Changeset 283102 in webkit for trunk/Source/JavaScriptCore/jit/JIT.cpp

Timestamp:

Sep 27, 2021, 12:52:48 AM (4 years ago)

Author:

[email protected]

Message:

Build an unlinked baseline JIT
​https://bugs.webkit.org/show_bug.cgi?id=229223
<rdar://problem/82321772>

Reviewed by Yusuke Suzuki.

Source/JavaScriptCore:

This patch adds an "unlinked" baseline JIT to JSVALUE64 platforms. The JIT
code produced by this baseline JIT can be shared between all CodeBlocks that
share an UnlinkedCodeBlock. The benefit of this is, if we're creating a CodeBlock
from an UnlinkedCodeBlock that already compiled an unlinked baseline JIT
instance, this new CodeBlock just starts off executing in the baseline JIT
"for free".

To make this work, the code we emit now needs to be independent of a specific
CodeBlock instance. We use a CodeBlock instance for minimal profiling information
when compiling, but otherwise, the code is tied to the UnlinkedCodeBlock. When
we need CodeBlock specific information, we load it. This usually means things
like we'll load things from the Metadata dynamically. This patch also adds a
"linked constant pool" concept, and anytime we instantiate such a CodeBlock,
we also need to instantiate this "linked constant pool". This contains things
like our inline cache data structures (StructureStubInfo*), JSGlobalObject*,
etc.

Unlinked baseline JIT always runs ICs in the "data" mode. To make this work, I
made data ICs work on x86_64. To do this, we no longer call/ret to the IC.
Instead, we jump to the IC, and the IC jumps back by loading the "done" location
from the StructureStubInfo dynamically. This simplifies the design to not be
based on the arm64 calling convention, and keeps the same performance characteristics.

This patch also adds a new version of InlineAccess that is only used in baseline
JIT (for now). In the future, we can make the DFG/FTL also use this for Data
ICs. But we don't need to do that yet since those tiers don't use data ICs by
default. The baseline JIT now has a pure data IC approach to InlineAccess. So
instead of repatching code, we repatch fields we load dynamically.

This patch also cleans up a few things in OSR exit, where both DFG/FTL were
storing callee saves to the callee saves buffer in a weird place, and separate
from one another. I noticed this code can be simplified if we just store
callee saves at the end of the OSR exit handler, and from common JIT emission
code.

This patch also fixes a bug where we could end up with the wrong (and always
more negative) SP in the baseline JIT. This could happen when we OSR exit
from an inlined getter/setter. The OSR exit code puts the return PC when
returning to the call site of the getter/setter to be the inline cache's
"done location". However, this "done location" didn't used to restore SP.
This patch conservatively makes it so that we restore the SP at these sites.

This is measured as a 1% speedup on Speedometer2.

• CMakeLists.txt:
• JavaScriptCore.xcodeproj/project.pbxproj:
• Sources.txt:
• bytecode/AccessCase.cpp:

(JSC::AccessCase::fromStructureStubInfo):
(JSC::AccessCase::generateImpl):

• bytecode/BytecodeList.rb:
• bytecode/BytecodeOperandsForCheckpoint.h:

(JSC::valueProfileOffsetFor):

• bytecode/CallLinkInfo.cpp:

(JSC::CallLinkInfo::fastPathStart):
(JSC::CallLinkInfo::emitFastPathImpl):
(JSC::CallLinkInfo::emitFastPath):
(JSC::CallLinkInfo::emitTailCallFastPath):
(JSC::CallLinkInfo::emitDataICFastPath):
(JSC::CallLinkInfo::emitTailCallDataICFastPath):
(JSC::CallLinkInfo::emitDataICSlowPath):
(JSC::CallLinkInfo::initializeDataIC):
(JSC::CallLinkInfo::emitDirectFastPath):
(JSC::CallLinkInfo::emitDirectTailCallFastPath):

• bytecode/CallLinkInfo.h:

(JSC::CallLinkInfo::offsetOfMaxArgumentCountIncludingThis):
(JSC::CallLinkInfo::slowStub): Deleted.
(JSC::CallLinkInfo::addressOfMaxArgumentCountIncludingThis): Deleted.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::setupWithUnlinkedBaselineCode):
(JSC::CodeBlock::isConstantOwnedByUnlinkedCodeBlock const):
(JSC::CodeBlock::setConstantRegisters):
(JSC::CodeBlock::finalizeJITInlineCaches):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::frameRegisterCount):
(JSC::CodeBlock::binaryArithProfileForPC):
(JSC::CodeBlock::unaryArithProfileForPC):
(JSC::CodeBlock::findPC):
(JSC::CodeBlock::jitSoon):
(JSC::CodeBlock::jitNextInvocation):
(JSC::CodeBlock::dumpMathICStats):
(JSC::CodeBlock::finalizeBaselineJITInlineCaches): Deleted.
(JSC::CodeBlock::addJITAddIC): Deleted.
(JSC::CodeBlock::addJITMulIC): Deleted.
(JSC::CodeBlock::addJITSubIC): Deleted.
(JSC::CodeBlock::addJITNegIC): Deleted.
(JSC::CodeBlock::setPCToCodeOriginMap): Deleted.
(JSC::CodeBlock::thresholdForJIT): Deleted.
(JSC::CodeBlock::jitAfterWarmUp): Deleted.

• bytecode/CodeBlock.h:

(JSC::CodeBlock::JITData::offsetOfJITConstantPool):
(JSC::CodeBlock::offsetOfJITData):
(JSC::CodeBlock::offsetOfArgumentValueProfiles):
(JSC::CodeBlock::offsetOfConstantsVectorBuffer):
(JSC::CodeBlock::baselineJITConstantPool):
(JSC::CodeBlock::checkIfJITThresholdReached):
(JSC::CodeBlock::dontJITAnytimeSoon):
(JSC::CodeBlock::llintExecuteCounter const):
(JSC::CodeBlock::offsetOfDebuggerRequests):
(JSC::CodeBlock::offsetOfShouldAlwaysBeInlined):
(JSC::CodeBlock::loopHintsAreEligibleForFuzzingEarlyReturn):
(JSC::CodeBlock::addressOfNumParameters): Deleted.
(JSC::CodeBlock::isKnownCell): Deleted.
(JSC::CodeBlock::addMathIC): Deleted.
(JSC::CodeBlock::setJITCodeMap): Deleted.
(JSC::CodeBlock::jitCodeMap): Deleted.
(JSC::CodeBlock::switchJumpTable): Deleted.
(JSC::CodeBlock::stringSwitchJumpTable): Deleted.

• bytecode/CodeBlockInlines.h:

(JSC::CodeBlock::forEachValueProfile):
(JSC::CodeBlock::jitCodeMap):
(JSC::CodeBlock::baselineSwitchJumpTable):
(JSC::CodeBlock::baselineStringSwitchJumpTable):
(JSC::CodeBlock::dfgSwitchJumpTable):
(JSC::CodeBlock::dfgStringSwitchJumpTable):

• bytecode/ExecutableToCodeBlockEdge.h:
• bytecode/ExecutionCounter.cpp:

(JSC::ExecutionCounter<countingVariant>::setThreshold):

• bytecode/ExecutionCounter.h:

(JSC::ExecutionCounter::clippedThreshold):

• bytecode/GetByIdMetadata.h:

(JSC::GetByIdModeMetadataArrayLength::offsetOfArrayProfile):
(JSC::GetByIdModeMetadata::offsetOfMode):

• bytecode/GetByStatus.cpp:

(JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):

• bytecode/GetterSetterAccessCase.cpp:

(JSC::GetterSetterAccessCase::emitDOMJITGetter):

• bytecode/InByStatus.cpp:

(JSC::InByStatus::computeForStubInfoWithoutExitSiteFeedback):

• bytecode/InlineAccess.cpp:

(JSC::InlineAccess::generateSelfPropertyAccess):
(JSC::InlineAccess::canGenerateSelfPropertyReplace):
(JSC::InlineAccess::generateSelfPropertyReplace):
(JSC::InlineAccess::isCacheableArrayLength):
(JSC::InlineAccess::generateArrayLength):
(JSC::InlineAccess::isCacheableStringLength):
(JSC::InlineAccess::generateStringLength):
(JSC::InlineAccess::generateSelfInAccess):
(JSC::InlineAccess::rewireStubAsJumpInAccess):
(JSC::InlineAccess::resetStubAsJumpInAccess):

• bytecode/InlineAccess.h:
• bytecode/IterationModeMetadata.h:

(JSC::IterationModeMetadata::offsetOfSeenModes):

• bytecode/LLIntCallLinkInfo.h:

(JSC::LLIntCallLinkInfo::offsetOfArrayProfile):

• bytecode/Opcode.h:
• bytecode/PolymorphicAccess.cpp:

(JSC::AccessGenerationState::succeed):
(JSC::AccessGenerationState::calculateLiveRegistersForCallAndExceptionHandling):
(JSC::AccessGenerationState::preserveLiveRegistersToStackForCallWithoutExceptions):
(JSC::PolymorphicAccess::regenerate):

• bytecode/PolymorphicAccess.h:

(JSC::AccessGenerationState::preserveLiveRegistersToStackForCallWithoutExceptions): Deleted.

