Changeset 278576 in webkit for trunk/Source/JavaScriptCore/jit/JIT.cpp

Timestamp:

Jun 7, 2021, 3:51:25 PM (4 years ago)

Author:

[email protected]

Message:

Put the Baseline JIT prologue and op_loop_hint code in JIT thunks.
​https://bugs.webkit.org/show_bug.cgi?id=226375

Reviewed by Keith Miller and Robin Morisset.

Baseline JIT prologue code varies in behavior based on several variables. These
variables include (1) whether the prologue does any arguments value profiling,
(2) whether the prologue is for a constructor, and (3) whether the compiled
CodeBlock will have such a large frame that it is greater than the stack reserved
zone (aka red zone) which would require additional stack check logic.

The pre-existing code would generate specialized code based on these (and other
variables). In converting to using thunks for the prologue, we opt not to
convert these specializations into runtime checks. Instead, the implementation
uses 1 of 8 possible specialized thunks to reduce the need to pass arguments for
runtime checks. The only needed argument passed to the prologue thunks is the
codeBlock pointer.

There are 8 possible thunks because we specialize based on 3 variables:

1. doesProfiling
2. isConstructor
3. hasHugeFrame

23 yields 8 permutations of prologue thunk specializations.

Similarly, there are also 8 analogous arity fixup prologues that work similarly.

The op_loop_hint thunk only takes 1 runtime argument: the bytecode offset.

We've tried doing the loop_hint optimization check in the thunk (in order to move
both the fast and slow path into the thunk for maximum space savings). However,
this seems to have some slight negative impact on benchmark performance. We ended
up just keeping the fast path and instead have the slow path call a thunk to do
its work. This realizes the bulk of the size savings without the perf impact.

This patch also optimizes op_enter a bit more by eliminating the need to pass any
arguments to the thunk. The thunk previously took 2 arguments: localsToInit and
canBeOptimized. localsToInit is now computed in the thunk at runtime, and
canBeOptimized is used as a specialization argument to generate 2 variants of the
op_enter thunk: op_enter_canBeOptimized_Generator and op_enter_cannotBeOptimized_Generator,
thereby removing the need to pass it as a runtime argument.

LinkBuffer size results (from a single run of Speedometer2):

BaselineJIT: 93319628 (88.996532 MB) => 83851824 (79.967331 MB) 0.90x

ExtraCTIThunk: 5992 (5.851562 KB) => 6984 (6.820312 KB) 1.17x

...

Total: 197530008 (188.379295 MB) => 188459444 (179.728931 MB) 0.95x

Speedometer2 and JetStream2 results (as measured on an M1 Mac) are neutral.

• assembler/AbstractMacroAssembler.h:

(JSC::AbstractMacroAssembler::untagReturnAddressWithoutExtraValidation):

• assembler/MacroAssemblerARM64E.h:

(JSC::MacroAssemblerARM64E::untagReturnAddress):
(JSC::MacroAssemblerARM64E::untagReturnAddressWithoutExtraValidation):

• assembler/MacroAssemblerARMv7.h:

(JSC::MacroAssemblerARMv7::branchAdd32):

• assembler/MacroAssemblerMIPS.h:

(JSC::MacroAssemblerMIPS::branchAdd32):

• bytecode/CodeBlock.h:

(JSC::CodeBlock::offsetOfNumCalleeLocals):
(JSC::CodeBlock::offsetOfNumVars):
(JSC::CodeBlock::offsetOfArgumentValueProfiles):
(JSC::CodeBlock::offsetOfShouldAlwaysBeInlined):

• jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::emitSaveCalleeSavesFor):
(JSC::AssemblyHelpers::emitSaveCalleeSavesForBaselineJIT):
(JSC::AssemblyHelpers::emitRestoreCalleeSavesForBaselineJIT):

• jit/JIT.cpp:

(JSC::JIT::compileAndLinkWithoutFinalizing):
(JSC::JIT::prologueGenerator):
(JSC::JIT::arityFixupPrologueGenerator):
(JSC::JIT::privateCompileExceptionHandlers):

