[JSC] Always create StructureStubInfo for op_get_by_val

Constellation · Constellation · commit 3576f09fd2b9 · 2022-06-16T23:08:33.000Z
https://bugs.webkit.org/show_bug.cgi?id=241669 rdar://75146284 Reviewed by Saam Barati and Mark Lam. DFG OSR exit requires StructureStubInfo for getter / setter calls. However very generic baseline JIT op_get_by_val does not create StructureStubInfo. It is possible that OSR exit crashes because of this missing StructureStubInfo. Let's consider the following edge case. 1. Now, Baseline detects that this is very generic op_get_by_val. So we do not create StructureStubInfo. 2. This function is inlined in DFG. And DFG emits IC for this GetByVal. 3. (2)'s DFG function collects information in DFG-level IC. And luckily, in this inlined call path, it was not so generic. 4. Then, due to different OSR exit or something, we recreate DFG code for this function with (2)'s inlining. 5. DFG detects that DFG-level IC has more specialized information. So it can inline getter call in this op_get_by_val. 6. Inside this getter, we perform OSR exit. 7. Looking into Baseline, and we found that there is no StructureStubInfo! We always create StructureStubInfo. In very generic op_get_by_val case, we create this with tookSlowPath = true. And we emit empty inline path to record doneLocation. So, OSR exit can jump to this place. We also clean up StructureStubInfo code. 1. "start" is renamed to startLocation. And we do not record it in DataIC case since it is not necessary. 2. Rename inlineSize to inlineCodeSize. 3. Add some assertions to ensure that this path is not used for DataIC case. 4. We also record opcode value in the crashing RELEASE_ASSERT to get more information if this does not fix the issue. * Source/JavaScriptCore/bytecode/InlineAccess.cpp: (JSC::linkCodeInline): (JSC::InlineAccess::generateArrayLength): (JSC::InlineAccess::generateStringLength): (JSC::InlineAccess::rewireStubAsJumpInAccessNotUsingInlineAccess): (JSC::InlineAccess::rewireStubAsJumpInAccess): (JSC::InlineAccess::resetStubAsJumpInAccess): * Source/JavaScriptCore/bytecode/StructureStubInfo.cpp: (JSC::StructureStubInfo::initializeFromUnlinkedStructureStubInfo): (JSC::StructureStubInfo::initializeFromDFGUnlinkedStructureStubInfo): * Source/JavaScriptCore/bytecode/StructureStubInfo.h: (JSC::StructureStubInfo::inlineCodeSize const): (JSC::StructureStubInfo::inlineSize const): Deleted. * Source/JavaScriptCore/dfg/DFGInlineCacheWrapperInlines.h: (JSC::DFG::InlineCacheWrapper<GeneratorType>::finalize): * Source/JavaScriptCore/dfg/DFGJITCode.h: * Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp: (JSC::DFG::callerReturnPC): * Source/JavaScriptCore/jit/JIT.cpp: (JSC::JIT::link): * Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp: (JSC::JITInlineCacheGenerator::finalize): (JSC::JITGetByValGenerator::generateEmptyPath): * Source/JavaScriptCore/jit/JITInlineCacheGenerator.h: * Source/JavaScriptCore/jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_get_by_val): * JSTests/stress/get-by-val-generic-structurestubinfo.js: Added. (let.program): (runMono.let.o.get x): (runMono): (runPoly): Canonical link: https://commits.webkit.org/251619@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@295614 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JSTests/stress/get-by-val-generic-structurestubinfo.js b/JSTests/stress/get-by-val-generic-structurestubinfo.js
