Changeset 238989 in webkit

Timestamp:

Dec 7, 2018 4:25:46 PM (5 years ago)

Author:

Michael Catanzaro

Message:

Merge r236161 - Ensure that ForInContexts are invalidated if their loop local is over-written.
​https://bugs.webkit.org/show_bug.cgi?id=189571
<rdar://problem/44402277>

Reviewed by Saam Barati.

JSTests:

• stress/regress-189571.js: Added.

Source/JavaScriptCore:

Instead of hunting down every place in the BytecodeGenerator that potentially
needs to invalidate an enclosing ForInContext (if one exists), we simply iterate
the bytecode range of the loop body when the ForInContext is popped, and
invalidate the context if we ever find the loop temp variable over-written.

This has 2 benefits:

1. It ensures that every type of opcode that can write to the loop temp will be handled appropriately, not just the op_mov that we've hunted down.
2. It avoids us having to check the BytecodeGenerator's m_forInContextStack every time we emit an op_mov (or other opcodes that can write to a local) even when we're not inside a for-in loop.

JSC benchmarks show that that this change is performance neutral.

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::pushIndexedForInScope):
(JSC::BytecodeGenerator::popIndexedForInScope):
(JSC::BytecodeGenerator::pushStructureForInScope):
(JSC::BytecodeGenerator::popStructureForInScope):
(JSC::ForInContext::finalize):
(JSC::StructureForInContext::finalize):
(JSC::IndexedForInContext::finalize):
(JSC::BytecodeGenerator::invalidateForInContextForLocal): Deleted.

• bytecompiler/BytecodeGenerator.h:

(JSC::ForInContext::ForInContext):
(JSC::ForInContext::bodyBytecodeStartOffset const):
(JSC::StructureForInContext::StructureForInContext):
(JSC::IndexedForInContext::IndexedForInContext):

• bytecompiler/NodesCodegen.cpp:

(JSC::PostfixNode::emitResolve):
(JSC::PrefixNode::emitResolve):
(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::EmptyLetExpression::emitBytecode):
(JSC::ForInNode::emitLoopHeader):
(JSC::ForOfNode::emitBytecode):
(JSC::BindingNode::bindValue const):
(JSC::AssignmentElementNode::bindValue const):

• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

Location:

releases/WebKitGTK/webkit-2.22

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/regress-189571.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (7 diffs)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (modified) (6 diffs)
• Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (modified) (12 diffs)
• Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (2 diffs)

releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog

@@ +1 @@
+2018-09-17  Mark Lam  <mark.lam@apple.com>
+
+        Ensure that ForInContexts are invalidated if their loop local is over-written.
+        https://bugs.webkit.org/show_bug.cgi?id=189571
+        <rdar://problem/44402277>
+
+        Reviewed by Saam Barati.
+
+        * stress/regress-189571.js: Added.
+
 2018-08-24  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
 

releases/WebKitGTK/webkit-2.22/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2018-09-18  Mark Lam  <mark.lam@apple.com>
+
+        Ensure that ForInContexts are invalidated if their loop local is over-written.
+        https://bugs.webkit.org/show_bug.cgi?id=189571
+        <rdar://problem/44402277>
+
+        Reviewed by Saam Barati.
+
+        Instead of hunting down every place in the BytecodeGenerator that potentially
+        needs to invalidate an enclosing ForInContext (if one exists), we simply iterate
+        the bytecode range of the loop body when the ForInContext is popped, and
+        invalidate the context if we ever find the loop temp variable over-written.
+
+        This has 2 benefits:
+        1. It ensures that every type of opcode that can write to the loop temp will be
+           handled appropriately, not just the op_mov that we've hunted down.
+        2. It avoids us having to check the BytecodeGenerator's m_forInContextStack
+           every time we emit an op_mov (or other opcodes that can write to a local)
+           even when we're not inside a for-in loop.
+
+        JSC benchmarks show that that this change is performance neutral.
+
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::pushIndexedForInScope):
+        (JSC::BytecodeGenerator::popIndexedForInScope):
+        (JSC::BytecodeGenerator::pushStructureForInScope):
+        (JSC::BytecodeGenerator::popStructureForInScope):
+        (JSC::ForInContext::finalize):
+        (JSC::StructureForInContext::finalize):
+        (JSC::IndexedForInContext::finalize):
+        (JSC::BytecodeGenerator::invalidateForInContextForLocal): Deleted.
+        * bytecompiler/BytecodeGenerator.h:
+        (JSC::ForInContext::ForInContext):
+        (JSC::ForInContext::bodyBytecodeStartOffset const):
+        (JSC::StructureForInContext::StructureForInContext):
+        (JSC::IndexedForInContext::IndexedForInContext):
+        * bytecompiler/NodesCodegen.cpp:
+        (JSC::PostfixNode::emitResolve):
+        (JSC::PrefixNode::emitResolve):
+        (JSC::ReadModifyResolveNode::emitBytecode):
+        (JSC::AssignResolveNode::emitBytecode):
+        (JSC::EmptyLetExpression::emitBytecode):
+        (JSC::ForInNode::emitLoopHeader):
+        (JSC::ForOfNode::emitBytecode):
+        (JSC::BindingNode::bindValue const):
+        (JSC::AssignmentElementNode::bindValue const):
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+
 2018-09-14  Mark Lam  <mark.lam@apple.com>
 

releases/WebKitGTK/webkit-2.22/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -37 +37 @@
 #include "BytecodeGeneratorification.h"
 #include "BytecodeLivenessAnalysis.h"
+#include "BytecodeUseDef.h"
 #include "CatchScope.h"
 #include "DefinePropertyAttributes.h"
@@ -4625 +4626 @@
     if (!localRegister)
         return;
-    m_forInContextStack.append(adoptRef(*new IndexedForInContext(localRegister, indexRegister)));
+    unsigned bodyBytecodeStartOffset = instructions().size();
+    m_forInContextStack.append(adoptRef(*new IndexedForInContext(localRegister, indexRegister, bodyBytecodeStartOffset)));
 }
 
@@ -4632 +4634 @@
     if (!localRegister)
         return;
-    m_forInContextStack.last()->asIndexedForInContext().finalize(*this);
+    unsigned bodyBytecodeEndOffset = instructions().size();
+    m_forInContextStack.last()->asIndexedForInContext().finalize(*this, m_codeBlock.get(), bodyBytecodeEndOffset);
     m_forInContextStack.removeLast();
 }
@@ -4735 +4738 @@
     if (!localRegister)
         return;
-    m_forInContextStack.append(adoptRef(*new StructureForInContext(localRegister, indexRegister, propertyRegister, enumeratorRegister)));
+    unsigned bodyBytecodeStartOffset = instructions().size();
+    m_forInContextStack.append(adoptRef(*new StructureForInContext(localRegister, indexRegister, propertyRegister, enumeratorRegister, bodyBytecodeStartOffset)));
 }
 
@@ -4742 +4746 @@
     if (!localRegister)
         return;
-    m_forInContextStack.last()->asStructureForInContext().finalize(*this);
+    unsigned bodyBytecodeEndOffset = instructions().size();
+    m_forInContextStack.last()->asStructureForInContext().finalize(*this, m_codeBlock.get(), bodyBytecodeEndOffset);
     m_forInContextStack.removeLast();
 }
 