• jit/JIT.h:
• jit/JITInlines.h:

(JSC::JIT::emitNakedNearCall):

• jit/JITOpcodes.cpp:

(JSC::JIT::op_ret_handlerGenerator):
(JSC::JIT::emit_op_enter):
(JSC::JIT::op_enter_Generator):
(JSC::JIT::op_enter_canBeOptimized_Generator):
(JSC::JIT::op_enter_cannotBeOptimized_Generator):
(JSC::JIT::emit_op_loop_hint):
(JSC::JIT::emitSlow_op_loop_hint):
(JSC::JIT::op_loop_hint_Generator):
(JSC::JIT::op_enter_handlerGenerator): Deleted.

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_enter):

• jit/ThunkGenerators.cpp:

(JSC::popThunkStackPreservesAndHandleExceptionGenerator):

File:

• trunk/Source/JavaScriptCore/jit/JIT.cpp (modified) (15 diffs)

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -56 +56 @@
 }
 
+#if ENABLE(EXTRA_CTI_THUNKS)
+#if CPU(ARM64) || (CPU(X86_64) && !OS(WINDOWS))
+// These are supported ports.
+#else
+// This is a courtesy reminder (and warning) that the implementation of EXTRA_CTI_THUNKS can
+// use up to 6 argument registers and/or 6/7 temp registers, and make use of ARM64 like
+// features. Hence, it may not work for many other ports without significant work. If you
+// plan on adding EXTRA_CTI_THUNKS support for your port, please remember to search the
+// EXTRA_CTI_THUNKS code for CPU(ARM64) and CPU(X86_64) conditional code, and add support
+// for your port there as well.
+#error "unsupported architecture"
+#endif
+#endif // ENABLE(EXTRA_CTI_THUNKS)
+
 Seconds totalBaselineCompileTime;
 Seconds totalDFGCompileTime;
@@ -84 +98 @@
 }
 
-#if ENABLE(DFG_JIT)
+#if ENABLE(DFG_JIT) && !ENABLE(EXTRA_CTI_THUNKS)
 void JIT::emitEnterOptimizationCheck()
 {
@@ -102 +116 @@
     skipOptimize.link(this);
 }
-#endif
+#endif // ENABLE(DFG_JIT) && !ENABLE(EXTRA_CTI_THUNKS)(
 
 void JIT::emitNotifyWrite(WatchpointSet* set)
@@ -683 +697 @@
 }
 
+static inline unsigned prologueGeneratorSelector(bool doesProfiling, bool isConstructor, bool hasHugeFrame)
+{
+    return doesProfiling << 2 | isConstructor << 1 | hasHugeFrame << 0;
+}
+
+#define FOR_EACH_NON_PROFILING_PROLOGUE_GENERATOR(v) \
+    v(!doesProfiling, !isConstructor, !hasHugeFrame, prologueGenerator0, arityFixup_prologueGenerator0) \
+    v(!doesProfiling, !isConstructor,  hasHugeFrame, prologueGenerator1, arityFixup_prologueGenerator1) \
+    v(!doesProfiling,  isConstructor, !hasHugeFrame, prologueGenerator2, arityFixup_prologueGenerator2) \
+    v(!doesProfiling,  isConstructor,  hasHugeFrame, prologueGenerator3, arityFixup_prologueGenerator3)
+
+#if ENABLE(DFG_JIT)
+#define FOR_EACH_PROFILING_PROLOGUE_GENERATOR(v) \
+    v( doesProfiling, !isConstructor, !hasHugeFrame, prologueGenerator4, arityFixup_prologueGenerator4) \
+    v( doesProfiling, !isConstructor,  hasHugeFrame, prologueGenerator5, arityFixup_prologueGenerator5) \
+    v( doesProfiling,  isConstructor, !hasHugeFrame, prologueGenerator6, arityFixup_prologueGenerator6) \
+    v( doesProfiling,  isConstructor,  hasHugeFrame, prologueGenerator7, arityFixup_prologueGenerator7)
+
+#else // not ENABLE(DFG_JIT)
+#define FOR_EACH_PROFILING_PROLOGUE_GENERATOR(v)
+#endif // ENABLE(DFG_JIT)
+
+#define FOR_EACH_PROLOGUE_GENERATOR(v) \
+    FOR_EACH_NON_PROFILING_PROLOGUE_GENERATOR(v) \
+    FOR_EACH_PROFILING_PROLOGUE_GENERATOR(v)
+
 void JIT::compileAndLinkWithoutFinalizing(JITCompilationEffort effort)
 {
@@ -751 +791 @@
 
