Changeset 230444 in webkit

Timestamp:

Apr 9, 2018, 10:42:01 AM (7 years ago)

Author:

mark.lam@apple.com

Message:

Add pointer profiling to the FTL and supporting code.
​https://bugs.webkit.org/show_bug.cgi?id=184395
<rdar://problem/39264019>

Reviewed by Michael Saboff and Filip Pizlo.

• assembler/CodeLocation.h:

(JSC::CodeLocationLabel::retagged):
(JSC::CodeLocationJump::retagged):

• assembler/LinkBuffer.h:

(JSC::LinkBuffer::locationOf):

• dfg/DFGJITCompiler.cpp:

(JSC::DFG::JITCompiler::linkOSRExits):
(JSC::DFG::JITCompiler::link):

• ftl/FTLCompile.cpp:

(JSC::FTL::compile):

• ftl/FTLExceptionTarget.cpp:

(JSC::FTL::ExceptionTarget::label):
(JSC::FTL::ExceptionTarget::jumps):

• ftl/FTLExceptionTarget.h:
• ftl/FTLJITCode.cpp:

(JSC::FTL::JITCode::executableAddressAtOffset):

• ftl/FTLLazySlowPath.cpp:

(JSC::FTL::LazySlowPath::~LazySlowPath):
(JSC::FTL::LazySlowPath::initialize):
(JSC::FTL::LazySlowPath::generate):
(JSC::FTL::LazySlowPath::LazySlowPath): Deleted.

• ftl/FTLLazySlowPath.h:
• ftl/FTLLink.cpp:

(JSC::FTL::link):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::lower):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
(JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):

• ftl/FTLOSRExitCompiler.cpp:

(JSC::FTL::compileStub):
(JSC::FTL::compileFTLOSRExit):

• ftl/FTLOSRExitHandle.cpp:

(JSC::FTL::OSRExitHandle::emitExitThunk):

• ftl/FTLOperations.cpp:

(JSC::FTL::compileFTLLazySlowPath):

• ftl/FTLOutput.h:

(JSC::FTL::Output::callWithoutSideEffects):
(JSC::FTL::Output::operation):

• ftl/FTLPatchpointExceptionHandle.cpp:

(JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):

• ftl/FTLSlowPathCall.cpp:

(JSC::FTL::SlowPathCallContext::makeCall):

• ftl/FTLSlowPathCallKey.h:

(JSC::FTL::SlowPathCallKey::withCallTarget):
(JSC::FTL::SlowPathCallKey::callPtrTag const):

• ftl/FTLThunks.cpp:

(JSC::FTL::genericGenerationThunkGenerator):
(JSC::FTL::osrExitGenerationThunkGenerator):
(JSC::FTL::lazySlowPathGenerationThunkGenerator):
(JSC::FTL::slowPathCallThunkGenerator):

• jit/JITMathIC.h:

(JSC::isProfileEmpty):

• jit/Repatch.cpp:

(JSC::readPutICCallTarget):
(JSC::ftlThunkAwareRepatchCall):
(JSC::tryCacheGetByID):
(JSC::repatchGetByID):
(JSC::tryCachePutByID):
(JSC::repatchPutByID):
(JSC::repatchIn):
(JSC::resetGetByID):
(JSC::resetPutByID):
(JSC::readCallTarget): Deleted.

• jit/Repatch.h:
• runtime/PtrTag.h:

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• assembler/CodeLocation.h (modified) (3 diffs)
• assembler/LinkBuffer.h (modified) (1 diff)
• dfg/DFGJITCompiler.cpp (modified) (3 diffs)
• ftl/FTLCompile.cpp (modified) (5 diffs)
• ftl/FTLExceptionTarget.cpp (modified) (4 diffs)
• ftl/FTLExceptionTarget.h (modified) (2 diffs)
• ftl/FTLJITCode.cpp (modified) (3 diffs)
• ftl/FTLLazySlowPath.cpp (modified) (2 diffs)
• ftl/FTLLazySlowPath.h (modified) (2 diffs)
• ftl/FTLLink.cpp (modified) (7 diffs)
• ftl/FTLLowerDFGToB3.cpp (modified) (12 diffs)
• ftl/FTLOSRExitCompiler.cpp (modified) (5 diffs)
• ftl/FTLOSRExitHandle.cpp (modified) (2 diffs)
• ftl/FTLOperations.cpp (modified) (2 diffs)
• ftl/FTLOutput.h (modified) (2 diffs)
• ftl/FTLPatchpointExceptionHandle.cpp (modified) (2 diffs)
• ftl/FTLSlowPathCall.cpp (modified) (1 diff)
• ftl/FTLSlowPathCallKey.h (modified) (4 diffs)
• ftl/FTLThunks.cpp (modified) (8 diffs)
• jit/JITMathIC.h (modified) (2 diffs)
• jit/Repatch.cpp (modified) (11 diffs)
• jit/Repatch.h (modified) (1 diff)
• runtime/PtrTag.h (modified) (3 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2018-04-08  Mark Lam  <mark.lam@apple.com>
+
+        Add pointer profiling to the FTL and supporting code.
+        https://bugs.webkit.org/show_bug.cgi?id=184395
+        <rdar://problem/39264019>
+
+        Reviewed by Michael Saboff and Filip Pizlo.
+
+        * assembler/CodeLocation.h:
+        (JSC::CodeLocationLabel::retagged):
+        (JSC::CodeLocationJump::retagged):
+        * assembler/LinkBuffer.h:
+        (JSC::LinkBuffer::locationOf):
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::linkOSRExits):
+        (JSC::DFG::JITCompiler::link):
+        * ftl/FTLCompile.cpp:
+        (JSC::FTL::compile):
+        * ftl/FTLExceptionTarget.cpp:
+        (JSC::FTL::ExceptionTarget::label):
+        (JSC::FTL::ExceptionTarget::jumps):
+        * ftl/FTLExceptionTarget.h:
+        * ftl/FTLJITCode.cpp:
+        (JSC::FTL::JITCode::executableAddressAtOffset):
+        * ftl/FTLLazySlowPath.cpp:
+        (JSC::FTL::LazySlowPath::~LazySlowPath):
+        (JSC::FTL::LazySlowPath::initialize):
+        (JSC::FTL::LazySlowPath::generate):
+        (JSC::FTL::LazySlowPath::LazySlowPath): Deleted.
+        * ftl/FTLLazySlowPath.h:
+        * ftl/FTLLink.cpp:
+        (JSC::FTL::link):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::lower):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
+        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
+        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
+        (JSC::FTL::DFG::LowerDFGToB3::lazySlowPath):
+        * ftl/FTLOSRExitCompiler.cpp:
+        (JSC::FTL::compileStub):
+        (JSC::FTL::compileFTLOSRExit):
+        * ftl/FTLOSRExitHandle.cpp:
+        (JSC::FTL::OSRExitHandle::emitExitThunk):
+        * ftl/FTLOperations.cpp:
+        (JSC::FTL::compileFTLLazySlowPath):
+        * ftl/FTLOutput.h:
+        (JSC::FTL::Output::callWithoutSideEffects):
+        (JSC::FTL::Output::operation):
+        * ftl/FTLPatchpointExceptionHandle.cpp:
+        (JSC::FTL::PatchpointExceptionHandle::scheduleExitCreationForUnwind):
+        * ftl/FTLSlowPathCall.cpp:
+        (JSC::FTL::SlowPathCallContext::makeCall):
+        * ftl/FTLSlowPathCallKey.h:
+        (JSC::FTL::SlowPathCallKey::withCallTarget):
+        (JSC::FTL::SlowPathCallKey::callPtrTag const):
+        * ftl/FTLThunks.cpp:
+        (JSC::FTL::genericGenerationThunkGenerator):
+        (JSC::FTL::osrExitGenerationThunkGenerator):
+        (JSC::FTL::lazySlowPathGenerationThunkGenerator):
+        (JSC::FTL::slowPathCallThunkGenerator):
+        * jit/JITMathIC.h:
+        (JSC::isProfileEmpty):
+        * jit/Repatch.cpp:
+        (JSC::readPutICCallTarget):
+        (JSC::ftlThunkAwareRepatchCall):
+        (JSC::tryCacheGetByID):
+        (JSC::repatchGetByID):
+        (JSC::tryCachePutByID):
+        (JSC::repatchPutByID):
+        (JSC::repatchIn):
+        (JSC::resetGetByID):
+        (JSC::resetPutByID):
+        (JSC::readCallTarget): Deleted.
+        * jit/Repatch.h:
+        * runtime/PtrTag.h:
+
 2018-04-08  Yusuke Suzuki  <utatane.tea@gmail.com>
 