-void BytecodeGenerator::invalidateForInContextForLocal(RegisterID* localRegister)
+RegisterID* BytecodeGenerator::emitRestParameter(RegisterID* result, unsigned numParametersToSkip)
+{
+    RefPtr<RegisterID> restArrayLength = newTemporary();
+    emitOpcode(op_get_rest_length);
+    instructions().append(restArrayLength->index());
+    instructions().append(numParametersToSkip);
+
+    emitOpcode(op_create_rest);
+    instructions().append(result->index());
+    instructions().append(restArrayLength->index());
+    instructions().append(numParametersToSkip);
+
+    return result;
+}
+
+void BytecodeGenerator::emitRequireObjectCoercible(RegisterID* value, const String& error)
+{
+    // FIXME: op_jneq_null treats "undetectable" objects as null/undefined. RequireObjectCoercible
+    // thus incorrectly throws a TypeError for interfaces like HTMLAllCollection.
+    Ref<Label> target = newLabel();
+    size_t begin = instructions().size();
+    emitOpcode(op_jneq_null);
+    instructions().append(value->index());
+    instructions().append(target->bind(begin, instructions().size()));
+    emitThrowTypeError(error);
+    emitLabel(target.get());
+}
+
+void BytecodeGenerator::emitYieldPoint(RegisterID* argument, JSAsyncGeneratorFunction::AsyncGeneratorSuspendReason result)
+{
+    Ref<Label> mergePoint = newLabel();
+    unsigned yieldPointIndex = m_yieldPoints++;
+    emitGeneratorStateChange(yieldPointIndex + 1);
+
+    if (parseMode() == SourceParseMode::AsyncGeneratorBodyMode) {
+        int suspendReason = static_cast<int32_t>(result);
+        emitPutById(generatorRegister(), propertyNames().builtinNames().asyncGeneratorSuspendReasonPrivateName(), emitLoad(nullptr, jsNumber(suspendReason)));
+    }
+
+    // Split the try range here.
+    Ref<Label> savePoint = newEmittedLabel();
+    for (unsigned i = m_tryContextStack.size(); i--;) {
+        TryContext& context = m_tryContextStack[i];
+        m_tryRanges.append(TryRange {
+            context.start.copyRef(),
+            savePoint.copyRef(),
+            context.tryData
+        });
+        // Try range will be restared at the merge point.
+        context.start = mergePoint.get();
+    }
+    Vector<TryContext> savedTryContextStack;
+    m_tryContextStack.swap(savedTryContextStack);
+
+    emitOpcode(op_yield);
+    instructions().append(generatorFrameRegister()->index());
+    instructions().append(yieldPointIndex);
+    instructions().append(argument->index());
+
+    // Restore the try contexts, which start offset is updated to the merge point.
+    m_tryContextStack.swap(savedTryContextStack);
+    emitLabel(mergePoint.get());
+}
+
+RegisterID* BytecodeGenerator::emitYield(RegisterID* argument, JSAsyncGeneratorFunction::AsyncGeneratorSuspendReason result)
+{
+    emitYieldPoint(argument, result);
+
+    Ref<Label> normalLabel = newLabel();
+    RefPtr<RegisterID> condition = newTemporary();
+    emitEqualityOp(op_stricteq, condition.get(), generatorResumeModeRegister(), emitLoad(nullptr, jsNumber(static_cast<int32_t>(JSGeneratorFunction::GeneratorResumeMode::NormalMode))));
+    emitJumpIfTrue(condition.get(), normalLabel.get());
+
+    Ref<Label> throwLabel = newLabel();
+    emitEqualityOp(op_stricteq, condition.get(), generatorResumeModeRegister(), emitLoad(nullptr, jsNumber(static_cast<int32_t>(JSGeneratorFunction::GeneratorResumeMode::ThrowMode))));
+    emitJumpIfTrue(condition.get(), throwLabel.get());
+    // Return.
+    {
+        RefPtr<RegisterID> returnRegister = generatorValueRegister();
+        bool hasFinally = emitReturnViaFinallyIfNeeded(returnRegister.get());
+        if (!hasFinally)
+            emitReturn(returnRegister.get());
+    }
+
+    // Throw.
+    emitLabel(throwLabel.get());
+    emitThrow(generatorValueRegister());
+
+    // Normal.
+    emitLabel(normalLabel.get());
+    return generatorValueRegister();
+}
+
+RegisterID* BytecodeGenerator::emitCallIterator(RegisterID* iterator, RegisterID* argument, ThrowableExpressionData* node)
+{
+    CallArguments args(*this, nullptr);
+    move(args.thisRegister(), argument);
+    emitCall(iterator, iterator, NoExpectedFunction, args, node->divot(), node->divotStart(), node->divotEnd(), DebuggableCall::No);
+
+    return iterator;
+}
+
+void BytecodeGenerator::emitAwait(RegisterID* value)
+{
+    emitYield(value, JSAsyncGeneratorFunction::AsyncGeneratorSuspendReason::Await);
+    move(value, generatorValueRegister());
+}
+
+RegisterID* BytecodeGenerator::emitGetIterator(RegisterID* argument, ThrowableExpressionData* node)
+{
+    RefPtr<RegisterID> iterator = emitGetById(newTemporary(), argument, propertyNames().iteratorSymbol);
+    emitCallIterator(iterator.get(), argument, node);
+
+    return iterator.get();
+}
+
+RegisterID* BytecodeGenerator::emitGetAsyncIterator(RegisterID* argument, ThrowableExpressionData* node)
+{
+    RefPtr<RegisterID> iterator = emitGetById(newTemporary(), argument, propertyNames().asyncIteratorSymbol);
+    Ref<Label> asyncIteratorNotFound = newLabel();
+    Ref<Label> asyncIteratorFound = newLabel();
+    Ref<Label> iteratorReceived = newLabel();
+
+    emitJumpIfTrue(emitUnaryOp(op_eq_null, newTemporary(), iterator.get()), asyncIteratorNotFound.get());
+
+    emitJump(asyncIteratorFound.get());
+    emitLabel(asyncIteratorNotFound.get());
+
+    RefPtr<RegisterID> commonIterator = emitGetIterator(argument, node);
+    move(iterator.get(), commonIterator.get());
+
+    RefPtr<RegisterID> nextMethod = emitGetById(newTemporary(), iterator.get(), propertyNames().next);
+
+    auto varCreateAsyncFromSyncIterator = variable(propertyNames().builtinNames().createAsyncFromSyncIteratorPrivateName());
+    RefPtr<RegisterID> scope = newTemporary();
+    move(scope.get(), emitResolveScope(scope.get(), varCreateAsyncFromSyncIterator));
+    RefPtr<RegisterID> createAsyncFromSyncIterator = emitGetFromScope(newTemporary(), scope.get(), varCreateAsyncFromSyncIterator, ThrowIfNotFound);
+
+    CallArguments args(*this, nullptr, 2);
+    emitLoad(args.thisRegister(), jsUndefined());
+
+    move(args.argumentRegister(0), iterator.get());
+    move(args.argumentRegister(1), nextMethod.get());
+
+    JSTextPosition divot(m_scopeNode->firstLine(), m_scopeNode->startOffset(), m_scopeNode->lineStartOffset());
+    emitCall(iterator.get(), createAsyncFromSyncIterator.get(), NoExpectedFunction, args, divot, divot, divot, DebuggableCall::No);
+
+    emitJump(iteratorReceived.get());
+
+    emitLabel(asyncIteratorFound.get());
+    emitCallIterator(iterator.get(), argument, node);
+    emitLabel(iteratorReceived.get());
+
+    return iterator.get();
+}
+
+RegisterID* BytecodeGenerator::emitDelegateYield(RegisterID* argument, ThrowableExpressionData* node)
+{
+    RefPtr<RegisterID> value = newTemporary();
+    {
+        RefPtr<RegisterID> iterator = parseMode() == SourceParseMode::AsyncGeneratorBodyMode ? emitGetAsyncIterator(argument, node) : emitGetIterator(argument, node);
+        RefPtr<RegisterID> nextMethod = emitGetById(newTemporary(), iterator.get(), propertyNames().next);
+
+        Ref<Label> loopDone = newLabel();
+        {
+            Ref<Label> nextElement = newLabel();
+            emitLoad(value.get(), jsUndefined());
+
+            emitJump(nextElement.get());
+
+            Ref<Label> loopStart = newLabel();
+            emitLabel(loopStart.get());
+            emitLoopHint();
+
+            Ref<Label> branchOnResult = newLabel();
+            {
+                emitYieldPoint(value.get(), JSAsyncGeneratorFunction::AsyncGeneratorSuspendReason::Yield);
+
+                Ref<Label> normalLabel = newLabel();
+                Ref<Label> returnLabel = newLabel();
+                {
+                    RefPtr<RegisterID> condition = newTemporary();
+                    emitEqualityOp(op_stricteq, condition.get(), generatorResumeModeRegister(), emitLoad(nullptr, jsNumber(static_cast<int32_t>(JSGeneratorFunction::GeneratorResumeMode::NormalMode))));