     emitFunctionPrologue();
+
+#if !ENABLE(EXTRA_CTI_THUNKS)
     emitPutToCallFrameHeader(m_codeBlock, CallFrameSlot::codeBlock);
 
@@ -772 +814 @@
         ASSERT(!m_bytecodeIndex);
         if (shouldEmitProfiling()) {
-            for (unsigned argument = 0; argument < m_codeBlock->numParameters(); ++argument) {
-                // If this is a constructor, then we want to put in a dummy profiling site (to
-                // keep things consistent) but we don't actually want to record the dummy value.
-                if (m_codeBlock->isConstructor() && !argument)
-                    continue;
+            // If this is a constructor, then we want to put in a dummy profiling site (to
+            // keep things consistent) but we don't actually want to record the dummy value.
+            unsigned startArgument = m_codeBlock->isConstructor() ? 1 : 0;
+            for (unsigned argument = startArgument; argument < m_codeBlock->numParameters(); ++argument) {
                 int offset = CallFrame::argumentOffsetIncludingThis(argument) * static_cast<int>(sizeof(Register));
 #if USE(JSVALUE64)
@@ -790 +831 @@
         }
     }
-    
+#else // ENABLE(EXTRA_CTI_THUNKS)
+    constexpr GPRReg codeBlockGPR = regT7;
+    ASSERT(!m_bytecodeIndex);
+
+    int frameTopOffset = stackPointerOffsetFor(m_codeBlock) * sizeof(Register);
+    unsigned maxFrameSize = -frameTopOffset;
+
+    bool doesProfiling = (m_codeBlock->codeType() == FunctionCode) && shouldEmitProfiling();
+    bool isConstructor = m_codeBlock->isConstructor();
+    bool hasHugeFrame = maxFrameSize > Options::reservedZoneSize();
+
+    static constexpr ThunkGenerator generators[] = {
+#define USE_PROLOGUE_GENERATOR(doesProfiling, isConstructor, hasHugeFrame, name, arityFixupName) name,
+        FOR_EACH_PROLOGUE_GENERATOR(USE_PROLOGUE_GENERATOR)
+#undef USE_PROLOGUE_GENERATOR
+    };
+    static constexpr unsigned numberOfGenerators = sizeof(generators) / sizeof(generators[0]);
+
+    move(TrustedImmPtr(m_codeBlock), codeBlockGPR);
+
+    unsigned generatorSelector = prologueGeneratorSelector(doesProfiling, isConstructor, hasHugeFrame);
+    RELEASE_ASSERT(generatorSelector < numberOfGenerators);
+    auto generator = generators[generatorSelector];
+    emitNakedNearCall(vm().getCTIStub(generator).retaggedCode<NoPtrTag>());
+
+    Label bodyLabel(this);
+#endif // !ENABLE(EXTRA_CTI_THUNKS)
+
     RELEASE_ASSERT(!JITCode::isJIT(m_codeBlock->jitType()));
 
@@ -804 +872 @@
     m_pcToCodeOriginMapBuilder.appendItem(label(), PCToCodeOriginMapBuilder::defaultCodeOrigin());
 
+#if !ENABLE(EXTRA_CTI_THUNKS)
     stackOverflow.link(this);
     m_bytecodeIndex = BytecodeIndex(0);
@@ -809 +878 @@
         addPtr(TrustedImm32(-static_cast<int32_t>(maxFrameExtentForSlowPathCall)), stackPointerRegister);
     callOperationWithCallFrameRollbackOnException(operationThrowStackOverflowError, m_codeBlock);
+#endif
 