@@ -0,0 +1,55 @@
+//@ requireOptions("--getByValICMaxNumberOfIdentifiers=2")
+
+let program = `
+    function shouldBe(actual, expected) {
+        if (actual !== expected)
+            throw new Error('bad value: ' + actual);
+    }
+    noInline(shouldBe);
+
+    function foo(o, p) {
+        return o[p];
+    }
+    noInline(foo);
+
+    function runMono() {
+        let o = {
+            get x() {
+                if ($vm.ftlTrue()) OSRExit();
+                return 42;
+            }
+        };
+        for (let i = 0; i < 1000000; ++i) {
+            shouldBe(foo(o, "x"), 42);
+        }
+    }
+
+    function runPoly() {
+        let o = {
+            a: 1,
+            b: 2,
+            c: 4,
+            d: 4,
+            e: 4,
+            f: 4,
+            g: 4,
+        };
+        for (let i = 0; i < 1000000; ++i) {
+            foo(o, "a");
+            foo(o, "b");
+            foo(o, "c");
+            foo(o, "d");
+            foo(o, "e");
+            foo(o, "f");
+            foo(o, "g");
+            foo(o, "h");
+            foo(o, "i");
+        }
+    }
+`;
+
+let g1 = runString(program);
+g1.runPoly();
+
+let g2 = runString(program);
+g2.runMono();
diff --git a/Source/JavaScriptCore/bytecode/InlineAccess.cpp b/Source/JavaScriptCore/bytecode/InlineAccess.cpp
@@ -152,9 +152,9 @@ void InlineAccess::dumpCacheSizesAndCrash()
 template <typename Function>
 ALWAYS_INLINE static bool linkCodeInline(const char* name, CCallHelpers& jit, StructureStubInfo& stubInfo, const Function& function)
 {
-    if (jit.m_assembler.buffer().codeSize() <= stubInfo.inlineSize()) {
+    if (jit.m_assembler.buffer().codeSize() <= stubInfo.inlineCodeSize()) {
         bool needsBranchCompaction = true;
-        LinkBuffer linkBuffer(jit, stubInfo.start, stubInfo.inlineSize(), LinkBuffer::Profile::InlineCache, JITCompilationMustSucceed, needsBranchCompaction);
+        LinkBuffer linkBuffer(jit, stubInfo.startLocation, stubInfo.inlineCodeSize(), LinkBuffer::Profile::InlineCache, JITCompilationMustSucceed, needsBranchCompaction);
         ASSERT(linkBuffer.isValid());
         function(linkBuffer);
         FINALIZE_CODE(linkBuffer, NoPtrTag, "InlineAccessType: '%s'", name);
@@ -169,7 +169,7 @@ ALWAYS_INLINE static bool linkCodeInline(const char* name, CCallHelpers& jit, St
     constexpr bool failIfCantInline = false;
     if (failIfCantInline) {
         dataLog("Failure for: ", name, "\n");
-        dataLog("real size: ", jit.m_assembler.buffer().codeSize(), " inline size:", stubInfo.inlineSize(), "\n");
+        dataLog("real size: ", jit.m_assembler.buffer().codeSize(), " inline size:", stubInfo.inlineCodeSize(), "\n");
         CRASH();
     }
 
