RETURN_IF_EXCEPTION(scope, encodedJSValue());
+
+    const SourceCode& source = makeSource(functionText, { });
+    JSFunction* func = JSFunction::create(vm, createBuiltinExecutable(vm, source, Identifier::fromString(&vm, "foo"), ConstructorKind::None, ConstructAbility::CannotConstruct)->link(vm, source), exec->lexicalGlobalObject());
+
+    return JSValue::encode(func);
+}
+
+static EncodedJSValue JSC_HOST_CALL functionCreateRoot(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    JSLockHolder lock(vm);
+    return JSValue::encode(Root::create(vm, exec->lexicalGlobalObject()));
+}
+
+static EncodedJSValue JSC_HOST_CALL functionCreateElement(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    JSLockHolder lock(vm);
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    Root* root = jsDynamicCast<Root*>(vm, exec->argument(0));
+    if (!root)
+        return JSValue::encode(throwException(exec, scope, createError(exec, ASCIILiteral("Cannot create Element without a Root."))));
+    return JSValue::encode(Element::create(vm, exec->lexicalGlobalObject(), root));
+}
+
+static EncodedJSValue JSC_HOST_CALL functionGetElement(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    JSLockHolder lock(vm);
+    Root* root = jsDynamicCast<Root*>(vm, exec->argument(0));
+    if (!root)
+        return JSValue::encode(jsUndefined());
+    Element* result = root->element();
+    return JSValue::encode(result ? result : jsUndefined());
+}
+
+static EncodedJSValue JSC_HOST_CALL functionCreateSimpleObject(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    JSLockHolder lock(vm);
+    return JSValue::encode(SimpleObject::create(vm, exec->lexicalGlobalObject()));
+}
+
+static EncodedJSValue JSC_HOST_CALL functionGetHiddenValue(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    JSLockHolder lock(vm);
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    SimpleObject* simpleObject = jsDynamicCast<SimpleObject*>(vm, exec->argument(0));
+    if (UNLIKELY(!simpleObject)) {
+        throwTypeError(exec, scope, ASCIILiteral("Invalid use of getHiddenValue test function"));
+        return encodedJSValue();
+    }
+    return JSValue::encode(simpleObject->hiddenValue());
+}
+
+static EncodedJSValue JSC_HOST_CALL functionSetHiddenValue(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    JSLockHolder lock(vm);
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    SimpleObject* simpleObject = jsDynamicCast<SimpleObject*>(vm, exec->argument(0));
+    if (UNLIKELY(!simpleObject)) {
+        throwTypeError(exec, scope, ASCIILiteral("Invalid use of setHiddenValue test function"));
+        return encodedJSValue();
+    }
+    JSValue value = exec->argument(1);
+    simpleObject->setHiddenValue(vm, value);
+    return JSValue::encode(jsUndefined());
+}
+
+static EncodedJSValue JSC_HOST_CALL functionShadowChickenFunctionsOnStack(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    return JSValue::encode(vm.shadowChicken().functionsOnStack(exec));
+}
+
+static EncodedJSValue JSC_HOST_CALL functionSetGlobalConstRedeclarationShouldNotThrow(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    vm.setGlobalConstRedeclarationShouldThrow(false);
+    return JSValue::encode(jsUndefined());
+}
+
+static EncodedJSValue JSC_HOST_CALL functionFindTypeForExpression(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    RELEASE_ASSERT(vm.typeProfiler());
+    vm.typeProfilerLog()->processLogEntries(ASCIILiteral("jsc Testing API: functionFindTypeForExpression"));
+
+    JSValue functionValue = exec->argument(0);
+    RELEASE_ASSERT(functionValue.isFunction());
+    FunctionExecutable* executable = (jsDynamicCast<JSFunction*>(vm, functionValue.asCell()->getObject()))->jsExecutable();
+
+    RELEASE_ASSERT(exec->argument(1).isString());
+    String substring = asString(exec->argument(1))->value(exec);
+    String sourceCodeText = executable->source().view().toString();
+    unsigned offset = static_cast<unsigned>(sourceCodeText.find(substring) + executable->source().startOffset());