     // If the number of parameters is 1, we never require arity fixup.
@@ -814 +884 @@
     if (m_codeBlock->codeType() == FunctionCode && requiresArityFixup) {
         m_arityCheck = label();
+#if !ENABLE(EXTRA_CTI_THUNKS)
         store8(TrustedImm32(0), &m_codeBlock->m_shouldAlwaysBeInlined);
         emitFunctionPrologue();
@@ -832 +903 @@
         emitNakedNearCall(m_vm->getCTIStub(arityFixupGenerator).retaggedCode<NoPtrTag>());
 
+        jump(beginLabel);
+
+#else // ENABLE(EXTRA_CTI_THUNKS)
+        emitFunctionPrologue();
+
+        static_assert(codeBlockGPR == regT7);
+        ASSERT(!m_bytecodeIndex);
+
+        static constexpr ThunkGenerator generators[] = {
+#define USE_PROLOGUE_GENERATOR(doesProfiling, isConstructor, hasHugeFrame, name, arityFixupName) arityFixupName,
+            FOR_EACH_PROLOGUE_GENERATOR(USE_PROLOGUE_GENERATOR)
+#undef USE_PROLOGUE_GENERATOR
+        };
+        static constexpr unsigned numberOfGenerators = sizeof(generators) / sizeof(generators[0]);
+
+        move(TrustedImmPtr(m_codeBlock), codeBlockGPR);
+
+        RELEASE_ASSERT(generatorSelector < numberOfGenerators);
+        auto generator = generators[generatorSelector];
+        RELEASE_ASSERT(generator);
+        emitNakedNearCall(vm().getCTIStub(generator).retaggedCode<NoPtrTag>());
+
+        jump(bodyLabel);
+#endif // !ENABLE(EXTRA_CTI_THUNKS)
+
 #if ASSERT_ENABLED
         m_bytecodeIndex = BytecodeIndex(); // Reset this, in order to guard its use with ASSERTs.
 #endif
-
-        jump(beginLabel);
     } else
         m_arityCheck = entryLabel; // Never require arity fixup.
@@ -842 +936 @@
     ASSERT(m_jmpTable.isEmpty());
     