trunk/Source/JavaScriptCore/assembler/CodeLocation.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2009-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -94 +94 @@
     explicit CodeLocationLabel(void* location)
         : CodeLocationCommon(MacroAssemblerCodePtr(location)) {}
+
+    CodeLocationLabel retagged(PtrTag oldTag, PtrTag newTag) { return CodeLocationLabel(MacroAssemblerCodePtr::retagged(oldTag, newTag)); }
 };
 
@@ -103 +105 @@
     explicit CodeLocationJump(void* location)
         : CodeLocationCommon(MacroAssemblerCodePtr(location)) {}
+
+    CodeLocationJump retagged(PtrTag oldTag, PtrTag newTag) { return CodeLocationJump(MacroAssemblerCodePtr::retagged(oldTag, newTag)); }
 };
 

trunk/Source/JavaScriptCore/assembler/LinkBuffer.h

@@ -187 +187 @@
     }
 
-    CodeLocationLabel locationOf(PatchableJump jump)
-    {
-        return CodeLocationLabel(MacroAssembler::getLinkerAddress(code(), applyOffset(jump.m_jump.m_label)));
+    CodeLocationLabel locationOf(PatchableJump jump, PtrTag tag = NoPtrTag)
+    {
+        return CodeLocationLabel(MacroAssembler::getLinkerAddress(code(), applyOffset(jump.m_jump.m_label), tag));
     }
 

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2011-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -87 +87 @@
     
     MacroAssemblerCodeRef osrExitThunk = vm()->getCTIStub(osrExitThunkGenerator);
-    CodeLocationLabel osrExitThunkLabel = CodeLocationLabel(osrExitThunk.code());
+    PtrTag osrExitThunkTag = ptrTag(DFGOSRExitPtrTag, vm());
+    CodeLocationLabel osrExitThunkLabel = CodeLocationLabel(osrExitThunk.retaggedCode(osrExitThunkTag, NearJumpPtrTag));
     for (unsigned i = 0; i < m_jitCode->osrExit.size(); ++i) {
         OSRExitCompilationInfo& info = m_exitCompilationInfo[i];
@@ -321 +322 @@
     
     MacroAssemblerCodeRef osrExitThunk = vm()->getCTIStub(osrExitGenerationThunkGenerator);
-    CodeLocationLabel target = CodeLocationLabel(osrExitThunk.code());
+    PtrTag osrExitThunkTag = ptrTag(DFGOSRExitPtrTag, vm());
+    CodeLocationLabel target = CodeLocationLabel(osrExitThunk.retaggedCode(osrExitThunkTag, NearJumpPtrTag));
     for (unsigned i = 0; i < m_jitCode->osrExit.size(); ++i) {
         OSRExitCompilationInfo& info = m_exitCompilationInfo[i];

trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -80 +80 @@
         std::make_unique<RegisterAtOffsetList>(state.proc->calleeSaveRegisterAtOffsetList());
     if (shouldDumpDisassembly())
-        dataLog("Unwind info for ", CodeBlockWithJITType(state.graph.m_codeBlock, JITCode::FTLJIT), ": ", *registerOffsets, "\n");
-    state.graph.m_codeBlock->setCalleeSaveRegisters(WTFMove(registerOffsets));
+        dataLog("Unwind info for ", CodeBlockWithJITType(codeBlock, JITCode::FTLJIT), ": ", *registerOffsets, "\n");
+    codeBlock->setCalleeSaveRegisters(WTFMove(registerOffsets));
     ASSERT(!(state.proc->frameSize() % sizeof(EncodedJSValue)));
     state.jitCode->common.frameRegisterCount = state.proc->frameSize() / sizeof(EncodedJSValue);
@@ -135 +135 @@
     jit.move(MacroAssembler::TrustedImmPtr(&vm), GPRInfo::argumentGPR0);
     jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR1);
-    CCallHelpers::Call call = jit.call(NoPtrTag);
+    PtrTag callTag = ptrTag(FTLOperationPtrTag, nextPtrTagID());
+    CCallHelpers::Call call = jit.call(callTag);
     jit.jumpToExceptionHandler(vm);
     jit.addLinkTask(
         [=] (LinkBuffer& linkBuffer) {
-            linkBuffer.link(call, FunctionPtr(lookupExceptionHandler));
+            linkBuffer.link(call, FunctionPtr(lookupExceptionHandler, callTag));
         });
 