@@ -310,6 +310,7 @@ bool InlineAccess::isCacheableArrayLength(CodeBlock* codeBlock, StructureStubInf
 
 bool InlineAccess::generateArrayLength(CodeBlock* codeBlock, StructureStubInfo& stubInfo, JSArray* array)
 {
+    ASSERT_UNUSED(codeBlock, !codeBlock->useDataIC());
     ASSERT_UNUSED(codeBlock, isCacheableArrayLength(codeBlock, stubInfo, array));
 
     if (!stubInfo.hasConstantIdentifier)
@@ -348,6 +349,7 @@ bool InlineAccess::isCacheableStringLength(CodeBlock* codeBlock, StructureStubIn
 
 bool InlineAccess::generateStringLength(CodeBlock* codeBlock, StructureStubInfo& stubInfo)
 {
+    ASSERT_UNUSED(codeBlock, !codeBlock->useDataIC());
     ASSERT_UNUSED(codeBlock, isCacheableStringLength(codeBlock, stubInfo));
 
     if (!stubInfo.hasConstantIdentifier)
@@ -416,7 +418,7 @@ void InlineAccess::rewireStubAsJumpInAccessNotUsingInlineAccess(CodeBlock* codeB
         return;
     }
 
-    CCallHelpers::emitJITCodeOver(stubInfo.start.retagged<JSInternalPtrTag>(), scopedLambda<void(CCallHelpers&)>([&](CCallHelpers& jit) {
+    CCallHelpers::emitJITCodeOver(stubInfo.startLocation.retagged<JSInternalPtrTag>(), scopedLambda<void(CCallHelpers&)>([&](CCallHelpers& jit) {
         // We don't need a nop sled here because nobody should be jumping into the middle of an IC.
         auto jump = jit.jump();
         jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
@@ -433,7 +435,7 @@ void InlineAccess::rewireStubAsJumpInAccess(CodeBlock* codeBlock, StructureStubI
         return;
     }
 
-    CCallHelpers::emitJITCodeOver(stubInfo.start.retagged<JSInternalPtrTag>(), scopedLambda<void(CCallHelpers&)>([&](CCallHelpers& jit) {
+    CCallHelpers::emitJITCodeOver(stubInfo.startLocation.retagged<JSInternalPtrTag>(), scopedLambda<void(CCallHelpers&)>([&](CCallHelpers& jit) {
         // We don't need a nop sled here because nobody should be jumping into the middle of an IC.
         auto jump = jit.jump();
         jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
@@ -450,7 +452,7 @@ void InlineAccess::resetStubAsJumpInAccess(CodeBlock* codeBlock, StructureStubIn
         return;
     }
 
-    CCallHelpers::emitJITCodeOver(stubInfo.start.retagged<JSInternalPtrTag>(), scopedLambda<void(CCallHelpers&)>([&](CCallHelpers& jit) {
+    CCallHelpers::emitJITCodeOver(stubInfo.startLocation.retagged<JSInternalPtrTag>(), scopedLambda<void(CCallHelpers&)>([&](CCallHelpers& jit) {
         // We don't need a nop sled here because nobody should be jumping into the middle of an IC.
         auto jump = jit.jump();
         auto slowPathStartLocation = stubInfo.slowPathStartLocation;
diff --git a/Source/JavaScriptCore/bytecode/StructureStubInfo.cpp b/Source/JavaScriptCore/bytecode/StructureStubInfo.cpp
@@ -487,13 +487,13 @@ static FunctionPtr<OperationPtrTag> slowOperationFromUnlinkedStructureStubInfo(c
 void StructureStubInfo::initializeFromUnlinkedStructureStubInfo(const BaselineUnlinkedStructureStubInfo& unlinkedStubInfo)
 {
     accessType = unlinkedStubInfo.accessType;
-    start = unlinkedStubInfo.start;
     doneLocation = unlinkedStubInfo.doneLocation;
     slowPathStartLocation = unlinkedStubInfo.slowPathStartLocation;
     callSiteIndex = CallSiteIndex(BytecodeIndex(unlinkedStubInfo.bytecodeIndex.offset()));
     codeOrigin = CodeOrigin(unlinkedStubInfo.bytecodeIndex);
     m_codePtr = slowPathStartLocation;
     propertyIsInt32 = unlinkedStubInfo.propertyIsInt32;
+    tookSlowPath = unlinkedStubInfo.tookSlowPath;
     useDataIC = true;
 
     usedRegisters = RegisterSet::stubUnavailableRegisters();
@@ -654,7 +654,6 @@ void StructureStubInfo::initializeFromUnlinkedStructureStubInfo(const BaselineUn
 void StructureStubInfo::initializeFromDFGUnlinkedStructureStubInfo(const DFG::UnlinkedStructureStubInfo& unlinkedStubInfo)
 {
     accessType = unlinkedStubInfo.accessType;
-    start = unlinkedStubInfo.start;
     doneLocation = unlinkedStubInfo.doneLocation;
     slowPathStartLocation = unlinkedStubInfo.slowPathStartLocation;
     callSiteIndex = unlinkedStubInfo.callSiteIndex;
@@ -666,6 +665,7 @@ void StructureStubInfo::initializeFromDFGUnlinkedStructureStubInfo(const DFG::Un
     propertyIsString = unlinkedStubInfo.propertyIsString;
     prototypeIsKnownObject = unlinkedStubInfo.prototypeIsKnownObject;
     hasConstantIdentifier = unlinkedStubInfo.hasConstantIdentifier;
+    tookSlowPath = unlinkedStubInfo.tookSlowPath;
     useDataIC = true;
 
     usedRegisters = unlinkedStubInfo.usedRegisters;
diff --git a/Source/JavaScriptCore/bytecode/StructureStubInfo.h b/Source/JavaScriptCore/bytecode/StructureStubInfo.h
@@ -153,9 +153,11 @@ class StructureStubInfo {
 
     bool containsPC(void* pc) const;
 