+#if !ENABLE(EXTRA_CTI_THUNKS)
     privateCompileExceptionHandlers();
+#endif
     
     if (m_disassembler)
@@ -851 +947 @@
     link();
 }
+
+#if ENABLE(EXTRA_CTI_THUNKS)
+MacroAssemblerCodeRef<JITThunkPtrTag> JIT::prologueGenerator(VM& vm, bool doesProfiling, bool isConstructor, bool hasHugeFrame, const char* thunkName)
+{
+    // This function generates the Baseline JIT's prologue code. It is not useable by other tiers.
+    constexpr GPRReg codeBlockGPR = regT7; // incoming.
+
+    constexpr int virtualRegisterSize = static_cast<int>(sizeof(Register));
+    constexpr int virtualRegisterSizeShift = 3;
+    static_assert((1 << virtualRegisterSizeShift) == virtualRegisterSize);
+
+    tagReturnAddress();
+
+    storePtr(codeBlockGPR, addressFor(CallFrameSlot::codeBlock));
+
+    load32(Address(codeBlockGPR, CodeBlock::offsetOfNumCalleeLocals()), regT1);
+    if constexpr (maxFrameExtentForSlowPathCallInRegisters)
+        add32(TrustedImm32(maxFrameExtentForSlowPathCallInRegisters), regT1);
+    lshift32(TrustedImm32(virtualRegisterSizeShift), regT1);
+    neg64(regT1);
+#if ASSERT_ENABLED
+    Probe::Function probeFunction = [] (Probe::Context& context) {
+        CodeBlock* codeBlock = context.fp<CallFrame*>()->codeBlock();
+        int64_t frameTopOffset = stackPointerOffsetFor(codeBlock) * sizeof(Register);
+        RELEASE_ASSERT(context.gpr<intptr_t>(regT1) == frameTopOffset);
+    };
+    probe(tagCFunctionPtr<JITProbePtrTag>(probeFunction), nullptr);
+#endif
+
+    addPtr(callFrameRegister, regT1);
+
+    JumpList stackOverflow;
+    if (hasHugeFrame)
+        stackOverflow.append(branchPtr(Above, regT1, callFrameRegister));
+    stackOverflow.append(branchPtr(Above, AbsoluteAddress(vm.addressOfSoftStackLimit()), regT1));
+
+    // We'll be imminently returning with a `retab` (ARM64E's return with authentication
+    // using the B key) in the normal path (see MacroAssemblerARM64E's implementation of
+    // ret()), which will do validation. So, extra validation here is redundant and unnecessary.
+    untagReturnAddressWithoutExtraValidation();
+#if CPU(X86_64)
+    pop(regT2); // Save the return address.
+#endif
+    move(regT1, stackPointerRegister);
+    tagReturnAddress();
+    checkStackPointerAlignment();
+#if CPU(X86_64)
+    push(regT2); // Restore the return address.
+#endif
+
+    emitSaveCalleeSavesForBaselineJIT();
+    emitMaterializeTagCheckRegisters();
+
+    if (doesProfiling) {
+        constexpr GPRReg argumentValueProfileGPR = regT6;
+        constexpr GPRReg numParametersGPR = regT5;
+        constexpr GPRReg argumentGPR = regT4;
+
+        load32(Address(codeBlockGPR, CodeBlock::offsetOfNumParameters()), numParametersGPR);
+        loadPtr(Address(codeBlockGPR, CodeBlock::offsetOfArgumentValueProfiles()), argumentValueProfileGPR);
+        if (isConstructor)
+            addPtr(TrustedImm32(sizeof(ValueProfile)), argumentValueProfileGPR);
+
+        int startArgument = CallFrameSlot::thisArgument + (isConstructor ? 1 : 0);
+        int startArgumentOffset = startArgument * virtualRegisterSize;
+        move(TrustedImm64(startArgumentOffset), argumentGPR);
+
+        add32(TrustedImm32(static_cast<int>(CallFrameSlot::thisArgument)), numParametersGPR);
+        lshift32(TrustedImm32(virtualRegisterSizeShift), numParametersGPR);
+
+        addPtr(callFrameRegister, argumentGPR);
+        addPtr(callFrameRegister, numParametersGPR);
+
+        Label loopStart(this);
+        Jump done = branchPtr(AboveOrEqual, argumentGPR, numParametersGPR);
+        {
+            load64(Address(argumentGPR), regT0);
+            store64(regT0, Address(argumentValueProfileGPR, OBJECT_OFFSETOF(ValueProfile, m_buckets)));