+                    emitJumpIfTrue(condition.get(), normalLabel.get());
+
+                    emitEqualityOp(op_stricteq, condition.get(), generatorResumeModeRegister(), emitLoad(nullptr, jsNumber(static_cast<int32_t>(JSGeneratorFunction::GeneratorResumeMode::ReturnMode))));
+                    emitJumpIfTrue(condition.get(), returnLabel.get());
+
+                    // Fallthrough to ThrowMode.
+                }
+
+                // Throw.
+                {
+                    Ref<Label> throwMethodFound = newLabel();
+                    RefPtr<RegisterID> throwMethod = emitGetById(newTemporary(), iterator.get(), propertyNames().throwKeyword);
+                    emitJumpIfFalse(emitIsUndefined(newTemporary(), throwMethod.get()), throwMethodFound.get());
+
+                    EmitAwait emitAwaitInIteratorClose = parseMode() == SourceParseMode::AsyncGeneratorBodyMode ? EmitAwait::Yes : EmitAwait::No;
+                    emitIteratorClose(iterator.get(), node, emitAwaitInIteratorClose);
+
+                    emitThrowTypeError("Delegated generator does not have a 'throw' method."_s);
+
+                    emitLabel(throwMethodFound.get());
+                    CallArguments throwArguments(*this, nullptr, 1);
+                    move(throwArguments.thisRegister(), iterator.get());
+                    move(throwArguments.argumentRegister(0), generatorValueRegister());
+                    emitCall(value.get(), throwMethod.get(), NoExpectedFunction, throwArguments, node->divot(), node->divotStart(), node->divotEnd(), DebuggableCall::No);
+
+                    emitJump(branchOnResult.get());
+                }
+
+                // Return.
+                emitLabel(returnLabel.get());
+                {
+                    Ref<Label> returnMethodFound = newLabel();
+                    RefPtr<RegisterID> returnMethod = emitGetById(newTemporary(), iterator.get(), propertyNames().returnKeyword);
+                    emitJumpIfFalse(emitIsUndefined(newTemporary(), returnMethod.get()), returnMethodFound.get());
+
+                    move(value.get(), generatorValueRegister());
+
+                    Ref<Label> returnSequence = newLabel();
+                    emitJump(returnSequence.get());
+
+                    emitLabel(returnMethodFound.get());
+                    CallArguments returnArguments(*this, nullptr, 1);
+                    move(returnArguments.thisRegister(), iterator.get());
+                    move(returnArguments.argumentRegister(0), generatorValueRegister());
+                    emitCall(value.get(), returnMethod.get(), NoExpectedFunction, returnArguments, node->divot(), node->divotStart(), node->divotEnd(), DebuggableCall::No);
+
+                    if (parseMode() == SourceParseMode::AsyncGeneratorBodyMode)
+                        emitAwait(value.get());
+
+                    Ref<Label> returnIteratorResultIsObject = newLabel();
+                    emitJumpIfTrue(emitIsObject(newTemporary(), value.get()), returnIteratorResultIsObject.get());
+                    emitThrowTypeError("Iterator result interface is not an object."_s);
+
+                    emitLabel(returnIteratorResultIsObject.get());
+
+                    Ref<Label> returnFromGenerator = newLabel();
+                    emitJumpIfTrue(emitGetById(newTemporary(), value.get(), propertyNames().done), returnFromGenerator.get());
+
+                    emitGetById(value.get(), value.get(), propertyNames().value);
+                    emitJump(loopStart.get());
+
+                    emitLabel(returnFromGenerator.get());
+                    emitGetById(value.get(), value.get(), propertyNames().value);
+
+                    emitLabel(returnSequence.get());
+                    bool hasFinally = emitReturnViaFinallyIfNeeded(value.get());
+                    if (!hasFinally)
+                        emitReturn(value.get());
+                }
+
+                // Normal.
+                emitLabel(normalLabel.get());
+                move(value.get(), generatorValueRegister());
+            }
+
+            emitLabel(nextElement.get());
+            emitIteratorNextWithValue(value.get(), nextMethod.get(), iterator.get(), value.get(), node);
+
+            emitLabel(branchOnResult.get());
+
+            if (parseMode() == SourceParseMode::AsyncGeneratorBodyMode)
+                emitAwait(value.get());
+
+            Ref<Label> iteratorValueIsObject = newLabel();
+            emitJumpIfTrue(emitIsObject(newTemporary(), value.get()), iteratorValueIsObject.get());
+            emitThrowTypeError("Iterator result interface is not an object."_s);
+            emitLabel(iteratorValueIsObject.get());
+
+            emitJumpIfTrue(emitGetById(newTemporary(), value.get(), propertyNames().done), loopDone.get());
+            emitGetById(value.get(), value.get(), propertyNames().value);
+
+            emitJump(loopStart.get());
+        }
+        emitLabel(loopDone.get());
+    }
+
+    emitGetById(value.get(), value.get(), propertyNames().value);
+    return value.get();
+}
+
+
+void BytecodeGenerator::emitGeneratorStateChange(int32_t state)
+{
+    RegisterID* completedState = emitLoad(nullptr, jsNumber(state));
+    emitPutById(generatorRegister(), propertyNames().builtinNames().generatorStatePrivateName(), completedState);
+}
+
+bool BytecodeGenerator::emitJumpViaFinallyIfNeeded(int targetLabelScopeDepth, Label& jumpTarget)
+{
+    ASSERT(labelScopeDepth() - targetLabelScopeDepth >= 0);
+    size_t numberOfScopesToCheckForFinally = labelScopeDepth() - targetLabelScopeDepth;
+    ASSERT(numberOfScopesToCheckForFinally <= m_controlFlowScopeStack.size());
+    if (!numberOfScopesToCheckForFinally)
+        return false;
+
+    FinallyContext* innermostFinallyContext = nullptr;
+    FinallyContext* outermostFinallyContext = nullptr;
+    size_t scopeIndex = m_controlFlowScopeStack.size() - 1;
+    while (numberOfScopesToCheckForFinally--) {
+        ControlFlowScope* scope = &m_controlFlowScopeStack[scopeIndex--];
+        if (scope->isFinallyScope()) {
+            FinallyContext* finallyContext = &scope->finallyContext;
+            if (!innermostFinallyContext)
+                innermostFinallyContext = finallyContext;
+            outermostFinallyContext = finallyContext;
+            finallyContext->incNumberOfBreaksOrContinues();
+        }
+    }
+    if (!outermostFinallyContext)
+        return false; // No finallys to thread through.
+
+    auto jumpID = bytecodeOffsetToJumpID(instructions().size());
+    int lexicalScopeIndex = labelScopeDepthToLexicalScopeIndex(targetLabelScopeDepth);
+    outermostFinallyContext->registerJump(jumpID, lexicalScopeIndex, jumpTarget);
+
+    emitSetCompletionType(jumpID);
+    emitJump(*innermostFinallyContext->finallyLabel());
+    return true; // We'll be jumping to a finally block.
+}
+
+bool BytecodeGenerator::emitReturnViaFinallyIfNeeded(RegisterID* returnRegister)
+{
+    size_t numberOfScopesToCheckForFinally = m_controlFlowScopeStack.size();
+    if (!numberOfScopesToCheckForFinally)
+        return false;
+
+    FinallyContext* innermostFinallyContext = nullptr;
+    while (numberOfScopesToCheckForFinally) {
+        size_t scopeIndex = --numberOfScopesToCheckForFinally;
+        ControlFlowScope* scope = &m_controlFlowScopeStack[scopeIndex];
+        if (scope->isFinallyScope()) {
+            FinallyContext* finallyContext = &scope->finallyContext;
+            if (!innermostFinallyContext)
+                innermostFinallyContext = finallyContext;
+            finallyContext->setHandlesReturns();
+        }
+    }
+    if (!innermostFinallyContext)
+        return false; // No finallys to thread through.
+
+    emitSetCompletionType(CompletionType::Return);
+    emitSetCompletionValue(returnRegister);
+    emitJump(*innermostFinallyContext->finallyLabel());
+    return true; // We'll be jumping to a finally block.
+}
+