• bytecode/PutByStatus.cpp:

(JSC::PutByStatus::computeForStubInfo):

• bytecode/StructureStubInfo.cpp:

(JSC::StructureStubInfo::initGetByIdSelf):
(JSC::StructureStubInfo::initPutByIdReplace):
(JSC::StructureStubInfo::initInByIdSelf):
(JSC::StructureStubInfo::addAccessCase):
(JSC::StructureStubInfo::reset):
(JSC::StructureStubInfo::visitWeakReferences):
(JSC::StructureStubInfo::propagateTransitions):
(JSC::StructureStubInfo::initializeFromUnlinkedStructureStubInfo):

• bytecode/StructureStubInfo.h:

(JSC::StructureStubInfo::offsetOfByIdSelfOffset):
(JSC::StructureStubInfo::offsetOfInlineAccessBaseStructure):
(JSC::StructureStubInfo::inlineAccessBaseStructure):
(JSC::StructureStubInfo::offsetOfDoneLocation):

• bytecode/SuperSampler.cpp:

(JSC::printSuperSamplerState):

• bytecode/UnlinkedCodeBlock.cpp:

(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
(JSC::UnlinkedCodeBlock::hasIdentifier):
(JSC::UnlinkedCodeBlock::thresholdForJIT):
(JSC::UnlinkedCodeBlock::allocateSharedProfiles):

• bytecode/UnlinkedCodeBlock.h:

(JSC::UnlinkedCodeBlock::constantRegister):
(JSC::UnlinkedCodeBlock::instructionAt const):
(JSC::UnlinkedCodeBlock::bytecodeOffset):
(JSC::UnlinkedCodeBlock::instructionsSize const):
(JSC::UnlinkedCodeBlock::loopHintsAreEligibleForFuzzingEarlyReturn):
(JSC::UnlinkedCodeBlock::outOfLineJumpOffset):
(JSC::UnlinkedCodeBlock::binaryArithProfile):
(JSC::UnlinkedCodeBlock::unaryArithProfile):
(JSC::UnlinkedCodeBlock::llintExecuteCounter):

• bytecode/UnlinkedMetadataTable.h:

(JSC::UnlinkedMetadataTable::offsetInMetadataTable):

• bytecode/ValueProfile.h:

(JSC::ValueProfileBase::ValueProfileBase):
(JSC::ValueProfileBase::clearBuckets):
(JSC::ValueProfile::offsetOfFirstBucket):

• dfg/DFGCommonData.h:
• dfg/DFGJITCode.cpp:
• dfg/DFGJITCode.h:
• dfg/DFGJITCompiler.cpp:

(JSC::DFG::JITCompiler::link):

• dfg/DFGOSREntry.cpp:

(JSC::DFG::prepareOSREntry):

• dfg/DFGOSRExit.cpp:

(JSC::DFG::OSRExit::compileExit):

• dfg/DFGOSRExitCompilerCommon.cpp:

(JSC::DFG::handleExitCounts):
(JSC::DFG::callerReturnPC):
(JSC::DFG::reifyInlinedCallFrames):
(JSC::DFG::adjustAndJumpToTarget):

• dfg/DFGOperations.cpp:

(JSC::DFG::JSC_DEFINE_JIT_OPERATION):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compilePutPrivateName):
(JSC::DFG::SpeculativeJIT::compileValueAdd):
(JSC::DFG::SpeculativeJIT::compileValueSub):
(JSC::DFG::SpeculativeJIT::compileValueNegate):
(JSC::DFG::SpeculativeJIT::compileValueMul):
(JSC::DFG::SpeculativeJIT::compileLogShadowChickenTail):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::emitCall):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::emitCall):

• ftl/FTLCompile.cpp:

(JSC::FTL::compile):

• ftl/FTLJITCode.h:
• ftl/FTLLink.cpp:

(JSC::FTL::link):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::addMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compilePutPrivateName):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

• ftl/FTLOSRExitCompiler.cpp:

(JSC::FTL::compileStub):

• generator/Metadata.rb:
• jit/AssemblyHelpers.cpp:

(JSC::AssemblyHelpers::storeProperty):
(JSC::AssemblyHelpers::emitVirtualCall):
(JSC::AssemblyHelpers::emitVirtualCallWithoutMovingGlobalObject):

• jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer):

• jit/BaselineJITCode.cpp: Added.

(JSC::MathICHolder::addJITAddIC):
(JSC::MathICHolder::addJITMulIC):
(JSC::MathICHolder::addJITSubIC):
(JSC::MathICHolder::addJITNegIC):
(JSC::MathICHolder::adoptMathICs):
(JSC::BaselineJITCode::BaselineJITCode):
(JSC::BaselineJITCode::~BaselineJITCode):

• jit/BaselineJITCode.h: Added.

(JSC::JITConstantPool::add):
(JSC::JITConstantPool::size const):
(JSC::JITConstantPool::at const):

• jit/BaselineJITPlan.cpp:

(JSC::BaselineJITPlan::finalize):

• jit/CCallHelpers.cpp:

(JSC::CCallHelpers::logShadowChickenTailPacketImpl):
(JSC::CCallHelpers::logShadowChickenTailPacket):

• jit/CCallHelpers.h:
• jit/CallFrameShuffleData.cpp:

(JSC::CallFrameShuffleData::setupCalleeSaveRegisters):

• jit/CallFrameShuffleData.h:
• jit/CallFrameShuffler.cpp:

(JSC::CallFrameShuffler::CallFrameShuffler):
(JSC::CallFrameShuffler::prepareForTailCall):

• jit/CallFrameShuffler.h:

(JSC::CallFrameShuffler::snapshot const):

• jit/JIT.cpp:

(JSC::JIT::JIT):
(JSC::JIT::emitEnterOptimizationCheck):
(JSC::JIT::emitNotifyWriteWatchpoint):
(JSC::JIT::emitVarReadOnlyCheck):
(JSC::JIT::assertStackPointerOffset):
(JSC::JIT::resetSP):
(JSC::JIT::emitPutCodeBlockToFrameInPrologue):
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
(JSC::JIT::emitMaterializeMetadataAndConstantPoolRegisters):
(JSC::JIT::emitRestoreCalleeSaves):
(JSC::JIT::compileAndLinkWithoutFinalizing):
(JSC::JIT::link):
(JSC::JIT::finalizeOnMainThread):
(JSC::JIT::privateCompile):
(JSC::JIT::frameRegisterCountFor):
(JSC::JIT::stackPointerOffsetFor):

• jit/JIT.h:
• jit/JITArithmetic.cpp:

(JSC::JIT::emit_compareAndJumpSlowImpl):
(JSC::JIT::emit_compareAndJumpSlow):
(JSC::JIT::emit_op_negate):
(JSC::JIT::emit_op_add):
(JSC::JIT::emitMathICFast):
(JSC::JIT::emitMathICSlow):
(JSC::JIT::emit_op_div):
(JSC::JIT::emit_op_mul):
(JSC::JIT::emit_op_sub):

• jit/JITCall.cpp:

(JSC::JIT::emitPutCallResult):
(JSC::JIT::compileSetupFrame):
(JSC::JIT::compileCallEval):
(JSC::JIT::compileCallEvalSlowCase):
(JSC::JIT::compileTailCall):
(JSC::JIT::compileOpCall):
(JSC::JIT::compileOpCallSlowCase):
(JSC::JIT::emit_op_iterator_open):
(JSC::JIT::emitSlow_op_iterator_open):
(JSC::JIT::emit_op_iterator_next):
(JSC::JIT::emitSlow_op_iterator_next):

• jit/JITCall32_64.cpp:

(JSC::JIT::emitPutCallResult):
(JSC::JIT::compileSetupFrame):
(JSC::JIT::compileCallEval):
(JSC::JIT::compileCallEvalSlowCase):
(JSC::JIT::compileOpCall):
(JSC::JIT::compileOpCallSlowCase):
(JSC::JIT::emit_op_iterator_open):
(JSC::JIT::emitSlow_op_iterator_open):
(JSC::JIT::emit_op_iterator_next):
(JSC::JIT::emitSlow_op_iterator_next):

• jit/JITCode.h:

(JSC::JITCode::useDataIC):
(JSC::JITCode::pcToCodeOriginMap):

• jit/JITCompilationKey.cpp:

(JSC::JITCompilationKey::dump const):

• jit/JITCompilationKey.h:

(JSC::JITCompilationKey::JITCompilationKey):
(JSC::JITCompilationKey::operator! const):
(JSC::JITCompilationKey::isHashTableDeletedValue const):
(JSC::JITCompilationKey::operator== const):
(JSC::JITCompilationKey::hash const):
(JSC::JITCompilationKey::profiledBlock const): Deleted.

• jit/JITInlineCacheGenerator.cpp:

(JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
(JSC::JITInlineCacheGenerator::finalize):
(JSC::JITInlineCacheGenerator::generateBaselineDataICFastPath):
(JSC::JITGetByIdGenerator::JITGetByIdGenerator):
(JSC::generateGetByIdInlineAccess):
(JSC::JITGetByIdGenerator::generateBaselineDataICFastPath):
(JSC::JITGetByIdWithThisGenerator::generateBaselineDataICFastPath):
(JSC::JITPutByIdGenerator::generateBaselineDataICFastPath):
(JSC::JITDelByValGenerator::generateFastPath):
(JSC::JITDelByIdGenerator::generateFastPath):
(JSC::JITInByValGenerator::generateFastPath):
(JSC::JITInByIdGenerator::generateBaselineDataICFastPath):
(JSC::JITInstanceOfGenerator::generateFastPath):
(JSC::JITGetByValGenerator::generateFastPath):
(JSC::JITPutByValGenerator::generateFastPath):
(JSC::JITPrivateBrandAccessGenerator::generateFastPath):

• jit/JITInlineCacheGenerator.h:
• jit/JITInlines.h:

(JSC::JIT::isOperandConstantDouble):
(JSC::JIT::isOperandConstantInt):
(JSC::JIT::isKnownCell):
(JSC::JIT::getConstantOperand):
(JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
(JSC::JIT::linkSlowCaseIfNotJSCell):
(JSC::JIT::advanceToNextCheckpoint):
(JSC::JIT::emitJumpSlowToHotForCheckpoint):
(JSC::JIT::isOperandConstantChar):
(JSC::JIT::emitValueProfilingSite):
(JSC::JIT::emitValueProfilingSiteIfProfiledOpcode):
(JSC::JIT::emitArrayProfilingSiteWithCell):
(JSC::JIT::emitLoadDouble):
(JSC::JIT::emitJumpSlowCaseIfNotJSCell):
(JSC::JIT::emitGetVirtualRegister):
(JSC::JIT::jumpTarget):
(JSC::JIT::loadPtrFromMetadata):
(JSC::JIT::load32FromMetadata):
(JSC::JIT::load8FromMetadata):
(JSC::JIT::store8ToMetadata):
(JSC::JIT::store32ToMetadata):
(JSC::JIT::materializePointerIntoMetadata):
(JSC::JIT::loadConstant):
(JSC::JIT::loadGlobalObject):
(JSC::JIT::loadCodeBlockConstant):
(JSC::JIT::copiedGetPutInfo): Deleted.
(JSC::JIT::copiedArithProfile): Deleted.

• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_mov):
(JSC::JIT::emit_op_new_object):
(JSC::JIT::emitSlow_op_new_object):
(JSC::JIT::emit_op_overrides_has_instance):
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emitSlow_op_instanceof):
(JSC::JIT::emit_op_typeof_is_undefined):
(JSC::JIT::op_ret_handlerGenerator):
(JSC::JIT::emit_op_to_primitive):
(JSC::JIT::emit_op_set_function_name):
(JSC::JIT::emit_op_jfalse):
(JSC::JIT::valueIsFalseyGenerator):
(JSC::JIT::emit_op_jeq_null):
(JSC::JIT::emit_op_jneq_null):
(JSC::JIT::emit_op_jeq_ptr):
(JSC::JIT::emit_op_jneq_ptr):
(JSC::JIT::emit_op_jtrue):
(JSC::JIT::valueIsTruthyGenerator):
(JSC::JIT::emit_op_throw):
(JSC::JIT::op_throw_handlerGenerator):
(JSC::JIT::emitSlow_op_jstricteq):
(JSC::JIT::emitSlow_op_jnstricteq):
(JSC::JIT::emit_op_to_number):
(JSC::JIT::emit_op_to_numeric):
(JSC::JIT::emit_op_to_object):
(JSC::JIT::emit_op_catch):
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
(JSC::JIT::emit_op_switch_string):
(JSC::JIT::emit_op_debug):
(JSC::JIT::emit_op_eq_null):
(JSC::JIT::emit_op_neq_null):
(JSC::JIT::emit_op_enter):
(JSC::JIT::op_enter_handlerGenerator):
(JSC::JIT::emit_op_to_this):
(JSC::JIT::emit_op_create_this):
(JSC::JIT::emitSlow_op_eq):
(JSC::JIT::emitSlow_op_neq):
(JSC::JIT::emitSlow_op_jeq):
(JSC::JIT::emitSlow_op_jneq):
(JSC::JIT::emitSlow_op_instanceof_custom):
(JSC::JIT::emit_op_loop_hint):
(JSC::JIT::emitSlow_op_check_traps):
(JSC::JIT::op_check_traps_handlerGenerator):
(JSC::JIT::emit_op_new_regexp):
(JSC::JIT::emitNewFuncCommon):
(JSC::JIT::emitNewFuncExprCommon):
(JSC::JIT::emit_op_new_array):
(JSC::JIT::emit_op_new_array_with_size):
(JSC::JIT::emit_op_profile_type):
(JSC::JIT::emit_op_log_shadow_chicken_tail):
(JSC::JIT::emit_op_profile_control_flow):
(JSC::JIT::emit_op_get_argument):
(JSC::JIT::emit_op_get_prototype_of):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_new_object):
(JSC::JIT::emitSlow_op_new_object):
(JSC::JIT::emit_op_overrides_has_instance):
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emitSlow_op_instanceof):
(JSC::JIT::emitSlow_op_instanceof_custom):
(JSC::JIT::emit_op_typeof_is_undefined):
(JSC::JIT::emit_op_set_function_name):
(JSC::JIT::emit_op_jfalse):
(JSC::JIT::emit_op_jtrue):
(JSC::JIT::emit_op_jeq_null):
(JSC::JIT::emit_op_jneq_null):
(JSC::JIT::emit_op_jneq_ptr):
(JSC::JIT::emitSlow_op_eq):
(JSC::JIT::compileOpEqJumpSlow):
(JSC::JIT::emitSlow_op_neq):
(JSC::JIT::emitSlow_op_jstricteq):
(JSC::JIT::emitSlow_op_jnstricteq):
(JSC::JIT::emit_op_eq_null):
(JSC::JIT::emit_op_neq_null):
(JSC::JIT::emit_op_throw):
(JSC::JIT::emit_op_to_number):
(JSC::JIT::emit_op_to_numeric):
(JSC::JIT::emit_op_to_object):
(JSC::JIT::emit_op_catch):
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
(JSC::JIT::emit_op_switch_string):
(JSC::JIT::emit_op_enter):
(JSC::JIT::emit_op_create_this):
(JSC::JIT::emit_op_to_this):
(JSC::JIT::emit_op_profile_type):
(JSC::JIT::emit_op_log_shadow_chicken_tail):