+
+            // The argument ValueProfiles are stored in a FixedVector. Hence, the
+            // address of the next profile can be trivially computed with an increment.
+            addPtr(TrustedImm32(sizeof(ValueProfile)), argumentValueProfileGPR);
+            addPtr(TrustedImm32(virtualRegisterSize), argumentGPR);
+            jump().linkTo(loopStart, this);
+        }
+        done.link(this);
+    }
+    ret();
+
+    stackOverflow.link(this);
+#if CPU(X86_64)
+    addPtr(TrustedImm32(1 * sizeof(CPURegister)), stackPointerRegister); // discard return address.
+#endif
+
+    uint32_t locationBits = CallSiteIndex(0).bits();
+    store32(TrustedImm32(locationBits), tagFor(CallFrameSlot::argumentCountIncludingThis));
+
+    if (maxFrameExtentForSlowPathCall)
+        addPtr(TrustedImm32(-static_cast<int32_t>(maxFrameExtentForSlowPathCall)), stackPointerRegister);
+
+    setupArguments<decltype(operationThrowStackOverflowError)>(codeBlockGPR);
+    prepareCallOperation(vm);
+    MacroAssembler::Call operationCall = call(OperationPtrTag);
+    Jump handleExceptionJump = jump();
+
+    auto handler = vm.getCTIStub(handleExceptionWithCallFrameRollbackGenerator);
+
+    LinkBuffer patchBuffer(*this, GLOBAL_THUNK_ID, LinkBuffer::Profile::ExtraCTIThunk);
+    patchBuffer.link(operationCall, FunctionPtr<OperationPtrTag>(operationThrowStackOverflowError));
+    patchBuffer.link(handleExceptionJump, CodeLocationLabel(handler.retaggedCode<NoPtrTag>()));
+    return FINALIZE_CODE(patchBuffer, JITThunkPtrTag, thunkName);
+}
+
+static constexpr bool doesProfiling = true;
+static constexpr bool isConstructor = true;
+static constexpr bool hasHugeFrame = true;
+
+#define DEFINE_PROGLOGUE_GENERATOR(doesProfiling, isConstructor, hasHugeFrame, name, arityFixupName) \
+    MacroAssemblerCodeRef<JITThunkPtrTag> JIT::name(VM& vm) \
+    { \
+        JIT jit(vm); \
+        return jit.prologueGenerator(vm, doesProfiling, isConstructor, hasHugeFrame, "Baseline: " #name); \
+    }
+
+FOR_EACH_PROLOGUE_GENERATOR(DEFINE_PROGLOGUE_GENERATOR)
+#undef DEFINE_PROGLOGUE_GENERATOR
+
+MacroAssemblerCodeRef<JITThunkPtrTag> JIT::arityFixupPrologueGenerator(VM& vm, bool isConstructor, ThunkGenerator normalPrologueGenerator, const char* thunkName)
+{
+    // This function generates the Baseline JIT's prologue code. It is not useable by other tiers.
+    constexpr GPRReg codeBlockGPR = regT7; // incoming.
+    constexpr GPRReg numParametersGPR = regT6;
+
+    tagReturnAddress();
+#if CPU(X86_64)
+    push(framePointerRegister);
+#elif CPU(ARM64)
+    pushPair(framePointerRegister, linkRegister);
+#endif
+
+    storePtr(codeBlockGPR, addressFor(CallFrameSlot::codeBlock));
+    store8(TrustedImm32(0), Address(codeBlockGPR, CodeBlock::offsetOfShouldAlwaysBeInlined()));
+
+    load32(payloadFor(CallFrameSlot::argumentCountIncludingThis), regT1);
+    load32(Address(codeBlockGPR, CodeBlock::offsetOfNumParameters()), numParametersGPR);
+    Jump noFixupNeeded = branch32(AboveOrEqual, regT1, numParametersGPR);
+
+    if constexpr (maxFrameExtentForSlowPathCall)
+        addPtr(TrustedImm32(-static_cast<int32_t>(maxFrameExtentForSlowPathCall)), stackPointerRegister);
+
+    loadPtr(Address(codeBlockGPR, CodeBlock::offsetOfGlobalObject()), argumentGPR0);
+
+    static_assert(std::is_same<decltype(operationConstructArityCheck), decltype(operationCallArityCheck)>::value);
+    setupArguments<decltype(operationCallArityCheck)>(argumentGPR0);
+    prepareCallOperation(vm);
+
+    MacroAssembler::Call arityCheckCall = call(OperationPtrTag);
+    Jump handleExceptionJump = emitNonPatchableExceptionCheck(vm);