+void BytecodeGenerator::emitFinallyCompletion(FinallyContext& context, RegisterID* completionTypeRegister, Label& normalCompletionLabel)
+{
+    if (context.numberOfBreaksOrContinues() || context.handlesReturns()) {
+        emitJumpIf(op_stricteq, completionTypeRegister, CompletionType::Normal, normalCompletionLabel);
+
+        FinallyContext* outerContext = context.outerContext();
+
+        size_t numberOfJumps = context.numberOfJumps();
+        ASSERT(outerContext || numberOfJumps == context.numberOfBreaksOrContinues());
+
+        for (size_t i = 0; i < numberOfJumps; i++) {
+            Ref<Label> nextLabel = newLabel();
+            auto& jump = context.jumps(i);
+            emitJumpIf(op_nstricteq, completionTypeRegister, jump.jumpID, nextLabel.get());
+
+            restoreScopeRegister(jump.targetLexicalScopeIndex);
+            emitSetCompletionType(CompletionType::Normal);
+            emitJump(jump.targetLabel.get());
+
+            emitLabel(nextLabel.get());
+        }
+
+        if (outerContext) {
+            // We are not the outermost finally.
+            bool hasBreaksOrContinuesNotCoveredByJumps = context.numberOfBreaksOrContinues() > numberOfJumps;
+            if (hasBreaksOrContinuesNotCoveredByJumps || context.handlesReturns())
+                emitJumpIf(op_nstricteq, completionTypeRegister, CompletionType::Throw, *outerContext->finallyLabel());
+
+        } else {
+            // We are the outermost finally.
+            if (context.handlesReturns()) {
+                Ref<Label> notReturnLabel = newLabel();
+                emitJumpIf(op_nstricteq, completionTypeRegister, CompletionType::Return, notReturnLabel.get());
+
+                emitWillLeaveCallFrameDebugHook();
+                emitReturn(completionValueRegister(), ReturnFrom::Finally);
+                
+                emitLabel(notReturnLabel.get());
+            }
+        }
+    }
+    emitJumpIf(op_nstricteq, completionTypeRegister, CompletionType::Throw, normalCompletionLabel);
+    emitThrow(completionValueRegister());
+}
+
+bool BytecodeGenerator::allocateCompletionRecordRegisters()
+{
+    if (m_completionTypeRegister)
+        return false;
+
+    ASSERT(!m_completionValueRegister);
+    m_completionTypeRegister = newTemporary();
+    m_completionValueRegister = newTemporary();
+
+    emitSetCompletionType(CompletionType::Normal);
+    moveEmptyValue(m_completionValueRegister.get());
+    return true;
+}
+
+void BytecodeGenerator::releaseCompletionRecordRegisters()
+{
+    ASSERT(m_completionTypeRegister && m_completionValueRegister);
+    m_completionTypeRegister = nullptr;
+    m_completionValueRegister = nullptr;
+}
+
+void BytecodeGenerator::emitJumpIf(OpcodeID compareOpcode, RegisterID* completionTypeRegister, CompletionType type, Label& jumpTarget)
+{
+    RefPtr<RegisterID> tempRegister = newTemporary();
+    RegisterID* valueConstant = addConstantValue(jsNumber(static_cast<int>(type)));
+    OperandTypes operandTypes = OperandTypes(ResultType::numberTypeIsInt32(), ResultType::unknownType());
+
+    auto equivalenceResult = emitBinaryOp(compareOpcode, tempRegister.get(), valueConstant, completionTypeRegister, operandTypes);
+    emitJumpIfTrue(equivalenceResult, jumpTarget);
+}
+
+void ForInContext::finalize(BytecodeGenerator& generator, UnlinkedCodeBlock* codeBlock, unsigned bodyBytecodeEndOffset)
 {
     // Lexically invalidating ForInContexts is kind of weak sauce, but it only occurs if
@@ -4759 +5189 @@
     // reassigned, or we'd have to resort to runtime checks to see if the variable had been
     // reassigned from its original value.
-    for (size_t i = m_forInContextStack.size(); i--; ) {
-        ForInContext& context = m_forInContextStack[i].get();
-        if (context.local() == localRegister)
-            context.invalidate();
-    }
-}
-
-RegisterID* BytecodeGenerator::emitRestParameter(RegisterID* result, unsigned numParametersToSkip)
-{
-    RefPtr<RegisterID> restArrayLength = newTemporary();
-    emitOpcode(op_get_rest_length);
-    instructions().append(restArrayLength->index());
-    instructions().append(numParametersToSkip);
-
-    emitOpcode(op_create_rest);
-    instructions().append(result->index());
-    instructions().append(restArrayLength->index());
-    instructions().append(numParametersToSkip);
-
-    return result;
-}
-
-void BytecodeGenerator::emitRequireObjectCoercible(RegisterID* value, const String& error)
-{
-    // FIXME: op_jneq_null treats "undetectable" objects as null/undefined. RequireObjectCoercible
-    // thus incorrectly throws a TypeError for interfaces like HTMLAllCollection.
-    Ref<Label> target = newLabel();
-    size_t begin = instructions().size();
-    emitOpcode(op_jneq_null);
-    instructions().append(value->index());
-    instructions().append(target->bind(begin, instructions().size()));
-    emitThrowTypeError(error);
-    emitLabel(target.get());
-}
-
-void BytecodeGenerator::emitYieldPoint(RegisterID* argument, JSAsyncGeneratorFunction::AsyncGeneratorSuspendReason result)
-{
-    Ref<Label> mergePoint = newLabel();
-    unsigned yieldPointIndex = m_yieldPoints++;
-    emitGeneratorStateChange(yieldPointIndex + 1);
-
-    if (parseMode() == SourceParseMode::AsyncGeneratorBodyMode) {
-        int suspendReason = static_cast<int32_t>(result);
-        emitPutById(generatorRegister(), propertyNames().builtinNames().asyncGeneratorSuspendReasonPrivateName(), emitLoad(nullptr, jsNumber(suspendReason)));
-    }
-
-    // Split the try range here.
-    Ref<Label> savePoint = newEmittedLabel();
-    for (unsigned i = m_tryContextStack.size(); i--;) {
-        TryContext& context = m_tryContextStack[i];
-        m_tryRanges.append(TryRange {
-            context.start.copyRef(),
-            savePoint.copyRef(),
-            context.tryData
+
+    for (unsigned offset = bodyBytecodeStartOffset(); isValid() && offset < bodyBytecodeEndOffset;) {
+        UnlinkedInstruction* instruction = &generator.instructions()[offset];
+        OpcodeID opcodeID = instruction->u.opcode;
+        unsigned opcodeLength = opcodeLengths[opcodeID];
+
+        ASSERT(opcodeID != op_enter);
+        computeDefsForBytecodeOffset(codeBlock, opcodeID, instruction, [&] (UnlinkedCodeBlock*, UnlinkedInstruction*, OpcodeID, int operand) {
+            if (local()->index() == operand)
+                invalidate();
         });
-        // Try range will be restared at the merge point.
-        context.start = mergePoint.get();
-    }
-    Vector<TryContext> savedTryContextStack;
-    m_tryContextStack.swap(savedTryContextStack);
-
-    emitOpcode(op_yield);
-    instructions().append(generatorFrameRegister()->index());
-    instructions().append(yieldPointIndex);
-    instructions().append(argument->index());
-
-    // Restore the try contexts, which start offset is updated to the merge point.
-    m_tryContextStack.swap(savedTryContextStack);
-    emitLabel(mergePoint.get());
-}
-
-RegisterID* BytecodeGenerator::emitYield(RegisterID* argument, JSAsyncGeneratorFunction::AsyncGeneratorSuspendReason result)
-{
-    emitYieldPoint(argument, result);
-
-    Ref<Label> normalLabel = newLabel();
-    RefPtr<RegisterID> condition = newTemporary();
-    emitEqualityOp(op_stricteq, condition.get(), generatorResumeModeRegister(), emitLoad(nullptr, jsNumber(static_cast<int32_t>(JSGeneratorFunction::GeneratorResumeMode::NormalMode))));
-    emitJumpIfTrue(condition.get(), normalLabel.get());
-
-    Ref<Label> throwLabel = newLabel();
-    emitEqualityOp(op_stricteq, condition.get(), generatorResumeModeRegister(), emitLoad(nullptr, jsNumber(static_cast<int32_t>(JSGeneratorFunction::GeneratorResumeMode::ThrowMode))));
-    emitJumpIfTrue(condition.get(), throwLabel.get());
-    // Return.
-    {
-        RefPtr<RegisterID> returnRegister = generatorValueRegister();
-        bool hasFinally = emitReturnViaFinallyIfNeeded(returnRegister.get());
-        if (!hasFinally)