-    uint32_t inlineSize() const
+    uint32_t inlineCodeSize() const
     {
-        int32_t inlineSize = MacroAssembler::differenceBetweenCodePtr(start, doneLocation);
+        if (useDataIC)
+            return 0;
+        int32_t inlineSize = MacroAssembler::differenceBetweenCodePtr(startLocation, doneLocation);
         ASSERT(inlineSize >= 0);
         return inlineSize;
     }
@@ -382,7 +384,9 @@ class StructureStubInfo {
     // That's not so bad - we'll get rid of the redundant ones once we regenerate.
     HashSet<BufferedStructure, BufferedStructure::Hash, BufferedStructure::KeyTraits> m_bufferedStructures WTF_GUARDED_BY_LOCK(m_bufferedStructuresLock);
 public:
-    CodeLocationLabel<JITStubRoutinePtrTag> start; // This is either the start of the inline IC for *byId caches. or the location of patchable jump for 'instanceof' caches.
+    // This is either the start of the inline IC for *byId caches. or the location of patchable jump for 'instanceof' caches.
+    // If useDataIC is true, then it is nullptr.
+    CodeLocationLabel<JITStubRoutinePtrTag> startLocation;
     CodeLocationLabel<JSInternalPtrTag> doneLocation;
     CodeLocationLabel<JITStubRoutinePtrTag> slowPathStartLocation;
 
@@ -480,11 +484,11 @@ struct UnlinkedStructureStubInfo {
     PutKind putKind { PutKind::Direct };
     PrivateFieldPutKind privateFieldPutKind { PrivateFieldPutKind::none() };
     ECMAMode ecmaMode { ECMAMode::sloppy() };
-    bool propertyIsInt32 { false };
-    bool propertyIsString { false };
-    bool propertyIsSymbol { false };
-    bool prototypeIsKnownObject { false };
-    CodeLocationLabel<JITStubRoutinePtrTag> start; // This is either the start of the inline IC for *byId caches. or the location of patchable jump for 'instanceof' caches.
+    bool propertyIsInt32 : 1 { false };
+    bool propertyIsString : 1 { false };
+    bool propertyIsSymbol : 1 { false };
+    bool prototypeIsKnownObject : 1 { false };
+    bool tookSlowPath : 1 { false };
     CodeLocationLabel<JSInternalPtrTag> doneLocation;
     CodeLocationLabel<JITStubRoutinePtrTag> slowPathStartLocation;
 };
diff --git a/Source/JavaScriptCore/dfg/DFGInlineCacheWrapperInlines.h b/Source/JavaScriptCore/dfg/DFGInlineCacheWrapperInlines.h
@@ -37,7 +37,6 @@ void InlineCacheWrapper<GeneratorType>::finalize(LinkBuffer& fastPath, LinkBuffe
 {
     m_generator.reportSlowPathCall(m_slowPath->label(), m_slowPath->call());
     if (m_generator.m_unlinkedStubInfo) {
-        m_generator.m_unlinkedStubInfo->start = fastPath.locationOf<JITStubRoutinePtrTag>(m_generator.m_start);
         m_generator.m_unlinkedStubInfo->doneLocation = fastPath.locationOf<JSInternalPtrTag>(m_generator.m_done);
         m_generator.m_unlinkedStubInfo->slowPathStartLocation = fastPath.locationOf<JITStubRoutinePtrTag>(m_generator.m_slowPathBegin);
     } else
diff --git a/Source/JavaScriptCore/dfg/DFGJITCode.h b/Source/JavaScriptCore/dfg/DFGJITCode.h
@@ -53,8 +53,8 @@ class JITCompiler;
 