+
+    if constexpr (maxFrameExtentForSlowPathCall)
+        addPtr(TrustedImm32(maxFrameExtentForSlowPathCall), stackPointerRegister);
+    Jump needFixup = branchTest32(NonZero, returnValueGPR);
+    noFixupNeeded.link(this);
+
+    // The normal prologue expects incoming codeBlockGPR.
+    load64(addressFor(CallFrameSlot::codeBlock), codeBlockGPR);
+
+#if CPU(X86_64)
+    pop(framePointerRegister);
+#elif CPU(ARM64)
+    popPair(framePointerRegister, linkRegister);
+#endif
+    untagReturnAddress();
+
+    JumpList normalPrologueJump;
+    normalPrologueJump.append(jump());
+
+    needFixup.link(this);
+
+    // Restore the stack for arity fixup, and preserve the return address.
+    // arityFixupGenerator will be shifting the stack. So, we can't use the stack to
+    // preserve the return address. We also can't use callee saved registers because
+    // they haven't been saved yet.
+    //
+    // arityFixupGenerator is carefully crafted to only use a0, a1, a2, t3, t4 and t5.
+    // So, the return address can be preserved in regT7.
+#if CPU(X86_64)
+    pop(argumentGPR2); // discard.
+    pop(regT7); // save return address.
+#elif CPU(ARM64)
+    popPair(framePointerRegister, linkRegister);
+    untagReturnAddress();
+    move(linkRegister, regT7);
+    auto randomReturnAddressTag = random();
+    move(TrustedImm32(randomReturnAddressTag), regT1);
+    tagPtr(regT1, regT7);
+#endif
+    move(returnValueGPR, GPRInfo::argumentGPR0);
+    Call arityFixupCall = nearCall();
+
+#if CPU(X86_64)
+    push(regT7); // restore return address.
+#elif CPU(ARM64)
+    move(TrustedImm32(randomReturnAddressTag), regT1);
+    untagPtr(regT1, regT7);
+    move(regT7, linkRegister);
+#endif
+
+    load64(addressFor(CallFrameSlot::codeBlock), codeBlockGPR);
+    normalPrologueJump.append(jump());
+
+    auto arityCheckOperation = isConstructor ? operationConstructArityCheck : operationCallArityCheck;
+    auto arityFixup = vm.getCTIStub(arityFixupGenerator);
+    auto normalPrologue = vm.getCTIStub(normalPrologueGenerator);
+    auto exceptionHandler = vm.getCTIStub(popThunkStackPreservesAndHandleExceptionGenerator);
+
+    LinkBuffer patchBuffer(*this, GLOBAL_THUNK_ID, LinkBuffer::Profile::ExtraCTIThunk);
+    patchBuffer.link(arityCheckCall, FunctionPtr<OperationPtrTag>(arityCheckOperation));
+    patchBuffer.link(arityFixupCall, FunctionPtr(arityFixup.retaggedCode<NoPtrTag>()));
+    patchBuffer.link(normalPrologueJump, CodeLocationLabel(normalPrologue.retaggedCode<NoPtrTag>()));
+    patchBuffer.link(handleExceptionJump, CodeLocationLabel(exceptionHandler.retaggedCode<NoPtrTag>()));
+    return FINALIZE_CODE(patchBuffer, JITThunkPtrTag, thunkName);
+}
+
+#define DEFINE_ARITY_PROGLOGUE_GENERATOR(doesProfiling, isConstructor, hasHugeFrame, name, arityFixupName) \
+MacroAssemblerCodeRef<JITThunkPtrTag> JIT::arityFixupName(VM& vm) \
+    { \
+        JIT jit(vm); \
+        return jit.arityFixupPrologueGenerator(vm, isConstructor, name, "Baseline: " #arityFixupName); \
+    }
+
+FOR_EACH_PROLOGUE_GENERATOR(DEFINE_ARITY_PROGLOGUE_GENERATOR)
+#undef DEFINE_ARITY_PROGLOGUE_GENERATOR
+
+#endif // ENABLE(EXTRA_CTI_THUNKS)
 
 void JIT::link()
@@ -1047 +1378 @@
 }
 
+#if !ENABLE(EXTRA_CTI_THUNKS)
 void JIT::privateCompileExceptionHandlers()
 {
-#if !ENABLE(EXTRA_CTI_THUNKS)
     if (!m_exceptionChecksWithCallFrameRollback.empty()) {
         m_exceptionChecksWithCallFrameRollback.link(this);
@@ -1074 +1405 @@
         jumpToExceptionHandler(vm());
     }
-#endif // ENABLE(EXTRA_CTI_THUNKS)
-}
+}
+#endif // !ENABLE(EXTRA_CTI_THUNKS)
 
 void JIT::doMainThreadPreparationBeforeCompile()