-            emitReturn(returnRegister.get());
-    }
-
-    // Throw.
-    emitLabel(throwLabel.get());
-    emitThrow(generatorValueRegister());
-
-    // Normal.
-    emitLabel(normalLabel.get());
-    return generatorValueRegister();
-}
-
-RegisterID* BytecodeGenerator::emitCallIterator(RegisterID* iterator, RegisterID* argument, ThrowableExpressionData* node)
-{
-    CallArguments args(*this, nullptr);
-    move(args.thisRegister(), argument);
-    emitCall(iterator, iterator, NoExpectedFunction, args, node->divot(), node->divotStart(), node->divotEnd(), DebuggableCall::No);
-
-    return iterator;
-}
-
-void BytecodeGenerator::emitAwait(RegisterID* value)
-{
-    emitYield(value, JSAsyncGeneratorFunction::AsyncGeneratorSuspendReason::Await);
-    move(value, generatorValueRegister());
-}
-
-RegisterID* BytecodeGenerator::emitGetIterator(RegisterID* argument, ThrowableExpressionData* node)
-{
-    RefPtr<RegisterID> iterator = emitGetById(newTemporary(), argument, propertyNames().iteratorSymbol);
-    emitCallIterator(iterator.get(), argument, node);
-
-    return iterator.get();
-}
-
-RegisterID* BytecodeGenerator::emitGetAsyncIterator(RegisterID* argument, ThrowableExpressionData* node)
-{
-    RefPtr<RegisterID> iterator = emitGetById(newTemporary(), argument, propertyNames().asyncIteratorSymbol);
-    Ref<Label> asyncIteratorNotFound = newLabel();
-    Ref<Label> asyncIteratorFound = newLabel();
-    Ref<Label> iteratorReceived = newLabel();
-
-    emitJumpIfTrue(emitUnaryOp(op_eq_null, newTemporary(), iterator.get()), asyncIteratorNotFound.get());
-
-    emitJump(asyncIteratorFound.get());
-    emitLabel(asyncIteratorNotFound.get());
-
-    RefPtr<RegisterID> commonIterator = emitGetIterator(argument, node);
-    move(iterator.get(), commonIterator.get());
-
-    RefPtr<RegisterID> nextMethod = emitGetById(newTemporary(), iterator.get(), propertyNames().next);
-
-    auto varCreateAsyncFromSyncIterator = variable(propertyNames().builtinNames().createAsyncFromSyncIteratorPrivateName());
-    RefPtr<RegisterID> scope = newTemporary();
-    move(scope.get(), emitResolveScope(scope.get(), varCreateAsyncFromSyncIterator));
-    RefPtr<RegisterID> createAsyncFromSyncIterator = emitGetFromScope(newTemporary(), scope.get(), varCreateAsyncFromSyncIterator, ThrowIfNotFound);
-
-    CallArguments args(*this, nullptr, 2);
-    emitLoad(args.thisRegister(), jsUndefined());
-
-    move(args.argumentRegister(0), iterator.get());
-    move(args.argumentRegister(1), nextMethod.get());
-
-    JSTextPosition divot(m_scopeNode->firstLine(), m_scopeNode->startOffset(), m_scopeNode->lineStartOffset());
-    emitCall(iterator.get(), createAsyncFromSyncIterator.get(), NoExpectedFunction, args, divot, divot, divot, DebuggableCall::No);
-
-    emitJump(iteratorReceived.get());
-
-    emitLabel(asyncIteratorFound.get());
-    emitCallIterator(iterator.get(), argument, node);
-    emitLabel(iteratorReceived.get());
-
-    return iterator.get();
-}
-
-RegisterID* BytecodeGenerator::emitDelegateYield(RegisterID* argument, ThrowableExpressionData* node)
-{
-    RefPtr<RegisterID> value = newTemporary();
-    {
-        RefPtr<RegisterID> iterator = parseMode() == SourceParseMode::AsyncGeneratorBodyMode ? emitGetAsyncIterator(argument, node) : emitGetIterator(argument, node);
-        RefPtr<RegisterID> nextMethod = emitGetById(newTemporary(), iterator.get(), propertyNames().next);
-
-        Ref<Label> loopDone = newLabel();
-        {
-            Ref<Label> nextElement = newLabel();
-            emitLoad(value.get(), jsUndefined());
-
-            emitJump(nextElement.get());
-
-            Ref<Label> loopStart = newLabel();
-            emitLabel(loopStart.get());
-            emitLoopHint();
-
-            Ref<Label> branchOnResult = newLabel();
-            {
-                emitYieldPoint(value.get(), JSAsyncGeneratorFunction::AsyncGeneratorSuspendReason::Yield);
-
-                Ref<Label> normalLabel = newLabel();
-                Ref<Label> returnLabel = newLabel();
-                {
-                    RefPtr<RegisterID> condition = newTemporary();
-                    emitEqualityOp(op_stricteq, condition.get(), generatorResumeModeRegister(), emitLoad(nullptr, jsNumber(static_cast<int32_t>(JSGeneratorFunction::GeneratorResumeMode::NormalMode))));
-                    emitJumpIfTrue(condition.get(), normalLabel.get());
-
-                    emitEqualityOp(op_stricteq, condition.get(), generatorResumeModeRegister(), emitLoad(nullptr, jsNumber(static_cast<int32_t>(JSGeneratorFunction::GeneratorResumeMode::ReturnMode))));
-                    emitJumpIfTrue(condition.get(), returnLabel.get());
-
-                    // Fallthrough to ThrowMode.
-                }
-
-                // Throw.
-                {
-                    Ref<Label> throwMethodFound = newLabel();
-                    RefPtr<RegisterID> throwMethod = emitGetById(newTemporary(), iterator.get(), propertyNames().throwKeyword);
-                    emitJumpIfFalse(emitIsUndefined(newTemporary(), throwMethod.get()), throwMethodFound.get());
-
-                    EmitAwait emitAwaitInIteratorClose = parseMode() == SourceParseMode::AsyncGeneratorBodyMode ? EmitAwait::Yes : EmitAwait::No;
-                    emitIteratorClose(iterator.get(), node, emitAwaitInIteratorClose);
-
-                    emitThrowTypeError("Delegated generator does not have a 'throw' method."_s);
-
-                    emitLabel(throwMethodFound.get());
-                    CallArguments throwArguments(*this, nullptr, 1);
-                    move(throwArguments.thisRegister(), iterator.get());
-                    move(throwArguments.argumentRegister(0), generatorValueRegister());
-                    emitCall(value.get(), throwMethod.get(), NoExpectedFunction, throwArguments, node->divot(), node->divotStart(), node->divotEnd(), DebuggableCall::No);
-
-                    emitJump(branchOnResult.get());
-                }
-
-                // Return.
-                emitLabel(returnLabel.get());
-                {
-                    Ref<Label> returnMethodFound = newLabel();
-                    RefPtr<RegisterID> returnMethod = emitGetById(newTemporary(), iterator.get(), propertyNames().returnKeyword);
-                    emitJumpIfFalse(emitIsUndefined(newTemporary(), returnMethod.get()), returnMethodFound.get());
-
-                    move(value.get(), generatorValueRegister());
-
-                    Ref<Label> returnSequence = newLabel();
-                    emitJump(returnSequence.get());
-
-                    emitLabel(returnMethodFound.get());
-                    CallArguments returnArguments(*this, nullptr, 1);
-                    move(returnArguments.thisRegister(), iterator.get());
-                    move(returnArguments.argumentRegister(0), generatorValueRegister());
-                    emitCall(value.get(), returnMethod.get(), NoExpectedFunction, returnArguments, node->divot(), node->divotStart(), node->divotEnd(), DebuggableCall::No);
-
-                    if (parseMode() == SourceParseMode::AsyncGeneratorBodyMode)
-                        emitAwait(value.get());
-
-                    Ref<Label> returnIteratorResultIsObject = newLabel();
-                    emitJumpIfTrue(emitIsObject(newTemporary(), value.get()), returnIteratorResultIsObject.get());
-                    emitThrowTypeError("Iterator result interface is not an object."_s);
-
-                    emitLabel(returnIteratorResultIsObject.get());
-
-                    Ref<Label> returnFromGenerator = newLabel();
-                    emitJumpIfTrue(emitGetById(newTemporary(), value.get(), propertyNames().done), returnFromGenerator.get());
-
-                    emitGetById(value.get(), value.get(), propertyNames().value);
-                    emitJump(loopStart.get());
-
-                    emitLabel(returnFromGenerator.get());