• jit/JITOperations.cpp:

(JSC::JSC_DEFINE_JIT_OPERATION):

• jit/JITOperations.h:
• jit/JITPlan.cpp:

(JSC::JITPlan::key):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::generateGetByValSlowCase):
(JSC::JIT::slow_op_get_by_val_prepareCallGenerator):
(JSC::JIT::emit_op_get_private_name):
(JSC::JIT::emitSlow_op_get_private_name):
(JSC::JIT::slow_op_get_private_name_prepareCallGenerator):
(JSC::JIT::emit_op_set_private_brand):
(JSC::JIT::emitSlow_op_set_private_brand):
(JSC::JIT::emit_op_check_private_brand):
(JSC::JIT::emitSlow_op_check_private_brand):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::slow_op_put_by_val_prepareCallGenerator):
(JSC::JIT::emit_op_put_private_name):
(JSC::JIT::emitSlow_op_put_private_name):
(JSC::JIT::slow_op_put_private_name_prepareCallGenerator):
(JSC::JIT::emit_op_put_getter_by_id):
(JSC::JIT::emit_op_put_setter_by_id):
(JSC::JIT::emit_op_put_getter_setter_by_id):
(JSC::JIT::emit_op_put_getter_by_val):
(JSC::JIT::emit_op_put_setter_by_val):
(JSC::JIT::emit_op_del_by_id):
(JSC::JIT::emitSlow_op_del_by_id):
(JSC::JIT::slow_op_del_by_id_prepareCallGenerator):
(JSC::JIT::emit_op_del_by_val):
(JSC::JIT::emitSlow_op_del_by_val):
(JSC::JIT::slow_op_del_by_val_prepareCallGenerator):
(JSC::JIT::emit_op_try_get_by_id):
(JSC::JIT::emitSlow_op_try_get_by_id):
(JSC::JIT::emit_op_get_by_id_direct):
(JSC::JIT::emitSlow_op_get_by_id_direct):
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emit_op_get_by_id_with_this):
(JSC::JIT::slow_op_get_by_id_prepareCallGenerator):
(JSC::JIT::emitSlow_op_get_by_id_with_this):
(JSC::JIT::slow_op_get_by_id_with_this_prepareCallGenerator):
(JSC::JIT::emit_op_put_by_id):
(JSC::JIT::emitSlow_op_put_by_id):
(JSC::JIT::slow_op_put_by_id_prepareCallGenerator):
(JSC::JIT::emit_op_in_by_id):
(JSC::JIT::emitSlow_op_in_by_id):
(JSC::JIT::emit_op_in_by_val):
(JSC::JIT::emitSlow_op_in_by_val):
(JSC::JIT::emitHasPrivate):
(JSC::JIT::emitHasPrivateSlow):
(JSC::JIT::emitSlow_op_has_private_name):
(JSC::JIT::emitSlow_op_has_private_brand):
(JSC::JIT::emitVarInjectionCheck):
(JSC::JIT::emitResolveClosure):
(JSC::JIT::emit_op_resolve_scope):
(JSC::JIT::generateOpResolveScopeThunk):
(JSC::JIT::slow_op_resolve_scopeGenerator):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emitSlow_op_get_from_scope):
(JSC::JIT::generateOpGetFromScopeThunk):
(JSC::JIT::slow_op_get_from_scopeGenerator):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitSlow_op_put_to_scope):
(JSC::JIT::slow_op_put_to_scopeGenerator):
(JSC::JIT::emit_op_get_from_arguments):
(JSC::JIT::emit_op_get_internal_field):
(JSC::JIT::emit_op_enumerator_next):
(JSC::JIT::emit_op_enumerator_get_by_val):
(JSC::JIT::emit_enumerator_has_propertyImpl):
(JSC::JIT::emitWriteBarrier):
(JSC::JIT::emitPutGlobalVariable): Deleted.
(JSC::JIT::emitPutGlobalVariableIndirect): Deleted.
(JSC::JIT::emitPutClosureVar): Deleted.

• jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::emit_op_put_getter_by_id):
(JSC::JIT::emit_op_put_setter_by_id):
(JSC::JIT::emit_op_put_getter_setter_by_id):
(JSC::JIT::emit_op_put_getter_by_val):
(JSC::JIT::emit_op_put_setter_by_val):
(JSC::JIT::emit_op_del_by_id):
(JSC::JIT::emit_op_del_by_val):
(JSC::JIT::emitSlow_op_del_by_val):
(JSC::JIT::emitSlow_op_del_by_id):
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emit_op_get_private_name):
(JSC::JIT::emitSlow_op_get_private_name):
(JSC::JIT::emit_op_put_private_name):
(JSC::JIT::emitSlow_op_put_private_name):
(JSC::JIT::emit_op_set_private_brand):
(JSC::JIT::emitSlow_op_set_private_brand):
(JSC::JIT::emit_op_check_private_brand):
(JSC::JIT::emitSlow_op_check_private_brand):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::emit_op_try_get_by_id):
(JSC::JIT::emitSlow_op_try_get_by_id):
(JSC::JIT::emit_op_get_by_id_direct):
(JSC::JIT::emitSlow_op_get_by_id_direct):
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emit_op_get_by_id_with_this):
(JSC::JIT::emitSlow_op_get_by_id_with_this):
(JSC::JIT::emit_op_put_by_id):
(JSC::JIT::emitSlow_op_put_by_id):
(JSC::JIT::emit_op_in_by_id):
(JSC::JIT::emitSlow_op_in_by_id):
(JSC::JIT::emit_op_in_by_val):
(JSC::JIT::emitSlow_op_in_by_val):
(JSC::JIT::emitHasPrivate):
(JSC::JIT::emitHasPrivateSlow):
(JSC::JIT::emitVarInjectionCheck):
(JSC::JIT::emit_op_resolve_scope):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emitSlow_op_get_from_scope):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitSlow_op_put_to_scope):
(JSC::JIT::emit_op_get_from_arguments):
(JSC::JIT::emit_op_get_internal_field):

• jit/Repatch.cpp:

(JSC::tryCacheGetBy):
(JSC::tryCachePutBy):
(JSC::tryCacheInBy):
(JSC::unlinkCall):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::jitCompileAndSetHeuristics):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/CacheableIdentifier.h:
• runtime/CacheableIdentifierInlines.h:

(JSC::CacheableIdentifier::createFromIdentifierOwnedByCodeBlock):

• runtime/CachedTypes.cpp:

(JSC::CachedCodeBlock::numBinaryArithProfiles const):
(JSC::CachedCodeBlock::numUnaryArithProfiles const):
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
(JSC::CachedCodeBlock<CodeBlockType>::encode):

• runtime/CommonSlowPaths.cpp:

(JSC::updateArithProfileForUnaryArithOp):

• runtime/FunctionExecutable.h:
• runtime/Options.cpp:

(JSC::Options::recomputeDependentOptions):

• runtime/OptionsList.h:
• runtime/ScriptExecutable.cpp:

(JSC::ScriptExecutable::prepareForExecutionImpl):

• wasm/WasmLLIntTierUpCounter.h:

(JSC::Wasm::LLIntTierUpCounter::optimizeAfterWarmUp):
(JSC::Wasm::LLIntTierUpCounter::optimizeSoon):

• wasm/WasmTierUpCount.cpp:

(JSC::Wasm::TierUpCount::TierUpCount):

• wasm/WasmTierUpCount.h:

(JSC::Wasm::TierUpCount::optimizeAfterWarmUp):
(JSC::Wasm::TierUpCount::optimizeNextInvocation):
(JSC::Wasm::TierUpCount::optimizeSoon):

Source/WTF:

• wtf/Bag.h:
• wtf/Packed.h:

(WTF::PackedAlignedPtr::operator* const):

Tools:

• Scripts/run-jsc-stress-tests:

File:

• trunk/Source/JavaScriptCore/jit/JIT.cpp (modified) (27 diffs)