@@ -153 +154 @@
         codeBlock->setPCToCodeOriginMap(std::make_unique<PCToCodeOriginMap>(PCToCodeOriginMapBuilder(vm, WTFMove(originMap)), *state.finalizer->b3CodeLinkBuffer));
 
-    CodeLocationLabel label = state.finalizer->b3CodeLinkBuffer->locationOf(state.proc->entrypointLabel(0));
+    PtrTag entryTag = ptrTag(FTLCodePtrTag, codeBlock);
+    CodeLocationLabel label = state.finalizer->b3CodeLinkBuffer->locationOf(state.proc->entrypointLabel(0), entryTag);
     state.generatedFunction = label.executableAddress<GeneratedFunction>();
     state.jitCode->initializeB3Byproducts(state.proc->releaseByproducts());
@@ -162 +164 @@
         Vector<FlushFormat> argumentFormats = state.graph.m_argumentFormats[entrypointIndex];
         state.jitCode->common.appendCatchEntrypoint(
-            catchBytecodeOffset, state.finalizer->b3CodeLinkBuffer->locationOf(state.proc->entrypointLabel(entrypointIndex)).executableAddress(), WTFMove(argumentFormats));
+            catchBytecodeOffset, state.finalizer->b3CodeLinkBuffer->locationOf(state.proc->entrypointLabel(entrypointIndex), ExceptionHandlerPtrTag).executableAddress(), WTFMove(argumentFormats));
     }
     state.jitCode->common.finalizeCatchEntrypoints();

trunk/Source/JavaScriptCore/ftl/FTLExceptionTarget.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -37 +37 @@
 }
 
-CodeLocationLabel ExceptionTarget::label(LinkBuffer& linkBuffer)
+CodeLocationLabel ExceptionTarget::label(LinkBuffer& linkBuffer, PtrTag handlerTag)
 {
     if (m_isDefaultHandler)
-        return linkBuffer.locationOf(*m_defaultHandler);
-    return linkBuffer.locationOf(m_handle->label);
+        return linkBuffer.locationOf(*m_defaultHandler, handlerTag);
+    return linkBuffer.locationOf(m_handle->label, handlerTag);
 }
 
@@ -51 +51 @@
         jit.addLinkTask(
             [=] (LinkBuffer& linkBuffer) {
-                linkBuffer.link(*result, linkBuffer.locationOf(*defaultHandler));
+                linkBuffer.link(*result, linkBuffer.locationOf(*defaultHandler, ExceptionHandlerPtrTag));
             });
     } else {
@@ -57 +57 @@
         jit.addLinkTask(
             [=] (LinkBuffer& linkBuffer) {
-                linkBuffer.link(*result, linkBuffer.locationOf(handle->label));
+                linkBuffer.link(*result, linkBuffer.locationOf(handle->label, DFGOSRExitPtrTag));
             });
     }

trunk/Source/JavaScriptCore/ftl/FTLExceptionTarget.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -44 +44 @@
 
     // It's OK to call this during linking, but not any sooner.
-    CodeLocationLabel label(LinkBuffer&);
+    CodeLocationLabel label(LinkBuffer&, PtrTag handlerTag);
 
     // Or, you can get a JumpList at any time. Anything you add to this JumpList will be linked to

trunk/Source/JavaScriptCore/ftl/FTLJITCode.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -30 +30 @@
 
 #include "FTLState.h"
+#include "PtrTag.h"
 
 namespace JSC { namespace FTL {
@@ -86 +87 @@
 {
     return m_addressForCall.executableAddress<char*>() + offset;
+    assertIsTaggedWith(m_addressForCall.executableAddress(), CodeEntryPtrTag);
+    if (!offset)
+        return m_addressForCall.executableAddress();
+
+    char* executableAddress = untagCodePtr<char*>(m_addressForCall.executableAddress(), CodeEntryPtrTag);
+    return tagCodePtr(executableAddress + offset, CodeEntryPtrTag);
 }
 

trunk/Source/JavaScriptCore/ftl/FTLLazySlowPath.cpp

@@ -34 +34 @@
 namespace JSC { namespace FTL {
 
-LazySlowPath::LazySlowPath(
+LazySlowPath::~LazySlowPath()
+{
+}
+
+void LazySlowPath::initialize(
     CodeLocationJump patchableJump, CodeLocationLabel done,
     CodeLocationLabel exceptionTarget,
     const RegisterSet& usedRegisters, CallSiteIndex callSiteIndex, RefPtr<Generator> generator
     )
-    : m_patchableJump(patchableJump)
-    , m_done(done)
-    , m_exceptionTarget(exceptionTarget)
-    , m_usedRegisters(usedRegisters)
-    , m_callSiteIndex(callSiteIndex)
-    , m_generator(generator)
 {
-}
-
-LazySlowPath::~LazySlowPath()
-{
+    m_patchableJump = patchableJump;
+    m_done = done;
+    m_exceptionTarget = exceptionTarget;
+    m_usedRegisters = usedRegisters;
+    m_callSiteIndex = callSiteIndex;
+    m_generator = generator;
 }
 
@@ -64 +64 @@
     m_generator->run(jit, params);
 
+    PtrTag slowPathTag = ptrTag(FTLLazySlowPathPtrTag, bitwise_cast<PtrTag>(this));
     LinkBuffer linkBuffer(jit, codeBlock, JITCompilationMustSucceed);
-    linkBuffer.link(params.doneJumps, m_done);
+    linkBuffer.link(params.doneJumps, m_done.retagged(slowPathTag, NearJumpPtrTag));
     if (m_exceptionTarget)
-        linkBuffer.link(exceptionJumps, m_exceptionTarget);
-    m_stub = FINALIZE_CODE_FOR(codeBlock, linkBuffer, NoPtrTag, "Lazy slow path call stub");
+        linkBuffer.link(exceptionJumps, m_exceptionTarget.retagged(slowPathTag, NearJumpPtrTag));
+    m_stub = FINALIZE_CODE_FOR(codeBlock, linkBuffer, slowPathTag, "Lazy slow path call stub");
 
-    MacroAssembler::repatchJump(m_patchableJump, CodeLocationLabel(m_stub.code()));
+    MacroAssembler::repatchJump(m_patchableJump.retagged(slowPathTag, NearJumpPtrTag), CodeLocationLabel(m_stub.retaggedCode(slowPathTag, NearJumpPtrTag)));
 }
 

trunk/Source/JavaScriptCore/ftl/FTLLazySlowPath.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -64 +64 @@
         return createSharedTask<GeneratorFunction>(functor);
     }
-    
-    LazySlowPath(
+
+    LazySlowPath() = default;
+
+    ~LazySlowPath();
+
+    void initialize(
         CodeLocationJump patchableJump, CodeLocationLabel done,
         CodeLocationLabel exceptionTarget, const RegisterSet& usedRegisters,
         CallSiteIndex, RefPtr<Generator>
         );
-
-    ~LazySlowPath();
 