 struct UnlinkedStructureStubInfo : JSC::UnlinkedStructureStubInfo {
     CodeOrigin codeOrigin;
-    CallSiteIndex callSiteIndex;
     RegisterSet usedRegisters;
+    CallSiteIndex callSiteIndex;
     GPRReg m_baseGPR { InvalidGPRReg };
     GPRReg m_valueGPR { InvalidGPRReg };
     GPRReg m_extraGPR { InvalidGPRReg };
diff --git a/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp b/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp
@@ -214,7 +214,7 @@ static MacroAssemblerCodePtr<JSEntryPtrTag> callerReturnPC(CodeBlock* baselineCo
         case InlineCallFrame::GetterCall:
         case InlineCallFrame::SetterCall: {
             StructureStubInfo* stubInfo = baselineCodeBlockForCaller->findStubInfo(CodeOrigin(callBytecodeIndex));
-            RELEASE_ASSERT(stubInfo);
+            RELEASE_ASSERT(stubInfo, callInstruction.opcodeID());
             jumpTarget = stubInfo->doneLocation.retagged<JSEntryPtrTag>();
             break;
         }
diff --git a/Source/JavaScriptCore/jit/JIT.cpp b/Source/JavaScriptCore/jit/JIT.cpp
@@ -946,7 +946,6 @@ void JIT::link()
 
     auto finalizeICs = [&] (auto& generators) {
         for (auto& gen : generators) {
-            gen.m_unlinkedStubInfo->start = patchBuffer.locationOf<JITStubRoutinePtrTag>(gen.m_start);
             gen.m_unlinkedStubInfo->doneLocation = patchBuffer.locationOf<JSInternalPtrTag>(gen.m_done);
             gen.m_unlinkedStubInfo->slowPathStartLocation = patchBuffer.locationOf<JITStubRoutinePtrTag>(gen.m_slowPathBegin);
         }
diff --git a/Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp b/Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp
@@ -63,7 +63,7 @@ void JITInlineCacheGenerator::finalize(
     LinkBuffer& fastPath, LinkBuffer& slowPath, CodeLocationLabel<JITStubRoutinePtrTag> start)
 {
     ASSERT(m_stubInfo);
-    m_stubInfo->start = start;
+    m_stubInfo->startLocation = start;
     m_stubInfo->doneLocation = fastPath.locationOf<JSInternalPtrTag>(m_done);
 
     if (!m_stubInfo->useDataIC)
@@ -534,6 +534,12 @@ void JITGetByValGenerator::generateFastPath(CCallHelpers& jit)
     m_done = jit.label();
 }
 
+void JITGetByValGenerator::generateEmptyPath(CCallHelpers& jit)
+{
+    m_start = jit.label();
+    m_done = jit.label();
+}
+
 void JITGetByValGenerator::finalize(LinkBuffer& fastPath, LinkBuffer& slowPath)
 {
     ASSERT(m_stubInfo);
diff --git a/Source/JavaScriptCore/jit/JITInlineCacheGenerator.h b/Source/JavaScriptCore/jit/JITInlineCacheGenerator.h
@@ -558,6 +558,8 @@ class JITGetByValGenerator final : public JITInlineCacheGenerator {
     
     void generateFastPath(CCallHelpers&);
 
+    void generateEmptyPath(CCallHelpers&);
+
     template<typename StubInfo>
     static void setUpStubInfo(StubInfo& stubInfo,
         AccessType accessType, CodeOrigin codeOrigin, CallSiteIndex callSiteIndex, const RegisterSet& usedRegisters,
diff --git a/Source/JavaScriptCore/jit/JITPropertyAccess.cpp b/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
@@ -62,41 +62,44 @@ void JIT::emit_op_get_by_val(const JSInstruction* currentInstruction)
     emitGetVirtualRegister(base, baseJSR);
     emitGetVirtualRegister(property, propertyJSR);
 