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -70 +70 @@
 
 JIT::JIT(VM& vm, CodeBlock* codeBlock, BytecodeIndex loopOSREntryBytecodeIndex)
-    : JSInterfaceJIT(&vm, codeBlock)
+    : JSInterfaceJIT(&vm, nullptr)
     , m_interpreter(vm.interpreter)
     , m_labels(codeBlock ? codeBlock->instructions().size() : 0)
@@ -78 +78 @@
     , m_loopOSREntryBytecodeIndex(loopOSREntryBytecodeIndex)
 {
+    m_globalObjectConstant = m_constantPool.add(JITConstantPool::Type::GlobalObject);
+    m_profiledCodeBlock = codeBlock;
+    m_unlinkedCodeBlock = codeBlock->unlinkedCodeBlock();
 }
 
@@ -91 +94 @@
 
     JumpList skipOptimize;
-    
-    skipOptimize.append(branchAdd32(Signed, TrustedImm32(Options::executionCounterIncrementForEntry()), AbsoluteAddress(m_codeBlock->addressOfJITExecuteCounter())));
+    loadPtr(addressFor(CallFrameSlot::codeBlock), regT0);
+    skipOptimize.append(branchAdd32(Signed, TrustedImm32(Options::executionCounterIncrementForEntry()), Address(regT0, CodeBlock::offsetOfJITExecuteCounter())));
     ASSERT(!m_bytecodeIndex.offset());
 
@@ -114 +117 @@
 }
 
-void JIT::emitNotifyWrite(GPRReg pointerToSet)
-{
+void JIT::emitNotifyWriteWatchpoint(GPRReg pointerToSet)
+{
+    auto ok = branchTestPtr(Zero, pointerToSet);
     addSlowCase(branch8(NotEqual, Address(pointerToSet, WatchpointSet::offsetOfState()), TrustedImm32(IsInvalidated)));
-}
-
-void JIT::emitVarReadOnlyCheck(ResolveType resolveType)
-{
-    if (resolveType == GlobalVar || resolveType == GlobalVarWithVarInjectionChecks)
-        addSlowCase(branch8(Equal, AbsoluteAddress(m_codeBlock->globalObject()->varReadOnlyWatchpoint()->addressOfState()), TrustedImm32(IsInvalidated)));
+    ok.link(this);
+}
+
+void JIT::emitVarReadOnlyCheck(ResolveType resolveType, GPRReg scratchGPR)
+{
+    if (resolveType == GlobalVar || resolveType == GlobalVarWithVarInjectionChecks) {
+        loadGlobalObject(scratchGPR);
+        loadPtr(Address(scratchGPR, OBJECT_OFFSETOF(JSGlobalObject, m_varReadOnlyWatchpoint)), scratchGPR);
+        addSlowCase(branch8(Equal, Address(scratchGPR, WatchpointSet::offsetOfState()), TrustedImm32(IsInvalidated)));
+    }
 }
 
@@ -130 +138 @@
         return;
     
-    addPtr(TrustedImm32(stackPointerOffsetFor(m_codeBlock) * sizeof(Register)), callFrameRegister, regT0);
+    addPtr(TrustedImm32(stackPointerOffsetFor(m_unlinkedCodeBlock) * sizeof(Register)), callFrameRegister, regT0);
     Jump ok = branchPtr(Equal, regT0, stackPointerRegister);
     breakpoint();
     ok.link(this);
+}
+
+void JIT::resetSP()
+{
+    addPtr(TrustedImm32(stackPointerOffsetFor(m_unlinkedCodeBlock) * sizeof(Register)), callFrameRegister, stackPointerRegister);
+    checkStackPointerAlignment();
 }
 
@@ -182 +196 @@
 }
 
+void JIT::emitPutCodeBlockToFrameInPrologue(GPRReg result)
+{
+    RELEASE_ASSERT(m_unlinkedCodeBlock->codeType() == FunctionCode);
+    emitGetFromCallFrameHeaderPtr(CallFrameSlot::callee, result);
+    loadPtr(Address(result, JSFunction::offsetOfExecutableOrRareData()), result);
+    auto hasExecutable = branchTestPtr(Zero, result, CCallHelpers::TrustedImm32(JSFunction::rareDataTag));
+    loadPtr(Address(result, FunctionRareData::offsetOfExecutable() - JSFunction::rareDataTag), result);
+    hasExecutable.link(this);
+    if (m_unlinkedCodeBlock->isConstructor())
+        loadPtr(Address(result, FunctionExecutable::offsetOfCodeBlockForConstruct()), result);
+    else
+        loadPtr(Address(result, FunctionExecutable::offsetOfCodeBlockForCall()), result);
+
+    loadPtr(Address(result, ExecutableToCodeBlockEdge::offsetOfCodeBlock()), result);
+    emitPutToCallFrameHeader(result, CallFrameSlot::codeBlock);
+
+#if ASSERT_ENABLED
+    probeDebug([=] (Probe::Context& ctx) {
+        CodeBlock* codeBlock = ctx.fp<CallFrame*>()->codeBlock();
+        RELEASE_ASSERT(codeBlock->jitType() == JITType::BaselineJIT);
+    });
+#endif
+}
+
 void JIT::privateCompileMainPass()
 {
     if (JITInternal::verbose)
-        dataLog("Compiling ", *m_codeBlock, "\n");
+        dataLog("Compiling ", *m_profiledCodeBlock, "\n");
     
     jitAssertTagsInPlace();
     jitAssertArgumentCountSane();
     
-    auto& instructions = m_codeBlock->instructions();
-    unsigned instructionCount = m_codeBlock->instructions().size();
+    auto& instructions = m_unlinkedCodeBlock->instructions();
+    unsigned instructionCount = m_unlinkedCodeBlock->instructions().size();
 
     m_callLinkInfoIndex = 0;
 
-    VM& vm = m_codeBlock->vm();
     BytecodeIndex startBytecodeIndex(0);
-    if (m_loopOSREntryBytecodeIndex && (m_codeBlock->inherits<ProgramCodeBlock>(vm) || m_codeBlock->inherits<ModuleProgramCodeBlock>(vm))) {
-        // We can only do this optimization because we execute ProgramCodeBlock's exactly once.
-        // This optimization would be invalid otherwise. When the LLInt determines it wants to
-        // do OSR entry into the baseline JIT in a loop, it will pass in the bytecode offset it
-        // was executing at when it kicked off our compilation. We only need to compile code for
-        // anything reachable from that bytecode offset.
-
-        // We only bother building the bytecode graph if it could save time and executable
-        // memory. We pick an arbitrary offset where we deem this is profitable.
-        if (m_loopOSREntryBytecodeIndex.offset() >= 200) {
-            // As a simplification, we don't find all bytecode ranges that are unreachable.
-            // Instead, we just find the minimum bytecode offset that is reachable, and
-            // compile code from that bytecode offset onwards.
-
-            BytecodeGraph graph(m_codeBlock, m_codeBlock->instructions());
-            BytecodeBasicBlock* block = graph.findBasicBlockForBytecodeOffset(m_loopOSREntryBytecodeIndex.offset());
-            RELEASE_ASSERT(block);
-
-            GraphNodeWorklist<BytecodeBasicBlock*> worklist;
-            startBytecodeIndex = BytecodeIndex();
-            worklist.push(block);
-
-            while (BytecodeBasicBlock* block = worklist.pop()) {
-                startBytecodeIndex = BytecodeIndex(std::min(startBytecodeIndex.offset(), block->leaderOffset()));
-                for (unsigned successorIndex : block->successors())
-                    worklist.push(&graph[successorIndex]);
-
-                // Also add catch blocks for bytecodes that throw.
-                if (m_codeBlock->numberOfExceptionHandlers()) {
-                    for (unsigned bytecodeOffset = block->leaderOffset(); bytecodeOffset < block->leaderOffset() + block->totalLength();) {
-                        auto instruction = instructions.at(bytecodeOffset);
-                        if (auto* handler = m_codeBlock->handlerForBytecodeIndex(BytecodeIndex(bytecodeOffset)))
-                            worklist.push(graph.findBasicBlockWithLeaderOffset(handler->target));
-
-                        bytecodeOffset += instruction->size();
-                    }
-                }
-            }
-        }
-    }
 
     m_bytecodeCountHavingSlowCase = 0;
@@ -279 +276 @@
         unsigned bytecodeOffset = m_bytecodeIndex.offset();
         if (UNLIKELY(Options::traceBaselineJITExecution())) {
-            CodeBlock* codeBlock = m_codeBlock;
             probeDebug([=] (Probe::Context& ctx) {
+                CodeBlock* codeBlock = ctx.fp<CallFrame*>()->codeBlock();
                 dataLogLn("JIT [", bytecodeOffset, "] ", opcodeNames[opcodeID], " cfr ", RawPointer(ctx.fp()), " @ ", codeBlock);
             });
         }
+
+        if (opcodeID != op_catch)
+            assertStackPointerOffset();
 
         switch (opcodeID) {
@@ -529 +529 @@
         BytecodeIndex firstTo = m_bytecodeIndex;
 