     CodeLocationJump patchableJump() const { return m_patchableJump; }

trunk/Source/JavaScriptCore/ftl/FTLLink.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -141 +141 @@
             jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
             jit.storePtr(GPRInfo::callFrameRegister, &vm.topCallFrame);
-            CCallHelpers::Call callArityCheck = jit.call(NoPtrTag);
+            PtrTag callTag = ptrTag(FTLOperationPtrTag, nextPtrTagID());
+            CCallHelpers::Call callArityCheck = jit.call(callTag);
 
             auto noException = jit.branch32(CCallHelpers::GreaterThanOrEqual, GPRInfo::returnValueGPR, CCallHelpers::TrustedImm32(0));
@@ -147 +148 @@
             jit.move(CCallHelpers::TrustedImmPtr(&vm), GPRInfo::argumentGPR0);
             jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR1);
-            CCallHelpers::Call callLookupExceptionHandlerFromCallerFrame = jit.call(NoPtrTag);
+            PtrTag lookupTag = ptrTag(FTLOperationPtrTag, nextPtrTagID());
+            CCallHelpers::Call callLookupExceptionHandlerFromCallerFrame = jit.call(lookupTag);
             jit.jumpToExceptionHandler(vm);
             noException.link(&jit);
@@ -158 +160 @@
             jit.move(GPRInfo::returnValueGPR, GPRInfo::argumentGPR0);
             jit.emitFunctionEpilogue();
+            jit.untagReturnAddress();
             mainPathJumps.append(jit.branchTest32(CCallHelpers::Zero, GPRInfo::argumentGPR0));
             jit.emitFunctionPrologue();
-            CCallHelpers::Call callArityFixup = jit.call(NoPtrTag);
+            CCallHelpers::Call callArityFixup = jit.nearCall();
             jit.emitFunctionEpilogue();
+            jit.untagReturnAddress();
             mainPathJumps.append(jit.jump());
 
@@ -169 +173 @@
                 return;
             }
-            linkBuffer->link(callArityCheck, codeBlock->m_isConstructor ? operationConstructArityCheck : operationCallArityCheck);
-            linkBuffer->link(callLookupExceptionHandlerFromCallerFrame, lookupExceptionHandlerFromCallerFrame);
-            linkBuffer->link(callArityFixup, FunctionPtr((vm.getCTIStub(arityFixupGenerator)).code()));
+            linkBuffer->link(callArityCheck, FunctionPtr(codeBlock->m_isConstructor ? operationConstructArityCheck : operationCallArityCheck, callTag));
+            linkBuffer->link(callLookupExceptionHandlerFromCallerFrame, FunctionPtr(lookupExceptionHandlerFromCallerFrame, lookupTag));
+            linkBuffer->link(callArityFixup, FunctionPtr(vm.getCTIStub(arityFixupGenerator).retaggedCode(ptrTag(ArityFixupPtrTag, &vm), NearCallPtrTag)));
             linkBuffer->link(mainPathJumps, CodeLocationLabel(bitwise_cast<void*>(state.generatedFunction)));
         }
         
-        state.jitCode->initializeAddressForCall(MacroAssemblerCodePtr(bitwise_cast<void*>(state.generatedFunction)));
+        PtrTag entryTag = ptrTag(FTLCodePtrTag, codeBlock);
+        state.jitCode->initializeAddressForCall(MacroAssemblerCodePtr(retagCodePtr<void*>(state.generatedFunction, entryTag, CodeEntryPtrTag)));
         break;
     }
@@ -186 +191 @@
         CCallHelpers::Label start = jit.label();
         jit.emitFunctionEpilogue();
+        jit.untagReturnAddress();
         CCallHelpers::Jump mainPathJump = jit.jump();
         
@@ -195 +201 @@
         linkBuffer->link(mainPathJump, CodeLocationLabel(bitwise_cast<void*>(state.generatedFunction)));
 
-        state.jitCode->initializeAddressForCall(linkBuffer->locationOf(start));
+        state.jitCode->initializeAddressForCall(linkBuffer->locationOf(start, CodeEntryPtrTag));
         break;
     }

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -287 +287 @@
                     jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
                     jit.move(CCallHelpers::TrustedImmPtr(jit.codeBlock()), GPRInfo::argumentGPR1);
-                    CCallHelpers::Call throwCall = jit.call(NoPtrTag);
+                    PtrTag throwTag = ptrTag(FTLOperationPtrTag, nextPtrTagID());
+                    CCallHelpers::Call throwCall = jit.call(throwTag);
 
                     jit.move(CCallHelpers::TrustedImmPtr(vm), GPRInfo::argumentGPR0);
                     jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR1);
-                    CCallHelpers::Call lookupExceptionHandlerCall = jit.call(NoPtrTag);
+                    PtrTag lookupTag = ptrTag(FTLOperationPtrTag, nextPtrTagID());
+                    CCallHelpers::Call lookupExceptionHandlerCall = jit.call(lookupTag);
                     jit.jumpToExceptionHandler(*vm);
 
                     jit.addLinkTask(
                         [=] (LinkBuffer& linkBuffer) {
-                            linkBuffer.link(throwCall, FunctionPtr(operationThrowStackOverflowError));
-                            linkBuffer.link(lookupExceptionHandlerCall, FunctionPtr(lookupExceptionHandlerFromCallerFrame));
+                            linkBuffer.link(throwCall, FunctionPtr(operationThrowStackOverflowError, throwTag));
+                            linkBuffer.link(lookupExceptionHandlerCall, FunctionPtr(lookupExceptionHandlerFromCallerFrame, lookupTag));
                     });
                 });
@@ -364 +366 @@
                 jit.addLinkTask(
                     [=] (LinkBuffer& linkBuffer) {
-                        linkBuffer.link(jump, linkBuffer.locationOf(*exceptionHandler));
+                        linkBuffer.link(jump, linkBuffer.locationOf(*exceptionHandler, ExceptionHandlerPtrTag));
                     });
             });
@@ -7146 +7148 @@
                 jit.addLinkTask(
                     [=] (LinkBuffer& linkBuffer) {
+                        PtrTag linkTag = ptrTag(LinkCallPtrTag, vm);
                         MacroAssemblerCodePtr linkCall =
-                            vm->getCTIStub(linkCallThunkGenerator).code();
+                            vm->getCTIStub(linkCallThunkGenerator).retaggedCode(linkTag, NearCallPtrTag);
                         linkBuffer.link(slowCall, FunctionPtr(linkCall));
 