+    
+    String jsonString = vm.typeProfiler()->typeInformationForExpressionAtOffset(TypeProfilerSearchDescriptorNormal, offset, executable->sourceID(), vm);
+    return JSValue::encode(JSONParse(exec, jsonString));
+}
+
+static EncodedJSValue JSC_HOST_CALL functionReturnTypeFor(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    RELEASE_ASSERT(vm.typeProfiler());
+    vm.typeProfilerLog()->processLogEntries(ASCIILiteral("jsc Testing API: functionReturnTypeFor"));
+
+    JSValue functionValue = exec->argument(0);
+    RELEASE_ASSERT(functionValue.isFunction());
+    FunctionExecutable* executable = (jsDynamicCast<JSFunction*>(vm, functionValue.asCell()->getObject()))->jsExecutable();
+
+    unsigned offset = executable->typeProfilingStartOffset();
+    String jsonString = vm.typeProfiler()->typeInformationForExpressionAtOffset(TypeProfilerSearchDescriptorFunctionReturn, offset, executable->sourceID(), vm);
+    return JSValue::encode(JSONParse(exec, jsonString));
+}
+
+static EncodedJSValue JSC_HOST_CALL functionDumpBasicBlockExecutionRanges(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    RELEASE_ASSERT(vm.controlFlowProfiler());
+    vm.controlFlowProfiler()->dumpData();
+    return JSValue::encode(jsUndefined());
+}
+
+static EncodedJSValue JSC_HOST_CALL functionHasBasicBlockExecuted(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    RELEASE_ASSERT(vm.controlFlowProfiler());
+
+    JSValue functionValue = exec->argument(0);
+    RELEASE_ASSERT(functionValue.isFunction());
+    FunctionExecutable* executable = (jsDynamicCast<JSFunction*>(vm, functionValue.asCell()->getObject()))->jsExecutable();
+
+    RELEASE_ASSERT(exec->argument(1).isString());
+    String substring = asString(exec->argument(1))->value(exec);
+    String sourceCodeText = executable->source().view().toString();
+    RELEASE_ASSERT(sourceCodeText.contains(substring));
+    int offset = sourceCodeText.find(substring) + executable->source().startOffset();
+    
+    bool hasExecuted = vm.controlFlowProfiler()->hasBasicBlockAtTextOffsetBeenExecuted(offset, executable->sourceID(), vm);
+    return JSValue::encode(jsBoolean(hasExecuted));
+}
+
+static EncodedJSValue JSC_HOST_CALL functionBasicBlockExecutionCount(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    RELEASE_ASSERT(vm.controlFlowProfiler());
+
+    JSValue functionValue = exec->argument(0);
+    RELEASE_ASSERT(functionValue.isFunction());
+    FunctionExecutable* executable = (jsDynamicCast<JSFunction*>(vm, functionValue.asCell()->getObject()))->jsExecutable();
+
+    RELEASE_ASSERT(exec->argument(1).isString());
+    String substring = asString(exec->argument(1))->value(exec);
+    String sourceCodeText = executable->source().view().toString();
+    RELEASE_ASSERT(sourceCodeText.contains(substring));
+    int offset = sourceCodeText.find(substring) + executable->source().startOffset();
+    
+    size_t executionCount = vm.controlFlowProfiler()->basicBlockExecutionCountAtTextOffset(offset, executable->sourceID(), vm);
+    return JSValue::encode(JSValue(executionCount));
+}
+
+static EncodedJSValue JSC_HOST_CALL functionEnableExceptionFuzz(ExecState*)
+{
+    Options::useExceptionFuzz() = true;
+    return JSValue::encode(jsUndefined());
+}
+
+static EncodedJSValue JSC_HOST_CALL functionGlobalObjectForObject(ExecState* exec)
+{
+    JSValue value = exec->argument(0);
+    RELEASE_ASSERT(value.isObject());
+    JSGlobalObject* globalObject = jsCast<JSObject*>(value)->globalObject();
+    RELEASE_ASSERT(globalObject);
+    return JSValue::encode(globalObject);
+}
+
+static EncodedJSValue JSC_HOST_CALL functionGetGetterSetter(ExecState* exec)
+{
+    JSValue value = exec->argument(0);
+    if (!value.isObject())
+        return JSValue::encode(jsUndefined());
+
+    JSValue property = exec->argument(1);
+    if (!property.isString())
+        return JSValue::encode(jsUndefined());
+
+    PropertySlot slot(value, PropertySlot::InternalMethodType::VMInquiry);
+    value.getPropertySlot(exec, asString(property)->toIdentifier(exec), slot);