-        const Instruction* currentInstruction = m_codeBlock->instructions().at(m_bytecodeIndex).ptr();
+        const Instruction* currentInstruction = m_unlinkedCodeBlock->instructions().at(m_bytecodeIndex).ptr();
         
         if (JITInternal::verbose)
@@ -547 +547 @@
         if (UNLIKELY(Options::traceBaselineJITExecution())) {
             unsigned bytecodeOffset = m_bytecodeIndex.offset();
-            CodeBlock* codeBlock = m_codeBlock;
             probeDebug([=] (Probe::Context& ctx) {
+                CodeBlock* codeBlock = ctx.fp<CallFrame*>()->codeBlock();
                 dataLogLn("JIT [", bytecodeOffset, "] SLOW ", opcodeNames[opcodeID], " cfr ", RawPointer(ctx.fp()), " @ ", codeBlock);
             });
@@ -676 +676 @@
 }
 
+void JIT::emitMaterializeMetadataAndConstantPoolRegisters()
+{
+    loadPtr(addressFor(CallFrameSlot::codeBlock), regT0);
+    loadPtr(Address(regT0, CodeBlock::offsetOfMetadataTable()), s_metadataGPR);
+    loadPtr(Address(regT0, CodeBlock::offsetOfJITData()), regT0);
+    loadPtr(Address(regT0, CodeBlock::JITData::offsetOfJITConstantPool()), s_constantsGPR);
+}
+
+void JIT::emitRestoreCalleeSaves()
+{
+    Base::emitRestoreCalleeSavesFor(&RegisterAtOffsetList::llintBaselineCalleeSaveRegisters());
+}
+
 void JIT::compileAndLinkWithoutFinalizing(JITCompilationEffort effort)
 {
-    DFG::CapabilityLevel level = m_codeBlock->capabilityLevel();
+    DFG::CapabilityLevel level = m_profiledCodeBlock->capabilityLevel();
     switch (level) {
     case DFG::CannotCompile:
         m_canBeOptimized = false;
-        m_canBeOptimizedOrInlined = false;
         m_shouldEmitProfiling = false;
         break;
@@ -688 +700 @@
     case DFG::CanCompileAndInline:
         m_canBeOptimized = true;
-        m_canBeOptimizedOrInlined = true;
         m_shouldEmitProfiling = true;
         break;
@@ -695 +706 @@
         break;
     }
-    
-    switch (m_codeBlock->codeType()) {
-    case GlobalCode:
-    case ModuleCode:
-    case EvalCode:
-        m_codeBlock->m_shouldAlwaysBeInlined = false;
-        break;
-    case FunctionCode:
-        // We could have already set it to false because we detected an uninlineable call.
-        // Don't override that observation.
-        m_codeBlock->m_shouldAlwaysBeInlined &= canInline(level) && DFG::mightInlineFunction(m_codeBlock);
-        break;
-    }
-
-    if (m_codeBlock->numberOfUnlinkedSwitchJumpTables() || m_codeBlock->numberOfUnlinkedStringSwitchJumpTables()) {
-        ConcurrentJSLocker locker(m_codeBlock->m_lock);
-        if (m_codeBlock->numberOfUnlinkedSwitchJumpTables())
-            m_codeBlock->ensureJITData(locker).m_switchJumpTables = FixedVector<SimpleJumpTable>(m_codeBlock->numberOfUnlinkedSwitchJumpTables());
-        if (m_codeBlock->numberOfUnlinkedStringSwitchJumpTables())
-            m_codeBlock->ensureJITData(locker).m_stringSwitchJumpTables = FixedVector<StringJumpTable>(m_codeBlock->numberOfUnlinkedStringSwitchJumpTables());
-    }
-
-    if (UNLIKELY(Options::dumpDisassembly() || (m_vm->m_perBytecodeProfiler && Options::disassembleBaselineForProfiler())))
-        m_disassembler = makeUnique<JITDisassembler>(m_codeBlock);
+
+    if (m_unlinkedCodeBlock->numberOfUnlinkedSwitchJumpTables() || m_unlinkedCodeBlock->numberOfUnlinkedStringSwitchJumpTables()) {
+        if (m_unlinkedCodeBlock->numberOfUnlinkedSwitchJumpTables())
+            m_switchJumpTables = FixedVector<SimpleJumpTable>(m_unlinkedCodeBlock->numberOfUnlinkedSwitchJumpTables());
+        if (m_unlinkedCodeBlock->numberOfUnlinkedStringSwitchJumpTables())
+            m_stringSwitchJumpTables = FixedVector<StringJumpTable>(m_unlinkedCodeBlock->numberOfUnlinkedStringSwitchJumpTables());
+    }
+
+    if (UNLIKELY(Options::dumpDisassembly() || (m_vm->m_perBytecodeProfiler && Options::disassembleBaselineForProfiler()))) {
+        // FIXME: build a disassembler off of UnlinkedCodeBlock.
+        m_disassembler = makeUnique<JITDisassembler>(m_profiledCodeBlock);
+    }
     if (UNLIKELY(m_vm->m_perBytecodeProfiler)) {
+        // FIXME: build profiler disassembler off UnlinkedCodeBlock.
         m_compilation = adoptRef(
             new Profiler::Compilation(
-                m_vm->m_perBytecodeProfiler->ensureBytecodesFor(m_codeBlock),
+                m_vm->m_perBytecodeProfiler->ensureBytecodesFor(m_profiledCodeBlock),
                 Profiler::Baseline));
-        m_compilation->addProfiledBytecodes(*m_vm->m_perBytecodeProfiler, m_codeBlock);
+        m_compilation->addProfiledBytecodes(*m_vm->m_perBytecodeProfiler, m_profiledCodeBlock);
     }
     
@@ -744 +744 @@
 
     emitFunctionPrologue();
-    emitPutToCallFrameHeader(m_codeBlock, CallFrameSlot::codeBlock);
+    if (m_unlinkedCodeBlock->codeType() == FunctionCode)
+        emitPutCodeBlockToFrameInPrologue();
 
     Label beginLabel(this);
 
-    int frameTopOffset = stackPointerOffsetFor(m_codeBlock) * sizeof(Register);
+    int frameTopOffset = stackPointerOffsetFor(m_unlinkedCodeBlock) * sizeof(Register);
     unsigned maxFrameSize = -frameTopOffset;
     addPtr(TrustedImm32(frameTopOffset), callFrameRegister, regT1);
@@ -759 +760 @@
     checkStackPointerAlignment();
 