@@ -7295 +7298 @@
                             CodeLocationLabel patchableJumpLocation = linkBuffer.locationOf(patchableJump);
                             CodeLocationNearCall callLocation = linkBuffer.locationOfNearCall(call);
-                            CodeLocationLabel slowPathLocation = linkBuffer.locationOf(slowPath);
+                            CodeLocationLabel slowPathLocation = linkBuffer.locationOf(slowPath, SlowPathPtrTag);
                             
                             callLinkInfo->setCallLocations(
@@ -7343 +7346 @@
                             [=] (LinkBuffer& linkBuffer) {
                                 CodeLocationNearCall callLocation = linkBuffer.locationOfNearCall(call);
-                                CodeLocationLabel slowPathLocation = linkBuffer.locationOf(slowPath);
+                                CodeLocationLabel slowPathLocation = linkBuffer.locationOf(slowPath, NearCallPtrTag);
                                 
                                 linkBuffer.link(call, slowPathLocation);
@@ -7467 +7470 @@
                 jit.addLinkTask(
                     [=] (LinkBuffer& linkBuffer) {
+                        PtrTag linkTag = ptrTag(LinkCallPtrTag, vm);
                         MacroAssemblerCodePtr linkCall =
-                            vm->getCTIStub(linkCallThunkGenerator).code();
+                            vm->getCTIStub(linkCallThunkGenerator).retaggedCode(linkTag, NearCallPtrTag);
                         linkBuffer.link(slowCall, FunctionPtr(linkCall));
 
@@ -7611 +7615 @@
 
                 auto callWithExceptionCheck = [&] (void* callee) {
-                    jit.move(CCallHelpers::TrustedImmPtr(callee), GPRInfo::nonPreservedNonArgumentGPR0);
-                    jit.call(GPRInfo::nonPreservedNonArgumentGPR0, NoPtrTag);
+                    PtrTag tag = ptrTag(FTLOperationPtrTag, nextPtrTagID());
+                    jit.move(CCallHelpers::TrustedImmPtr(tagCFunctionPtr(callee, tag)), GPRInfo::nonPreservedNonArgumentGPR0);
+                    jit.call(GPRInfo::nonPreservedNonArgumentGPR0, tag);
                     exceptions->append(jit.emitExceptionCheck(*vm, AssemblyHelpers::NormalExceptionCheck, AssemblyHelpers::FarJumpWidth));
                 };
@@ -7766 +7771 @@
                 jit.addLinkTask(
                     [=] (LinkBuffer& linkBuffer) {
+                        PtrTag linkTag = ptrTag(LinkCallPtrTag, vm);
                         MacroAssemblerCodePtr linkCall =
-                            vm->getCTIStub(linkCallThunkGenerator).code();
+                            vm->getCTIStub(linkCallThunkGenerator).retaggedCode(linkTag, NearCallPtrTag);
                         linkBuffer.link(slowCall, FunctionPtr(linkCall));
                         
@@ -7950 +7956 @@
 
                 auto callWithExceptionCheck = [&] (void* callee) {
-                    jit.move(CCallHelpers::TrustedImmPtr(callee), GPRInfo::nonPreservedNonArgumentGPR0);
-                    jit.call(GPRInfo::nonPreservedNonArgumentGPR0, NoPtrTag);
+                    PtrTag tag = ptrTag(FTLOperationPtrTag, nextPtrTagID());
+                    jit.move(CCallHelpers::TrustedImmPtr(tagCFunctionPtr(callee, tag)), GPRInfo::nonPreservedNonArgumentGPR0);
+                    jit.call(GPRInfo::nonPreservedNonArgumentGPR0, tag);
                     exceptions->append(jit.emitExceptionCheck(*vm, AssemblyHelpers::NormalExceptionCheck, AssemblyHelpers::FarJumpWidth));
                 };
@@ -8049 +8056 @@
                 jit.addLinkTask(
                     [=] (LinkBuffer& linkBuffer) {
+                        PtrTag linkTag = ptrTag(LinkCallPtrTag, vm);
                         MacroAssemblerCodePtr linkCall =
-                            vm->getCTIStub(linkCallThunkGenerator).code();
+                            vm->getCTIStub(linkCallThunkGenerator).retaggedCode(linkTag, NearCallPtrTag);
                         linkBuffer.link(slowCall, FunctionPtr(linkCall));
                         
@@ -8138 +8146 @@
                 jit.subPtr(CCallHelpers::TrustedImm32(requiredBytes), CCallHelpers::stackPointerRegister);
                 jit.setupArguments<decltype(operationCallEval)>(GPRInfo::regT1);
-                jit.move(CCallHelpers::TrustedImmPtr(bitwise_cast<void*>(operationCallEval)), GPRInfo::nonPreservedNonArgumentGPR0);
-                jit.call(GPRInfo::nonPreservedNonArgumentGPR0, NoPtrTag);
+                PtrTag tag = ptrTag(FTLOperationPtrTag, nextPtrTagID());
+                jit.move(CCallHelpers::TrustedImmPtr(tagCFunctionPtr(operationCallEval, tag)), GPRInfo::nonPreservedNonArgumentGPR0);
+                jit.call(GPRInfo::nonPreservedNonArgumentGPR0, tag);
                 exceptions->append(jit.emitExceptionCheck(state->vm(), AssemblyHelpers::NormalExceptionCheck, AssemblyHelpers::FarJumpWidth));
                 
@@ -13958 +13967 @@
                         jit.addLinkTask(
                             [=] (LinkBuffer& linkBuffer) {
+                                PtrTag thunkTag = ptrTag(FTLLazySlowPathPtrTag, vm);
                                 linkBuffer.link(
                                     generatorJump, CodeLocationLabel(
                                         vm->getCTIStub(
-                                            lazySlowPathGenerationThunkGenerator).code()));
+                                            lazySlowPathGenerationThunkGenerator).retaggedCode(thunkTag, NearJumpPtrTag)));
                                 