-                    emitGetById(value.get(), value.get(), propertyNames().value);
-
-                    emitLabel(returnSequence.get());
-                    bool hasFinally = emitReturnViaFinallyIfNeeded(value.get());
-                    if (!hasFinally)
-                        emitReturn(value.get());
-                }
-
-                // Normal.
-                emitLabel(normalLabel.get());
-                move(value.get(), generatorValueRegister());
-            }
-
-            emitLabel(nextElement.get());
-            emitIteratorNextWithValue(value.get(), nextMethod.get(), iterator.get(), value.get(), node);
-
-            emitLabel(branchOnResult.get());
-
-            if (parseMode() == SourceParseMode::AsyncGeneratorBodyMode)
-                emitAwait(value.get());
-
-            Ref<Label> iteratorValueIsObject = newLabel();
-            emitJumpIfTrue(emitIsObject(newTemporary(), value.get()), iteratorValueIsObject.get());
-            emitThrowTypeError("Iterator result interface is not an object."_s);
-            emitLabel(iteratorValueIsObject.get());
-
-            emitJumpIfTrue(emitGetById(newTemporary(), value.get(), propertyNames().done), loopDone.get());
-            emitGetById(value.get(), value.get(), propertyNames().value);
-
-            emitJump(loopStart.get());
-        }
-        emitLabel(loopDone.get());
-    }
-
-    emitGetById(value.get(), value.get(), propertyNames().value);
-    return value.get();
-}
-
-
-void BytecodeGenerator::emitGeneratorStateChange(int32_t state)
-{
-    RegisterID* completedState = emitLoad(nullptr, jsNumber(state));
-    emitPutById(generatorRegister(), propertyNames().builtinNames().generatorStatePrivateName(), completedState);
-}
-
-bool BytecodeGenerator::emitJumpViaFinallyIfNeeded(int targetLabelScopeDepth, Label& jumpTarget)
-{
-    ASSERT(labelScopeDepth() - targetLabelScopeDepth >= 0);
-    size_t numberOfScopesToCheckForFinally = labelScopeDepth() - targetLabelScopeDepth;
-    ASSERT(numberOfScopesToCheckForFinally <= m_controlFlowScopeStack.size());
-    if (!numberOfScopesToCheckForFinally)
-        return false;
-
-    FinallyContext* innermostFinallyContext = nullptr;
-    FinallyContext* outermostFinallyContext = nullptr;
-    size_t scopeIndex = m_controlFlowScopeStack.size() - 1;
-    while (numberOfScopesToCheckForFinally--) {
-        ControlFlowScope* scope = &m_controlFlowScopeStack[scopeIndex--];
-        if (scope->isFinallyScope()) {
-            FinallyContext* finallyContext = &scope->finallyContext;
-            if (!innermostFinallyContext)
-                innermostFinallyContext = finallyContext;
-            outermostFinallyContext = finallyContext;
-            finallyContext->incNumberOfBreaksOrContinues();
-        }
-    }
-    if (!outermostFinallyContext)
-        return false; // No finallys to thread through.
-
-    auto jumpID = bytecodeOffsetToJumpID(instructions().size());
-    int lexicalScopeIndex = labelScopeDepthToLexicalScopeIndex(targetLabelScopeDepth);
-    outermostFinallyContext->registerJump(jumpID, lexicalScopeIndex, jumpTarget);
-
-    emitSetCompletionType(jumpID);
-    emitJump(*innermostFinallyContext->finallyLabel());
-    return true; // We'll be jumping to a finally block.
-}
-
-bool BytecodeGenerator::emitReturnViaFinallyIfNeeded(RegisterID* returnRegister)
-{
-    size_t numberOfScopesToCheckForFinally = m_controlFlowScopeStack.size();
-    if (!numberOfScopesToCheckForFinally)
-        return false;
-
-    FinallyContext* innermostFinallyContext = nullptr;
-    while (numberOfScopesToCheckForFinally) {
-        size_t scopeIndex = --numberOfScopesToCheckForFinally;
-        ControlFlowScope* scope = &m_controlFlowScopeStack[scopeIndex];
-        if (scope->isFinallyScope()) {
-            FinallyContext* finallyContext = &scope->finallyContext;
-            if (!innermostFinallyContext)
-                innermostFinallyContext = finallyContext;
-            finallyContext->setHandlesReturns();
-        }
-    }
-    if (!innermostFinallyContext)
-        return false; // No finallys to thread through.
-
-    emitSetCompletionType(CompletionType::Return);
-    emitSetCompletionValue(returnRegister);
-    emitJump(*innermostFinallyContext->finallyLabel());
-    return true; // We'll be jumping to a finally block.
-}
-
-void BytecodeGenerator::emitFinallyCompletion(FinallyContext& context, RegisterID* completionTypeRegister, Label& normalCompletionLabel)
-{
-    if (context.numberOfBreaksOrContinues() || context.handlesReturns()) {
-        emitJumpIf(op_stricteq, completionTypeRegister, CompletionType::Normal, normalCompletionLabel);
-
-        FinallyContext* outerContext = context.outerContext();
-
-        size_t numberOfJumps = context.numberOfJumps();
-        ASSERT(outerContext || numberOfJumps == context.numberOfBreaksOrContinues());
-
-        for (size_t i = 0; i < numberOfJumps; i++) {
-            Ref<Label> nextLabel = newLabel();
-            auto& jump = context.jumps(i);
-            emitJumpIf(op_nstricteq, completionTypeRegister, jump.jumpID, nextLabel.get());
-
-            restoreScopeRegister(jump.targetLexicalScopeIndex);
-            emitSetCompletionType(CompletionType::Normal);
-            emitJump(jump.targetLabel.get());
-
-            emitLabel(nextLabel.get());
-        }
-
-        if (outerContext) {
-            // We are not the outermost finally.
-            bool hasBreaksOrContinuesNotCoveredByJumps = context.numberOfBreaksOrContinues() > numberOfJumps;
-            if (hasBreaksOrContinuesNotCoveredByJumps || context.handlesReturns())
-                emitJumpIf(op_nstricteq, completionTypeRegister, CompletionType::Throw, *outerContext->finallyLabel());
-
-        } else {
-            // We are the outermost finally.
-            if (context.handlesReturns()) {
-                Ref<Label> notReturnLabel = newLabel();
-                emitJumpIf(op_nstricteq, completionTypeRegister, CompletionType::Return, notReturnLabel.get());
-
-                emitWillLeaveCallFrameDebugHook();
-                emitReturn(completionValueRegister(), ReturnFrom::Finally);
-                
-                emitLabel(notReturnLabel.get());
-            }
-        }
-    }
-    emitJumpIf(op_nstricteq, completionTypeRegister, CompletionType::Throw, normalCompletionLabel);
-    emitThrow(completionValueRegister());
-}
-
-bool BytecodeGenerator::allocateCompletionRecordRegisters()
-{
-    if (m_completionTypeRegister)
-        return false;
-
-    ASSERT(!m_completionValueRegister);
-    m_completionTypeRegister = newTemporary();
-    m_completionValueRegister = newTemporary();
-
-    emitSetCompletionType(CompletionType::Normal);
-    moveEmptyValue(m_completionValueRegister.get());
-    return true;
-}
-
-void BytecodeGenerator::releaseCompletionRecordRegisters()
-{
-    ASSERT(m_completionTypeRegister && m_completionValueRegister);
-    m_completionTypeRegister = nullptr;
-    m_completionValueRegister = nullptr;
-}
-
-void BytecodeGenerator::emitJumpIf(OpcodeID compareOpcode, RegisterID* completionTypeRegister, CompletionType type, Label& jumpTarget)
-{
-    RefPtr<RegisterID> tempRegister = newTemporary();
-    RegisterID* valueConstant = addConstantValue(jsNumber(static_cast<int>(type)));
-    OperandTypes operandTypes = OperandTypes(ResultType::numberTypeIsInt32(), ResultType::unknownType());
-
-    auto equivalenceResult = emitBinaryOp(compareOpcode, tempRegister.get(), valueConstant, completionTypeRegister, operandTypes);
-    emitJumpIfTrue(equivalenceResult, jumpTarget);
-}
-
-void StructureForInContext::finalize(BytecodeGenerator& generator)
-{
+        offset += opcodeLength;
+    }
+}
+
+void StructureForInContext::finalize(BytecodeGenerator& generator, UnlinkedCodeBlock* codeBlock, unsigned bodyBytecodeEndOffset)
+{
+    Base::finalize(generator, codeBlock, bodyBytecodeEndOffset);
     if (isValid())
         return;
@@ -5220 +5234 @@
 }
 