-    emitSaveCalleeSaves();
+    emitSaveCalleeSavesFor(&RegisterAtOffsetList::llintBaselineCalleeSaveRegisters());
     emitMaterializeTagCheckRegisters();
-
-    if (m_codeBlock->codeType() == FunctionCode) {
+    emitMaterializeMetadataAndConstantPoolRegisters();
+
+    if (m_unlinkedCodeBlock->codeType() == FunctionCode) {
         ASSERT(!m_bytecodeIndex);
-        if (shouldEmitProfiling()) {
-            for (unsigned argument = 0; argument < m_codeBlock->numParameters(); ++argument) {
+        if (shouldEmitProfiling() && (!m_unlinkedCodeBlock->isConstructor() || m_unlinkedCodeBlock->numParameters() > 1)) {
+            emitGetFromCallFrameHeaderPtr(CallFrameSlot::codeBlock, regT2);
+            loadPtr(Address(regT2, CodeBlock::offsetOfArgumentValueProfiles() + FixedVector<ValueProfile>::offsetOfStorage()), regT2);
+
+            for (unsigned argument = 0; argument < m_unlinkedCodeBlock->numParameters(); ++argument) {
                 // If this is a constructor, then we want to put in a dummy profiling site (to
                 // keep things consistent) but we don't actually want to record the dummy value.
-                if (m_codeBlock->isConstructor() && !argument)
+                if (m_unlinkedCodeBlock->isConstructor() && !argument)
                     continue;
                 int offset = CallFrame::argumentOffsetIncludingThis(argument) * static_cast<int>(sizeof(Register));
@@ -779 +784 @@
                 load32(Address(callFrameRegister, offset + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), resultRegs.tagGPR());
 #endif
-                emitValueProfilingSite(m_codeBlock->valueProfileForArgument(argument), resultRegs);
+                storeValue(resultRegs, Address(regT2, argument * sizeof(ValueProfile) + ValueProfile::offsetOfFirstBucket()));
             }
         }
     }
     
-    RELEASE_ASSERT(!JITCode::isJIT(m_codeBlock->jitType()));
+    RELEASE_ASSERT(!JITCode::isJIT(m_profiledCodeBlock->jitType()));
 
     if (UNLIKELY(sizeMarker))
@@ -801 +806 @@
     if (maxFrameExtentForSlowPathCall)
         addPtr(TrustedImm32(-static_cast<int32_t>(maxFrameExtentForSlowPathCall)), stackPointerRegister);
-    callOperationWithCallFrameRollbackOnException(operationThrowStackOverflowError, m_codeBlock);
+    emitGetFromCallFrameHeaderPtr(CallFrameSlot::codeBlock, regT0);
+    callOperationWithCallFrameRollbackOnException(operationThrowStackOverflowError, regT0);
 
     // If the number of parameters is 1, we never require arity fixup.
-    bool requiresArityFixup = m_codeBlock->m_numParameters != 1;
-    if (m_codeBlock->codeType() == FunctionCode && requiresArityFixup) {
+    bool requiresArityFixup = m_unlinkedCodeBlock->numParameters() != 1;
+    if (m_unlinkedCodeBlock->codeType() == FunctionCode && requiresArityFixup) {
         m_arityCheck = label();
-        store8(TrustedImm32(0), &m_codeBlock->m_shouldAlwaysBeInlined);
+
         emitFunctionPrologue();
-        emitPutToCallFrameHeader(m_codeBlock, CallFrameSlot::codeBlock);
+        emitPutCodeBlockToFrameInPrologue(regT0);
+        store8(TrustedImm32(0), Address(regT0, CodeBlock::offsetOfShouldAlwaysBeInlined()));
 
         load32(payloadFor(CallFrameSlot::argumentCountIncludingThis), regT1);
-        branch32(AboveOrEqual, regT1, TrustedImm32(m_codeBlock->m_numParameters)).linkTo(beginLabel, this);
+        branch32(AboveOrEqual, regT1, TrustedImm32(m_unlinkedCodeBlock->numParameters())).linkTo(beginLabel, this);
 
         m_bytecodeIndex = BytecodeIndex(0);
@@ -818 +825 @@
         if (maxFrameExtentForSlowPathCall)
             addPtr(TrustedImm32(-static_cast<int32_t>(maxFrameExtentForSlowPathCall)), stackPointerRegister);
-        callOperationWithCallFrameRollbackOnException(m_codeBlock->isConstructor() ? operationConstructArityCheck : operationCallArityCheck, m_codeBlock->globalObject());
+        loadPtr(Address(regT0, CodeBlock::offsetOfGlobalObject()), argumentGPR0);
+        callOperationWithCallFrameRollbackOnException(m_unlinkedCodeBlock->isConstructor() ? operationConstructArityCheck : operationCallArityCheck, argumentGPR0);
         if (maxFrameExtentForSlowPathCall)
             addPtr(TrustedImm32(maxFrameExtentForSlowPathCall), stackPointerRegister);
@@ -841 +849 @@
     m_pcToCodeOriginMapBuilder.appendItem(label(), PCToCodeOriginMapBuilder::defaultCodeOrigin());
 
-    m_linkBuffer = std::unique_ptr<LinkBuffer>(new LinkBuffer(*this, m_codeBlock, LinkBuffer::Profile::BaselineJIT, effort));
+    m_linkBuffer = std::unique_ptr<LinkBuffer>(new LinkBuffer(*this, m_unlinkedCodeBlock, LinkBuffer::Profile::BaselineJIT, effort));
     link();
 }
@@ -860 +868 @@
         case SwitchRecord::Immediate:
         case SwitchRecord::Character: {
-            const UnlinkedSimpleJumpTable& unlinkedTable = m_codeBlock->unlinkedSwitchJumpTable(tableIndex);
-            SimpleJumpTable& linkedTable = m_codeBlock->switchJumpTable(tableIndex);
+            const UnlinkedSimpleJumpTable& unlinkedTable = m_unlinkedCodeBlock->unlinkedSwitchJumpTable(tableIndex);
+            SimpleJumpTable& linkedTable = m_switchJumpTables[tableIndex];
             linkedTable.m_ctiDefault = patchBuffer.locationOf<JSSwitchPtrTag>(m_labels[bytecodeOffset + record.defaultOffset]);
             for (unsigned j = 0; j < unlinkedTable.m_branchOffsets.size(); ++j) {
@@ -873 +881 @@
 
         case SwitchRecord::String: {
-            const UnlinkedStringJumpTable& unlinkedTable = m_codeBlock->unlinkedStringSwitchJumpTable(tableIndex);
-            StringJumpTable& linkedTable = m_codeBlock->stringSwitchJumpTable(tableIndex);
+            const UnlinkedStringJumpTable& unlinkedTable = m_unlinkedCodeBlock->unlinkedStringSwitchJumpTable(tableIndex);
+            StringJumpTable& linkedTable = m_stringSwitchJumpTables[tableIndex];
             auto ctiDefault = patchBuffer.locationOf<JSSwitchPtrTag>(m_labels[bytecodeOffset + record.defaultOffset]);
             for (auto& location : unlinkedTable.m_offsetTable.values()) {
@@ -908 +916 @@
     }
 
+#if USE(JSVALUE64)
+    auto finalizeICs = [&] (auto& generators) {
+        for (auto& gen : generators) {
+            gen.m_unlinkedStubInfo->start = patchBuffer.locationOf<JITStubRoutinePtrTag>(gen.m_start);
+            gen.m_unlinkedStubInfo->doneLocation = patchBuffer.locationOf<JSInternalPtrTag>(gen.m_done);
+            gen.m_unlinkedStubInfo->slowPathStartLocation = patchBuffer.locationOf<JITStubRoutinePtrTag>(gen.m_slowPathBegin);
+        }
+    };
+
+    finalizeICs(m_getByIds);
+    finalizeICs(m_getByVals);
+    finalizeICs(m_getByIdsWithThis);
+    finalizeICs(m_putByIds);
+    finalizeICs(m_putByVals);
+    finalizeICs(m_delByIds);
+    finalizeICs(m_delByVals);
+    finalizeICs(m_inByIds);
+    finalizeICs(m_inByVals);
+    finalizeICs(m_instanceOfs);
+    finalizeICs(m_privateBrandAccesses);
+#else
     finalizeInlineCaches(m_getByIds, patchBuffer);
     finalizeInlineCaches(m_getByVals, patchBuffer);
@@ -919 +948 @@
     finalizeInlineCaches(m_instanceOfs, patchBuffer);
     finalizeInlineCaches(m_privateBrandAccesses, patchBuffer);
+#endif
 