+                                std::unique_ptr<LazySlowPath> lazySlowPath = std::make_unique<LazySlowPath>();
+
+                                PtrTag slowPathTag = ptrTag(FTLLazySlowPathPtrTag, bitwise_cast<PtrTag>(lazySlowPath.get()));
                                 CodeLocationJump linkedPatchableJump = CodeLocationJump(
-                                    linkBuffer.locationOf(patchableJump));
-                                CodeLocationLabel linkedDone = linkBuffer.locationOf(done);
+                                    linkBuffer.locationOf(patchableJump, slowPathTag));
+
+                                CodeLocationLabel linkedDone = linkBuffer.locationOf(done, slowPathTag);
 
                                 CallSiteIndex callSiteIndex =
                                     jitCode->common.addUniqueCallSiteIndex(origin);
                                     
-                                std::unique_ptr<LazySlowPath> lazySlowPath =
-                                    std::make_unique<LazySlowPath>(
+                                lazySlowPath->initialize(
                                         linkedPatchableJump, linkedDone,
-                                        exceptionTarget->label(linkBuffer), usedRegisters,
+                                        exceptionTarget->label(linkBuffer, slowPathTag), usedRegisters,
                                         callSiteIndex, generator);
                                     

trunk/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp

@@ -177 +177 @@
 
 static void compileStub(
-    unsigned exitID, JITCode* jitCode, OSRExit& exit, VM* vm, CodeBlock* codeBlock)
+    unsigned exitID, JITCode* jitCode, OSRExit& exit, VM* vm, CodeBlock* codeBlock, PtrTag exitSiteTag)
 {
     // This code requires framePointerRegister is the same as callFrameRegister
@@ -339 +339 @@
                 CCallHelpers::TrustedImmPtr(materialization),
                 CCallHelpers::TrustedImmPtr(materializationArguments));
-            jit.move(CCallHelpers::TrustedImmPtr(bitwise_cast<void*>(operationMaterializeObjectInOSR)), GPRInfo::nonArgGPR0);
-            jit.call(GPRInfo::nonArgGPR0, NoPtrTag);
+            PtrTag tag = ptrTag(FTLOperationPtrTag, nextPtrTagID());
+            jit.move(CCallHelpers::TrustedImmPtr(tagCFunctionPtr(operationMaterializeObjectInOSR, tag)), GPRInfo::nonArgGPR0);
+            jit.call(GPRInfo::nonArgGPR0, tag);
             jit.storePtr(GPRInfo::returnValueGPR, materializationToPointer.get(materialization));
 
@@ -367 +368 @@
             CCallHelpers::TrustedImmPtr(materializationToPointer.get(materialization)),
             CCallHelpers::TrustedImmPtr(materializationArguments));
-        jit.move(CCallHelpers::TrustedImmPtr(bitwise_cast<void*>(operationPopulateObjectInOSR)), GPRInfo::nonArgGPR0);
-        jit.call(GPRInfo::nonArgGPR0, NoPtrTag);
+        PtrTag tag = ptrTag(FTLOperationPtrTag, nextPtrTagID());
+        jit.move(CCallHelpers::TrustedImmPtr(tagCFunctionPtr(operationPopulateObjectInOSR, tag)), GPRInfo::nonArgGPR0);
+        jit.call(GPRInfo::nonArgGPR0, tag);
     }
 
@@ -495 +497 @@
     exit.m_code = FINALIZE_CODE_IF(
         shouldDumpDisassembly() || Options::verboseOSR() || Options::verboseFTLOSRExit(),
-        patchBuffer, NoPtrTag,
+        patchBuffer, exitSiteTag,
         "FTL OSR exit #%u (%s, %s) from %s, with operands = %s",
             exitID, toCString(exit.m_codeOrigin).data(),
@@ -543 +545 @@
     prepareCodeOriginForOSRExit(exec, exit.m_codeOrigin);
 
-    compileStub(exitID, jitCode, exit, &vm, codeBlock);
+    PtrTag thunkTag = ptrTag(FTLOSRExitPtrTag, &exit);
+    compileStub(exitID, jitCode, exit, &vm, codeBlock, thunkTag);
 
     MacroAssembler::repatchJump(
-        exit.codeLocationForRepatch(codeBlock), CodeLocationLabel(exit.m_code.code()));
-    
-    return exit.m_code.code().executableAddress();
+        exit.codeLocationForRepatch(codeBlock), CodeLocationLabel(exit.m_code.retaggedCode(thunkTag, NearJumpPtrTag)));
+    
+    return exit.m_code.retaggedCode(thunkTag, bitwise_cast<PtrTag>(exec)).executableAddress();
 }
 

trunk/Source/JavaScriptCore/ftl/FTLOSRExitHandle.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -50 +50 @@
             self->exit.m_patchableJump = CodeLocationJump(linkBuffer.locationOf(jump));
 
+            PtrTag thunkTag = ptrTag(FTLOSRExitPtrTag, &vm);
             linkBuffer.link(
                 jump.m_jump,
-                CodeLocationLabel(vm.getCTIStub(osrExitGenerationThunkGenerator).code()));
+                CodeLocationLabel(vm.getCTIStub(osrExitGenerationThunkGenerator).retaggedCode(thunkTag, NearJumpPtrTag)));
             if (compilation)
                 compilation->addOSRExitSite({ linkBuffer.locationOf(myLabel).executableAddress() });

trunk/Source/JavaScriptCore/ftl/FTLOperations.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2014-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -582 +582 @@
     lazySlowPath.generate(codeBlock);
 
-    return lazySlowPath.stub().code().executableAddress();
+    PtrTag slowPathTag = ptrTag(FTLLazySlowPathPtrTag, bitwise_cast<PtrTag>(&lazySlowPath));
+    return lazySlowPath.stub().retaggedCode(slowPathTag, bitwise_cast<PtrTag>(exec)).executableAddress();
 }
 

trunk/Source/JavaScriptCore/ftl/FTLOutput.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -402 +402 @@
     {
         return m_block->appendNew<B3::CCallValue>(m_proc, type, origin(), B3::Effects::none(),
-            constIntPtr(bitwise_cast<void*>(function)), arg1, args...);
-    }
-
+            constIntPtr(tagCFunctionPtr<void*>(function, B3CCallPtrTag)), arg1, args...);
+    }
+
+    // FIXME: Consider enhancing this to allow the client to choose the target PtrTag to use.
+    // https://bugs.webkit.org/show_bug.cgi?id=184324
     template<typename FunctionType>
-    LValue operation(FunctionType function) { return constIntPtr(bitwise_cast<void*>(function)); }
+    LValue operation(FunctionType function) { return constIntPtr(tagCFunctionPtr<void*>(function, B3CCallPtrTag)); }
 
     void jump(LBasicBlock);