+
+    JSValue result;
+    if (slot.isCacheableGetter())
+        result = slot.getterSetter();
+    else
+        result = jsNull();
+
+    return JSValue::encode(result);
+}
+
+static EncodedJSValue JSC_HOST_CALL functionLoadGetterFromGetterSetter(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    GetterSetter* getterSetter = jsDynamicCast<GetterSetter*>(vm, exec->argument(0));
+    if (UNLIKELY(!getterSetter)) {
+        throwTypeError(exec, scope, ASCIILiteral("Invalid use of loadGetterFromGetterSetter test function: argument is not a GetterSetter"));
+        return encodedJSValue();
+    }
+
+    JSObject* getter = getterSetter->getter();
+    RELEASE_ASSERT(getter);
+    return JSValue::encode(getter);
+}
+
+static EncodedJSValue JSC_HOST_CALL functionCreateCustomTestGetterSetter(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    JSGlobalObject* globalObject = exec->lexicalGlobalObject();
+    return JSValue::encode(JSTestCustomGetterSetter::create(vm, globalObject, JSTestCustomGetterSetter::createStructure(vm, globalObject)));
+}
+
+void JSDollarVM::finishCreation(VM& vm)
 {
     Base::finishCreation(vm);
-    
-    addFunction(vm, globalObject, "crash", functionCrash, 0);
-    
+
+    JSGlobalObject* globalObject = structure(vm)->globalObject();
+
+    auto addFunction = [&] (VM& vm, const char* name, NativeFunction function, unsigned arguments) {
+        JSDollarVM::addFunction(vm, globalObject, name, function, arguments);
+    };
+    auto addConstructibleFunction = [&] (VM& vm, const char* name, NativeFunction function, unsigned arguments) {
+        JSDollarVM::addConstructibleFunction(vm, globalObject, name, function, arguments);
+    };
+
+    addFunction(vm, "abort", functionCrash, 0);
+    addFunction(vm, "crash", functionCrash, 0);
+
     putDirectNativeFunction(vm, globalObject, Identifier::fromString(&vm, "dfgTrue"), 0, functionDFGTrue, DFGTrueIntrinsic, static_cast<unsigned>(PropertyAttribute::DontEnum));
 
@@ -369 +1721 @@
     putDirectNativeFunction(vm, globalObject, Identifier::fromString(&vm, "cpuCpuid"), 0, functionCpuCpuid, CPUCpuidIntrinsic, 0);
     putDirectNativeFunction(vm, globalObject, Identifier::fromString(&vm, "cpuPause"), 0, functionCpuPause, CPUPauseIntrinsic, 0);
-    addFunction(vm, globalObject, "cpuClflush", functionCpuClflush, 2);
-    
-    addFunction(vm, globalObject, "llintTrue", functionLLintTrue, 0);
-    addFunction(vm, globalObject, "jitTrue", functionJITTrue, 0);
-    
-    addFunction(vm, globalObject, "gc", functionGC, 0);
-    addFunction(vm, globalObject, "edenGC", functionEdenGC, 0);
-    
-    addFunction(vm, globalObject, "codeBlockFor", functionCodeBlockFor, 1);
-    addFunction(vm, globalObject, "codeBlockForFrame", functionCodeBlockForFrame, 1);
-    addFunction(vm, globalObject, "printSourceFor", functionPrintSourceFor, 1);
-    addFunction(vm, globalObject, "printBytecodeFor", functionPrintBytecodeFor, 1);
-    
-    addFunction(vm, globalObject, "print", functionPrint, 1);
-    addFunction(vm, globalObject, "printCallFrame", functionPrintCallFrame, 0);
-    addFunction(vm, globalObject, "printStack", functionPrintStack, 0);
-
-    addFunction(vm, globalObject, "value", functionValue, 1);
-    addFunction(vm, globalObject, "getpid", functionGetPID, 0);
+    addFunction(vm, "cpuClflush", functionCpuClflush, 2);
+
+    addFunction(vm, "llintTrue", functionLLintTrue, 0);
+    addFunction(vm, "jitTrue", functionJITTrue, 0);
+
+    addFunction(vm, "gc", functionGC, 0);
+    addFunction(vm, "edenGC", functionEdenGC, 0);
+
+    addFunction(vm, "codeBlockFor", functionCodeBlockFor, 1);
+    addFunction(vm, "codeBlockForFrame", functionCodeBlockForFrame, 1);
+    addFunction(vm, "printSourceFor", functionPrintSourceFor, 1);
+    addFunction(vm, "printBytecodeFor", functionPrintBytecodeFor, 1);
+
+    addFunction(vm, "print", functionPrint, 1);
+    addFunction(vm, "printCallFrame", functionPrintCallFrame, 0);
+    addFunction(vm, "printStack", functionPrintStack, 0);