     for (auto& compilationInfo : m_callCompilationInfo) {
+#if USE(JSVALUE64)
+        UnlinkedCallLinkInfo& info = *compilationInfo.unlinkedCallLinkInfo;
+        info.doneLocation = patchBuffer.locationOf<JSInternalPtrTag>(compilationInfo.doneLocation);
+#else
         CallLinkInfo& info = *compilationInfo.callLinkInfo;
         info.setCodeLocations(
             patchBuffer.locationOf<JSInternalPtrTag>(compilationInfo.slowPathStart),
             patchBuffer.locationOf<JSInternalPtrTag>(compilationInfo.doneLocation));
-    }
-
-    {
-        JITCodeMapBuilder jitCodeMapBuilder;
-        for (unsigned bytecodeOffset = 0; bytecodeOffset < m_labels.size(); ++bytecodeOffset) {
-            if (m_labels[bytecodeOffset].isSet())
-                jitCodeMapBuilder.append(BytecodeIndex(bytecodeOffset), patchBuffer.locationOf<JSEntryPtrTag>(m_labels[bytecodeOffset]));
-        }
-        m_codeBlock->setJITCodeMap(jitCodeMapBuilder.finalize());
+#endif
+
+    }
+
+    JITCodeMapBuilder jitCodeMapBuilder;
+    for (unsigned bytecodeOffset = 0; bytecodeOffset < m_labels.size(); ++bytecodeOffset) {
+        if (m_labels[bytecodeOffset].isSet())
+            jitCodeMapBuilder.append(BytecodeIndex(bytecodeOffset), patchBuffer.locationOf<JSEntryPtrTag>(m_labels[bytecodeOffset]));
     }
 
@@ -942 +975 @@
 
     if (UNLIKELY(m_compilation)) {
+        // FIXME: should we make the bytecode profiler know about UnlinkedCodeBlock?
         if (Options::disassembleBaselineForProfiler())
             m_disassembler->reportToProfiler(m_compilation.get(), patchBuffer);
-        m_vm->m_perBytecodeProfiler->addCompilation(m_codeBlock, *m_compilation);
+        m_vm->m_perBytecodeProfiler->addCompilation(m_profiledCodeBlock, *m_compilation);
     }
 
@@ -950 +984 @@
         m_pcToCodeOriginMap = makeUnique<PCToCodeOriginMap>(WTFMove(m_pcToCodeOriginMapBuilder), patchBuffer);
     
+    // FIXME: Make a version of CodeBlockWithJITType that knows about UnlinkedCodeBlock.
     CodeRef<JSEntryPtrTag> result = FINALIZE_CODE(
         patchBuffer, JSEntryPtrTag,
-        "Baseline JIT code for %s", toCString(CodeBlockWithJITType(m_codeBlock, JITType::BaselineJIT)).data());
+        "Baseline JIT code for %s", toCString(CodeBlockWithJITType(m_profiledCodeBlock, JITType::BaselineJIT)).data());
     
     MacroAssemblerCodePtr<JSEntryPtrTag> withArityCheck = patchBuffer.locationOf<JSEntryPtrTag>(m_arityCheck);
-    m_jitCode = adoptRef(*new DirectJITCode(result, withArityCheck, JITType::BaselineJIT));
+    m_jitCode = adoptRef(*new BaselineJITCode(result, withArityCheck));
+
+    m_jitCode->m_unlinkedCalls = WTFMove(m_unlinkedCalls);
+    m_jitCode->m_evalCallLinkInfos = WTFMove(m_evalCallLinkInfos);
+    m_jitCode->m_unlinkedStubInfos = WTFMove(m_unlinkedStubInfos);
+    m_jitCode->m_switchJumpTables = WTFMove(m_switchJumpTables);
+    m_jitCode->m_stringSwitchJumpTables = WTFMove(m_stringSwitchJumpTables);
+    m_jitCode->m_jitCodeMap = jitCodeMapBuilder.finalize();
+    m_jitCode->adoptMathICs(m_mathICs);
+    m_jitCode->m_constantPool = WTFMove(m_constantPool);
+#if USE(JSVALUE64)
+    m_jitCode->m_isShareable = m_isShareable;
+#else
+    m_jitCode->m_isShareable = false;
+#endif
 
     if (JITInternal::verbose)
-        dataLogF("JIT generated code for %p at [%p, %p).\n", m_codeBlock, result.executableMemory()->start().untaggedPtr(), result.executableMemory()->end().untaggedPtr());
-}
-
-CompilationResult JIT::finalizeOnMainThread()
+        dataLogF("JIT generated code for %p at [%p, %p).\n", m_unlinkedCodeBlock, result.executableMemory()->start().untaggedPtr(), result.executableMemory()->end().untaggedPtr());
+}
+
+CompilationResult JIT::finalizeOnMainThread(CodeBlock* codeBlock)
 {
     RELEASE_ASSERT(!isCompilationThread());
@@ -970 +1019 @@
     m_linkBuffer->runMainThreadFinalizationTasks();
 
-    {
-        ConcurrentJSLocker locker(m_codeBlock->m_lock);
-        m_codeBlock->shrinkToFit(locker, CodeBlock::ShrinkMode::LateShrink);
-    }
-
-    for (size_t i = 0; i < m_codeBlock->numberOfExceptionHandlers(); ++i) {
-        HandlerInfo& handler = m_codeBlock->exceptionHandler(i);
-        // FIXME: <rdar://problem/39433318>.
-        handler.nativeCode = m_codeBlock->jitCodeMap().find(BytecodeIndex(handler.target)).retagged<ExceptionHandlerPtrTag>();
-    }
-
     if (m_pcToCodeOriginMap)
-        m_codeBlock->setPCToCodeOriginMap(WTFMove(m_pcToCodeOriginMap));
+        m_jitCode->m_pcToCodeOriginMap = WTFMove(m_pcToCodeOriginMap);
 
     m_vm->machineCodeBytesPerBytecodeWordForBaselineJIT->add(
         static_cast<double>(m_jitCode->size()) /
-        static_cast<double>(m_codeBlock->instructionsSize()));
-
-    m_codeBlock->setJITCode(m_jitCode.releaseNonNull());
+        static_cast<double>(m_unlinkedCodeBlock->instructionsSize()));
+
+    codeBlock->setupWithUnlinkedBaselineCode(m_jitCode.releaseNonNull());
 
     return CompilationSuccessful;
@@ -1000 +1038 @@
 }
 
-CompilationResult JIT::privateCompile(JITCompilationEffort effort)
+CompilationResult JIT::privateCompile(CodeBlock* codeBlock, JITCompilationEffort effort)
 {
     doMainThreadPreparationBeforeCompile();
     compileAndLinkWithoutFinalizing(effort);
-    return finalizeOnMainThread();
+    return finalizeOnMainThread(codeBlock);
 }
 
@@ -1044 +1082 @@
 }
 
+unsigned JIT::frameRegisterCountFor(UnlinkedCodeBlock* codeBlock)
+{
+    ASSERT(static_cast<unsigned>(codeBlock->numCalleeLocals()) == WTF::roundUpToMultipleOf(stackAlignmentRegisters(), static_cast<unsigned>(codeBlock->numCalleeLocals())));
+
+    return roundLocalRegisterCountForFramePointerOffset(codeBlock->numCalleeLocals() + maxFrameExtentForSlowPathCallInRegisters);
+}
+
 unsigned JIT::frameRegisterCountFor(CodeBlock* codeBlock)
 {
-    ASSERT(static_cast<unsigned>(codeBlock->numCalleeLocals()) == WTF::roundUpToMultipleOf(stackAlignmentRegisters(), static_cast<unsigned>(codeBlock->numCalleeLocals())));
-
-    return roundLocalRegisterCountForFramePointerOffset(codeBlock->numCalleeLocals() + maxFrameExtentForSlowPathCallInRegisters);
+    return frameRegisterCountFor(codeBlock->unlinkedCodeBlock());
+}
+
+int JIT::stackPointerOffsetFor(UnlinkedCodeBlock* codeBlock)
+{
+    return virtualRegisterForLocal(frameRegisterCountFor(codeBlock) - 1).offset();
 }
 
 int JIT::stackPointerOffsetFor(CodeBlock* codeBlock)
 {
-    return virtualRegisterForLocal(frameRegisterCountFor(codeBlock) - 1).offset();
+    return stackPointerOffsetFor(codeBlock->unlinkedCodeBlock());
 }