trunk/Source/JavaScriptCore/ftl/FTLPatchpointExceptionHandle.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -92 +92 @@
                     newHandler.start = callSiteIndex.bits();
                     newHandler.end = callSiteIndex.bits() + 1;
-                    newHandler.nativeCode = linkBuffer.locationOf(handle->label);
+                    newHandler.nativeCode = linkBuffer.locationOf(handle->label, ExceptionHandlerPtrTag);
                     codeBlock->appendExceptionHandler(newHandler);
                 });

trunk/Source/JavaScriptCore/ftl/FTLSlowPathCall.cpp

@@ -123 +123 @@
     void* executableAddress = callTarget.executableAddress();
     assertIsCFunctionPtr(executableAddress);
-    SlowPathCall result = SlowPathCall(m_jit.call(NoPtrTag), keyWithTarget(executableAddress));
+    SlowPathCallKey key = keyWithTarget(executableAddress);
+    PtrTag callTag = key.callPtrTag();
+    SlowPathCall result = SlowPathCall(m_jit.call(callTag), key);
 
     m_jit.addLinkTask(

trunk/Source/JavaScriptCore/ftl/FTLSlowPathCallKey.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -28 +28 @@
 #if ENABLE(FTL_JIT)
 
+#include "PtrTag.h"
 #include "RegisterSet.h"
 
@@ -67 +68 @@
     SlowPathCallKey withCallTarget(void* callTarget)
     {
+        assertIsTaggedWith(callTarget, CFunctionPtrTag);
         return SlowPathCallKey(usedRegisters(), callTarget, argumentRegisters(), offset());
     }
@@ -103 +105 @@
     }
 
+    PtrTag callPtrTag() const
+    {
+        // We should only include factors which are invariant for the same slow path site.
+        // m_callTarget can vary and should be excluded.
+        return ptrTag(FTLSlowPathPtrTag, m_usedRegisters.hash(), m_offset);
+    }
+
 private:
     RegisterSet m_usedRegisters;

trunk/Source/JavaScriptCore/ftl/FTLThunks.cpp

@@ -48 +48 @@
 
 static MacroAssemblerCodeRef genericGenerationThunkGenerator(
-    VM* vm, FunctionPtr generationFunction, const char* name, unsigned extraPopsToRestore, FrameAndStackAdjustmentRequirement frameAndStackAdjustmentRequirement)
+    VM* vm, FunctionPtr generationFunction, PtrTag resultThunkTag, const char* name, unsigned extraPopsToRestore, FrameAndStackAdjustmentRequirement frameAndStackAdjustmentRequirement)
 {
     AssemblyHelpers jit(nullptr);
@@ -87 +87 @@
         GPRInfo::argumentGPR1,
         (stackMisalignment - MacroAssembler::pushToSaveByteOffset()) / sizeof(void*));
-    MacroAssembler::Call functionCall = jit.call(NoPtrTag);
+    PtrTag generatorCallTag = ptrTag(FTLOperationPtrTag, nextPtrTagID());
+    MacroAssembler::Call functionCall = jit.call(generatorCallTag);
     
     // At this point we want to make a tail call to what was returned to us in the
@@ -116 +117 @@
     restoreAllRegisters(jit, buffer);
 
+#if CPU(ARM64) && USE(POINTER_PROFILING)
+    jit.untagPtr(AssemblyHelpers::linkRegister, GPRInfo::callFrameRegister);
+    jit.tagReturnAddress();
+#endif
     jit.ret();
     
     LinkBuffer patchBuffer(jit, GLOBAL_THUNK_ID);
-    patchBuffer.link(functionCall, generationFunction);
-    return FINALIZE_CODE(patchBuffer, NoPtrTag, "%s", name);
+    patchBuffer.link(functionCall, FunctionPtr(generationFunction, generatorCallTag));
+    return FINALIZE_CODE(patchBuffer, resultThunkTag, "%s", name);
 }
 
@@ -126 +131 @@
 {
     unsigned extraPopsToRestore = 0;
-    PtrTag tag = ptrTag(JITThunkPtrTag, nextPtrTagID());
+    PtrTag thunkTag = ptrTag(FTLOSRExitPtrTag, vm);
     return genericGenerationThunkGenerator(
-        vm, FunctionPtr(compileFTLOSRExit, tag), "FTL OSR exit generation thunk", extraPopsToRestore, FrameAndStackAdjustmentRequirement::Needed);
+        vm, FunctionPtr(compileFTLOSRExit), thunkTag, "FTL OSR exit generation thunk", extraPopsToRestore, FrameAndStackAdjustmentRequirement::Needed);
 }
 
@@ -134 +139 @@
 {
     unsigned extraPopsToRestore = 1;
-    PtrTag tag = ptrTag(JITThunkPtrTag, nextPtrTagID());
+    PtrTag thunkTag = ptrTag(FTLLazySlowPathPtrTag, vm);
     return genericGenerationThunkGenerator(
-        vm, FunctionPtr(compileFTLLazySlowPath, tag), "FTL lazy slow path generation thunk", extraPopsToRestore, FrameAndStackAdjustmentRequirement::NotNeeded);
+        vm, FunctionPtr(compileFTLLazySlowPath), thunkTag, "FTL lazy slow path generation thunk", extraPopsToRestore, FrameAndStackAdjustmentRequirement::NotNeeded);
 }
 
@@ -170 +175 @@
 {
     AssemblyHelpers jit(nullptr);
-    
+    jit.tagReturnAddress();
+
     // We want to save the given registers at the given offset, then we want to save the
     // old return address somewhere past that offset, and then finally we want to make the
@@ -200 +206 @@
     registerClobberCheck(jit, key.argumentRegisters());
     
-    PtrTag callTag = ptrTag(JITThunkPtrTag, nextPtrTagID());
+    PtrTag callTag = ptrTag(FTLOperationPtrTag, nextPtrTagID());
     AssemblyHelpers::Call call = jit.call(callTag);
 
@@ -228 +234 @@
     LinkBuffer patchBuffer(jit, GLOBAL_THUNK_ID);
     patchBuffer.link(call, FunctionPtr(key.callTarget(), callTag));
-    return FINALIZE_CODE(patchBuffer, NoPtrTag, "FTL slow path call thunk for %s", toCString(key).data());
+    return FINALIZE_CODE(patchBuffer, key.callPtrTag(), "FTL slow path call thunk for %s", toCString(key).data());
 }
 

trunk/Source/JavaScriptCore/jit/JITMathIC.h

@@ -145 +145 @@
 
         auto replaceCall = [&] () {
-            PtrTag tag = ptrTag(MathICPtrTag, m_instruction);
-            ftlThunkAwareRepatchCall(codeBlock, slowPathCallLocation(), FunctionPtr(callReplacement, tag));
+            PtrTag callTag = ptrTag(MathICPtrTag, m_instruction);
+            ftlThunkAwareRepatchCall(codeBlock, slowPathCallLocation(), callReplacement, callTag);
         };
 