+
+    addFunction(vm, "value", functionValue, 1);
+    addFunction(vm, "getpid", functionGetPID, 0);
+
+    addFunction(vm, "createProxy", functionCreateProxy, 1);
+    addFunction(vm, "createRuntimeArray", functionCreateRuntimeArray, 0);
+
+    addFunction(vm, "createImpureGetter", functionCreateImpureGetter, 1);
+    addFunction(vm, "createCustomGetterObject", functionCreateCustomGetterObject, 0);
+    addFunction(vm, "createDOMJITNodeObject", functionCreateDOMJITNodeObject, 0);
+    addFunction(vm, "createDOMJITGetterObject", functionCreateDOMJITGetterObject, 0);
+    addFunction(vm, "createDOMJITGetterComplexObject", functionCreateDOMJITGetterComplexObject, 0);
+    addFunction(vm, "createDOMJITFunctionObject", functionCreateDOMJITFunctionObject, 0);
+    addFunction(vm, "createDOMJITCheckSubClassObject", functionCreateDOMJITCheckSubClassObject, 0);
+    addFunction(vm, "createDOMJITGetterBaseJSObject", functionCreateDOMJITGetterBaseJSObject, 0);
+    addFunction(vm, "createBuiltin", functionCreateBuiltin, 2);
+    addFunction(vm, "setImpureGetterDelegate", functionSetImpureGetterDelegate, 2);
+
+    addConstructibleFunction(vm, "Root", functionCreateRoot, 0);
+    addConstructibleFunction(vm, "Element", functionCreateElement, 1);
+    addFunction(vm, "getElement", functionGetElement, 1);
+
+    addConstructibleFunction(vm, "SimpleObject", functionCreateSimpleObject, 0);
+    addFunction(vm, "getHiddenValue", functionGetHiddenValue, 1);
+    addFunction(vm, "setHiddenValue", functionSetHiddenValue, 2);
+
+    addFunction(vm, "shadowChickenFunctionsOnStack", functionShadowChickenFunctionsOnStack, 0);
+    addFunction(vm, "setGlobalConstRedeclarationShouldNotThrow", functionSetGlobalConstRedeclarationShouldNotThrow, 0);
+
+    addFunction(vm, "findTypeForExpression", functionFindTypeForExpression, 2);
+    addFunction(vm, "returnTypeFor", functionReturnTypeFor, 1);
+
+    addFunction(vm, "dumpBasicBlockExecutionRanges", functionDumpBasicBlockExecutionRanges , 0);
+    addFunction(vm, "hasBasicBlockExecuted", functionHasBasicBlockExecuted, 2);
+    addFunction(vm, "basicBlockExecutionCount", functionBasicBlockExecutionCount, 2);
+
+    addFunction(vm, "enableExceptionFuzz", functionEnableExceptionFuzz, 0);
+
+    addFunction(vm, "globalObjectForObject", functionGlobalObjectForObject, 1);
+
+    addFunction(vm, "getGetterSetter", functionGetGetterSetter, 2);
+    addFunction(vm, "loadGetterFromGetterSetter", functionLoadGetterFromGetterSetter, 1);
+    addFunction(vm, "createCustomTestGetterSetter", functionCreateCustomTestGetterSetter, 1);
+}
+
+void JSDollarVM::addFunction(VM& vm, JSGlobalObject* globalObject, const char* name, NativeFunction function, unsigned arguments)
+{
+    Identifier identifier = Identifier::fromString(&vm, name);
+    putDirect(vm, identifier, JSFunction::create(vm, globalObject, arguments, identifier.string(), function));
+}
+
+void JSDollarVM::addConstructibleFunction(VM& vm, JSGlobalObject* globalObject, const char* name, NativeFunction function, unsigned arguments)
+{
+    Identifier identifier = Identifier::fromString(&vm, name);
+    putDirect(vm, identifier, JSFunction::create(vm, globalObject, arguments, identifier.string(), function, NoIntrinsic, function));
 }
 

trunk/Source/JavaScriptCore/tools/JSDollarVM.h

@@ -41 +41 @@
     }
 
-    static JSDollarVM* create(VM& vm, JSGlobalObject* globalObject, Structure* structure)
+    static JSDollarVM* create(VM& vm, Structure* structure)
     {
         JSDollarVM* instance = new (NotNull, allocateCell<JSDollarVM>(vm.heap)) JSDollarVM(vm, structure);
-        instance->finishCreation(vm, globalObject);
+        instance->finishCreation(vm);
         return instance;
     }
@@ -54 +54 @@
     }
 
-    void finishCreation(VM&, JSGlobalObject*);
+    void finishCreation(VM&);
     void addFunction(VM&, JSGlobalObject*, const char* name, NativeFunction, unsigned arguments);
+    void addConstructibleFunction(VM&, JSGlobalObject*, const char* name, NativeFunction, unsigned arguments);
 };