+    auto [ stubInfo, stubInfoIndex ] = addUnlinkedStructureStubInfo();
+    JITGetByValGenerator gen(
+        nullptr, stubInfo, JITType::BaselineJIT, CodeOrigin(m_bytecodeIndex), CallSiteIndex(m_bytecodeIndex), AccessType::GetByVal, RegisterSet::stubUnavailableRegisters(),
+        baseJSR, propertyJSR, resultJSR, stubInfoGPR);
+    if (isOperandConstantInt(property))
+        stubInfo->propertyIsInt32 = true;
+    gen.m_unlinkedStubInfoConstantIndex = stubInfoIndex;
+
     if (bytecode.metadata(m_profiledCodeBlock).m_seenIdentifiers.count() > Options::getByValICMaxNumberOfIdentifiers()) {
+        stubInfo->tookSlowPath = true;
+
         auto notCell = branchIfNotCell(baseJSR);
         emitArrayProfilingSiteWithCell(bytecode, baseJSR.payloadGPR(), scratchGPR);
         notCell.link(this);
         loadGlobalObject(scratchGPR);
-        callOperationWithProfile(bytecode, operationGetByVal, dst, scratchGPR, baseJSR, propertyJSR);
+        callOperationWithResult(operationGetByVal, resultJSR, scratchGPR, baseJSR, propertyJSR);
+
+        gen.generateEmptyPath(*this);
     } else {
         emitJumpSlowCaseIfNotJSCell(baseJSR, base);
         emitArrayProfilingSiteWithCell(bytecode, baseJSR.payloadGPR(), scratchGPR);
 
-        auto [ stubInfo, stubInfoIndex ] = addUnlinkedStructureStubInfo();
-        JITGetByValGenerator gen(
-            nullptr, stubInfo, JITType::BaselineJIT, CodeOrigin(m_bytecodeIndex), CallSiteIndex(m_bytecodeIndex), AccessType::GetByVal, RegisterSet::stubUnavailableRegisters(),
-            baseJSR, propertyJSR, resultJSR, stubInfoGPR);
-        if (isOperandConstantInt(property))
-            stubInfo->propertyIsInt32 = true;
-        gen.m_unlinkedStubInfoConstantIndex = stubInfoIndex;
-
         gen.generateBaselineDataICFastPath(*this, stubInfoIndex, stubInfoGPR);
-        resetSP(); // We might OSR exit here, so we need to conservatively reset SP
+    }
 
-        addSlowCase();
-        m_getByVals.append(gen);
+    addSlowCase();
+    m_getByVals.append(gen);
 
-        setFastPathResumePoint();
-        emitValueProfilingSite(bytecode, resultJSR);
-        emitPutVirtualRegister(dst, resultJSR);
-    }
+    resetSP(); // We might OSR exit here, so we need to conservatively reset SP
+    setFastPathResumePoint();
+    emitValueProfilingSite(bytecode, resultJSR);
+    emitPutVirtualRegister(dst, resultJSR);
 }
 
 template<typename OpcodeType>
 void JIT::generateGetByValSlowCase(const OpcodeType& bytecode, Vector<SlowCaseEntry>::iterator& iter)
 {
-    if (!hasAnySlowCases(iter))
-        return;
+    ASSERT(hasAnySlowCases(iter));
 
     uint32_t bytecodeOffset = m_bytecodeIndex.offset();
     ASSERT(BytecodeIndex(bytecodeOffset) == m_bytecodeIndex);
@@ -109,11 +112,13 @@ void JIT::generateGetByValSlowCase(const OpcodeType& bytecode, Vector<SlowCaseEn
     Label coldPathBegin = label();
     linkAllSlowCases(iter);
 
-    move(TrustedImm32(bytecodeOffset), bytecodeOffsetGPR);
-    loadConstant(gen.m_unlinkedStubInfoConstantIndex, stubInfoGPR);
-    materializePointerIntoMetadata(bytecode, OpcodeType::Metadata::offsetOfArrayProfile(), profileGPR);
+    if (!gen.m_unlinkedStubInfo->tookSlowPath) {
+        move(TrustedImm32(bytecodeOffset), bytecodeOffsetGPR);
+        loadConstant(gen.m_unlinkedStubInfoConstantIndex, stubInfoGPR);
+        materializePointerIntoMetadata(bytecode, OpcodeType::Metadata::offsetOfArrayProfile(), profileGPR);
 