-void IndexedForInContext::finalize(BytecodeGenerator& generator)
-{
+void IndexedForInContext::finalize(BytecodeGenerator& generator, UnlinkedCodeBlock* codeBlock, unsigned bodyBytecodeEndOffset)
+{
+    Base::finalize(generator, codeBlock, bodyBytecodeEndOffset);
     if (isValid())
         return;

releases/WebKitGTK/webkit-2.22/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -212 +212 @@
 
     protected:
-        ForInContext(RegisterID* localRegister, Type type)
+        ForInContext(RegisterID* localRegister, Type type, unsigned bodyBytecodeStartOffset)
             : m_localRegister(localRegister)
             , m_type(type)
+            , m_bodyBytecodeStartOffset(bodyBytecodeStartOffset)
         { }
+
+        unsigned bodyBytecodeStartOffset() const { return m_bodyBytecodeStartOffset; }
+
+        void finalize(BytecodeGenerator&, UnlinkedCodeBlock*, unsigned bodyBytecodeEndOffset);
 
     private:
@@ -221 +226 @@
         bool m_isValid { true };
         Type m_type;
+        unsigned m_bodyBytecodeStartOffset;
     };
 
     class StructureForInContext : public ForInContext {
+        using Base = ForInContext;
     public:
         using GetInst = std::tuple<unsigned, int, UnlinkedValueProfile>;
 