-    emitNakedNearCall(vm().getCTIStub(slow_op_get_by_val_callSlowOperationThenCheckExceptionGenerator).retaggedCode<NoPtrTag>());
+        emitNakedNearCall(vm().getCTIStub(slow_op_get_by_val_callSlowOperationThenCheckExceptionGenerator).retaggedCode<NoPtrTag>());
+    }
 
     gen.reportSlowPathCall(coldPathBegin, Call());
 }

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,6 @@ void InlineCacheWrapper<GeneratorType>::finalize(LinkBuffer& fastPath, LinkBuffe`
`37`	`37`	`{`
`38`	`38`	`m_generator.reportSlowPathCall(m_slowPath->label(), m_slowPath->call());`
`39`	`39`	`if (m_generator.m_unlinkedStubInfo) {`
`40`		`- m_generator.m_unlinkedStubInfo->start = fastPath.locationOf<JITStubRoutinePtrTag>(m_generator.m_start);`
`41`	`40`	`m_generator.m_unlinkedStubInfo->doneLocation = fastPath.locationOf<JSInternalPtrTag>(m_generator.m_done);`
`42`	`41`	`m_generator.m_unlinkedStubInfo->slowPathStartLocation = fastPath.locationOf<JITStubRoutinePtrTag>(m_generator.m_slowPathBegin);`
`43`	`42`	`} else`
Original file line number	Diff line number	Diff line change
`@@ -214,7 +214,7 @@ static MacroAssemblerCodePtr<JSEntryPtrTag> callerReturnPC(CodeBlock* baselineCo`
`214`	`214`	`case InlineCallFrame::GetterCall:`
`215`	`215`	`case InlineCallFrame::SetterCall: {`
`216`	`216`	`StructureStubInfo* stubInfo = baselineCodeBlockForCaller->findStubInfo(CodeOrigin(callBytecodeIndex));`
`217`		`- RELEASE_ASSERT(stubInfo);`
	`217`	`+ RELEASE_ASSERT(stubInfo, callInstruction.opcodeID());`
`218`	`218`	`jumpTarget = stubInfo->doneLocation.retagged<JSEntryPtrTag>();`
`219`	`219`	`break;`
`220`	`220`	`}`
Original file line number	Diff line number	Diff line change
`@@ -946,7 +946,6 @@ void JIT::link()`
`946`	`946`
`947`	`947`	`auto finalizeICs = [&] (auto& generators) {`
`948`	`948`	`for (auto& gen : generators) {`
`949`		`- gen.m_unlinkedStubInfo->start = patchBuffer.locationOf<JITStubRoutinePtrTag>(gen.m_start);`
`950`	`949`	`gen.m_unlinkedStubInfo->doneLocation = patchBuffer.locationOf<JSInternalPtrTag>(gen.m_done);`
`951`	`950`	`gen.m_unlinkedStubInfo->slowPathStartLocation = patchBuffer.locationOf<JITStubRoutinePtrTag>(gen.m_slowPathBegin);`
`952`	`951`	`}`
Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ void JITInlineCacheGenerator::finalize(`
`63`	`63`	`LinkBuffer& fastPath, LinkBuffer& slowPath, CodeLocationLabel<JITStubRoutinePtrTag> start)`
`64`	`64`	`{`
`65`	`65`	`ASSERT(m_stubInfo);`
`66`		`- m_stubInfo->start = start;`
	`66`	`+ m_stubInfo->startLocation = start;`
`67`	`67`	`m_stubInfo->doneLocation = fastPath.locationOf<JSInternalPtrTag>(m_done);`
`68`	`68`
`69`	`69`	`if (!m_stubInfo->useDataIC)`
`@@ -534,6 +534,12 @@ void JITGetByValGenerator::generateFastPath(CCallHelpers& jit)`
`534`	`534`	`m_done = jit.label();`
`535`	`535`	`}`
`536`	`536`
	`537`	`+void JITGetByValGenerator::generateEmptyPath(CCallHelpers& jit)`
	`538`	`+{`
	`539`	`+ m_start = jit.label();`
	`540`	`+ m_done = jit.label();`
	`541`	`+}`
	`542`	`+`
`537`	`543`	`void JITGetByValGenerator::finalize(LinkBuffer& fastPath, LinkBuffer& slowPath)`
`538`	`544`	`{`
`539`	`545`	`ASSERT(m_stubInfo);`