-        StructureForInContext(RegisterID* localRegister, RegisterID* indexRegister, RegisterID* propertyRegister, RegisterID* enumeratorRegister)
-            : ForInContext(localRegister, Type::StructureForIn)
+        StructureForInContext(RegisterID* localRegister, RegisterID* indexRegister, RegisterID* propertyRegister, RegisterID* enumeratorRegister, unsigned bodyBytecodeStartOffset)
+            : ForInContext(localRegister, Type::StructureForIn, bodyBytecodeStartOffset)
             , m_indexRegister(indexRegister)
             , m_propertyRegister(propertyRegister)
@@ -244 +251 @@
         }
 
-        void finalize(BytecodeGenerator&);
+        void finalize(BytecodeGenerator&, UnlinkedCodeBlock*, unsigned bodyBytecodeEndOffset);
 
     private:
@@ -254 +261 @@
 
     class IndexedForInContext : public ForInContext {
+        using Base = ForInContext;
     public:
-        IndexedForInContext(RegisterID* localRegister, RegisterID* indexRegister)
-            : ForInContext(localRegister, Type::IndexedForIn)
+        IndexedForInContext(RegisterID* localRegister, RegisterID* indexRegister, unsigned bodyBytecodeStartOffset)
+            : ForInContext(localRegister, Type::IndexedForIn, bodyBytecodeStartOffset)
             , m_indexRegister(indexRegister)
         {
@@ -263 +271 @@
         RegisterID* index() const { return m_indexRegister.get(); }
 
-        void finalize(BytecodeGenerator&);
+        void finalize(BytecodeGenerator&, UnlinkedCodeBlock*, unsigned bodyBytecodeEndOffset);
         void addGetInst(unsigned instIndex, int propertyIndex) { m_getInsts.append({ instIndex, propertyIndex }); }
 
@@ -939 +947 @@
         void pushStructureForInScope(RegisterID* local, RegisterID* index, RegisterID* property, RegisterID* enumerator);
         void popStructureForInScope(RegisterID* local);
-        void invalidateForInContextForLocal(RegisterID* local);
 
         LabelScope* breakTarget(const Identifier&);

releases/WebKitGTK/webkit-2.22/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -1557 +1557 @@
             localReg = generator.move(generator.tempDestination(dst), local);
         }
-        generator.invalidateForInContextForLocal(local);
         RefPtr<RegisterID> oldValue = emitPostIncOrDec(generator, generator.finalDestination(dst), localReg.get(), m_operator);
         generator.emitProfileType(localReg.get(), var, divotStart(), divotEnd());
@@ -1770 +1769 @@
             localReg = generator.move(generator.tempDestination(dst), localReg.get());
         } else if (generator.vm()->typeProfiler()) {
-            generator.invalidateForInContextForLocal(local);
             RefPtr<RegisterID> tempDst = generator.tempDestination(dst);
             generator.move(tempDst.get(), localReg.get());
@@ -1778 +1776 @@
             return generator.move(dst, tempDst.get());
         }
-        generator.invalidateForInContextForLocal(local);
         emitIncOrDec(generator, localReg.get(), m_operator);
         return generator.move(dst, localReg.get());
@@ -2442 +2439 @@
             emitReadModifyAssignment(generator, result.get(), result.get(), m_right, m_operator, OperandTypes(ResultType::unknownType(), m_right->resultDescriptor()));
             generator.move(local, result.get());
-            generator.invalidateForInContextForLocal(local);
             generator.emitProfileType(local, divotStart(), divotEnd());
             return generator.move(dst, result.get());
@@ -2448 +2444 @@
         
         RegisterID* result = emitReadModifyAssignment(generator, local, local, m_right, m_operator, OperandTypes(ResultType::unknownType(), m_right->resultDescriptor()));
-        generator.invalidateForInContextForLocal(local);
         generator.emitProfileType(result, divotStart(), divotEnd());
         return generator.move(dst, result);
@@ -2506 +2501 @@
             generator.move(local, tempDst.get());
             generator.emitProfileType(local, var, divotStart(), divotEnd());
-            generator.invalidateForInContextForLocal(local);
             result = generator.move(dst, tempDst.get());
         } else {
             RegisterID* right = generator.emitNode(local, m_right);
             generator.emitProfileType(right, var, divotStart(), divotEnd());
-            generator.invalidateForInContextForLocal(local);
             result = generator.move(dst, right);
         }
@@ -2753 +2746 @@
     if (RegisterID* local = var.local()) {
         generator.emitLoad(local, jsUndefined());
-        generator.invalidateForInContextForLocal(local);
         generator.emitProfileType(local, var, position(), JSTextPosition(-1, position().offset + m_ident.length(), -1));
     } else {
@@ -2967 +2959 @@
                 generator.emitReadOnlyExceptionIfNeeded(var);
             generator.move(local, propertyName);
-            generator.invalidateForInContextForLocal(local);
         } else {
             if (generator.isStrictMode())
@@ -3035 +3026 @@
         }
         generator.move(var.local(), propertyName);
-        generator.invalidateForInContextForLocal(var.local());
         generator.emitProfileType(propertyName, var, simpleBinding->divotStart(), simpleBinding->divotEnd());
         return;
@@ -3226 +3216 @@
                     generator.emitReadOnlyExceptionIfNeeded(var);
                 generator.move(local, value);
-                generator.invalidateForInContextForLocal(local);
             } else {
                 if (generator.isStrictMode())
@@ -4400 +4389 @@
         }
         generator.move(local, value);
-        generator.invalidateForInContextForLocal(local);
         generator.emitProfileType(local, var, divotStart(), divotEnd());
         if (m_bindingContext == AssignmentContext::DeclarationStatement || m_bindingContext == AssignmentContext::ConstDeclarationStatement)
@@ -4449 +4437 @@
                 generator.emitReadOnlyExceptionIfNeeded(var);
             else {
-                generator.invalidateForInContextForLocal(local);
                 generator.move(local, value);
                 generator.emitProfileType(local, divotStart(), divotEnd());

releases/WebKitGTK/webkit-2.22/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -811 +811 @@
     CHECK_EXCEPTION();
     JSValue property = OP(3).jsValue();
+    ASSERT(property.isString());
     JSString* string = asString(property);
     auto propertyName = string->toIdentifier(exec);
@@ -822 +823 @@
     JSValue baseValue = OP_C(2).jsValue();
     JSValue property = OP(3).jsValue();
+    ASSERT(property.isString());
     JSString* string = asString(property);
     auto propertyName = string->toIdentifier(exec);