@@ -229 +229 @@
             start, linkBuffer.locationOf(state.slowPathCall));
         m_deltaFromStartToSlowPathStart = MacroAssembler::differenceBetweenCodePtr(
-            start, linkBuffer.locationOf(state.slowPathStart, NoPtrTag));
+            start, linkBuffer.locationOf(state.slowPathStart));
     }
 

trunk/Source/JavaScriptCore/jit/Repatch.cpp

@@ -67 +67 @@
 namespace JSC {
 
-static FunctionPtr readCallTarget(CodeBlock* codeBlock, CodeLocationCall call)
-{
-    FunctionPtr result = MacroAssembler::readCallTarget(call);
+static FunctionPtr readPutICCallTarget(CodeBlock* codeBlock, CodeLocationCall call)
+{
+    FunctionPtr target = MacroAssembler::readCallTarget(call);
 #if ENABLE(FTL_JIT)
     if (codeBlock->jitType() == JITCode::FTLJIT) {
-        return FunctionPtr(codeBlock->vm()->ftlThunks->keyForSlowPathCallThunk(
-            MacroAssemblerCodePtr::createFromExecutableAddress(
-                result.executableAddress())).callTarget(), CodeEntryPtrTag);
+        MacroAssemblerCodePtr slowPathThunk = MacroAssemblerCodePtr::createFromExecutableAddress(target.executableAddress());
+        auto* callTarget = codeBlock->vm()->ftlThunks->keyForSlowPathCallThunk(slowPathThunk).callTarget();
+        return FunctionPtr(callTarget, CFunctionPtrTag);
     }
 #else
     UNUSED_PARAM(codeBlock);
 #endif // ENABLE(FTL_JIT)
-    return result;
-}
-
-void ftlThunkAwareRepatchCall(CodeBlock* codeBlock, CodeLocationCall call, FunctionPtr newCalleeFunction)
+    return FunctionPtr(untagCFunctionPtr(target.executableAddress(), PutPropertyPtrTag), CFunctionPtrTag);
+}
+
+void ftlThunkAwareRepatchCall(CodeBlock* codeBlock, CodeLocationCall call, FunctionPtr newCalleeFunction, PtrTag callTag)
 {
 #if ENABLE(FTL_JIT)
@@ -88 +88 @@
         VM& vm = *codeBlock->vm();
         FTL::Thunks& thunks = *vm.ftlThunks;
-        FTL::SlowPathCallKey key = thunks.keyForSlowPathCallThunk(
-            MacroAssemblerCodePtr::createFromExecutableAddress(
-                MacroAssembler::readCallTarget(call).executableAddress()));
+        FunctionPtr target = MacroAssembler::readCallTarget(call);
+        MacroAssemblerCodePtr slowPathThunk = MacroAssemblerCodePtr::createFromExecutableAddress(target.executableAddress());
+        FTL::SlowPathCallKey key = thunks.keyForSlowPathCallThunk(slowPathThunk);
         key = key.withCallTarget(newCalleeFunction.executableAddress());
         newCalleeFunction = FunctionPtr(thunks.getSlowPathCallThunk(key).code());
+        assertIsTaggedWith(newCalleeFunction.executableAddress(), key.callPtrTag());
+        MacroAssembler::repatchCall(call, newCalleeFunction);
+        return;
     }
 #else // ENABLE(FTL_JIT)
     UNUSED_PARAM(codeBlock);
 #endif // ENABLE(FTL_JIT)
-    MacroAssembler::repatchCall(call, newCalleeFunction);
+    MacroAssembler::repatchCall(call, FunctionPtr(newCalleeFunction, callTag));
 }
 
@@ -208 +211 @@
                     bool generatedCodeInline = InlineAccess::generateArrayLength(stubInfo, jsCast<JSArray*>(baseCell));
                     if (generatedCodeInline) {
-                        ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation(), FunctionPtr(appropriateOptimizingGetByIdFunction(kind), GetPropertyPtrTag));
+                        ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation(), appropriateOptimizingGetByIdFunction(kind), GetPropertyPtrTag);
                         stubInfo.initArrayLength();
                         return RetryCacheLater;
@@ -265 +268 @@
                     LOG_IC((ICEvent::GetByIdSelfPatch, structure->classInfo(), propertyName));
                     structure->startWatchingPropertyForReplacements(vm, slot.cachedOffset());
-                    ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation(), FunctionPtr(appropriateOptimizingGetByIdFunction(kind), GetPropertyPtrTag));
+                    ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation(), appropriateOptimizingGetByIdFunction(kind), GetPropertyPtrTag);
                     stubInfo.initGetByIdSelf(codeBlock, structure, slot.cachedOffset());
                     return RetryCacheLater;
@@ -389 +392 @@
     if (tryCacheGetByID(exec, baseValue, propertyName, slot, stubInfo, kind) == GiveUpOnCache) {
         CodeBlock* codeBlock = exec->codeBlock();
-        ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation(), FunctionPtr(appropriateGetByIdFunction(kind), GetPropertyPtrTag));
+        ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation(), appropriateGetByIdFunction(kind), GetPropertyPtrTag);
     }
 }
@@ -461 +464 @@
                     if (generatedCodeInline) {
                         LOG_IC((ICEvent::PutByIdSelfPatch, structure->classInfo(), ident));
-                        ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation(), FunctionPtr(appropriateOptimizingPutByIdFunction(slot, putKind), PutPropertyPtrTag));
+                        ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation(), appropriateOptimizingPutByIdFunction(slot, putKind), PutPropertyPtrTag);
                         stubInfo.initPutByIdReplace(codeBlock, structure, slot.cachedOffset());
                         return RetryCacheLater;
@@ -595 +598 @@
     if (tryCachePutByID(exec, baseValue, structure, propertyName, slot, stubInfo, putKind) == GiveUpOnCache) {
         CodeBlock* codeBlock = exec->codeBlock();
-        ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation(), FunctionPtr(appropriateGenericPutByIdFunction(slot, putKind), PutPropertyPtrTag));
+        ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation(), appropriateGenericPutByIdFunction(slot, putKind), PutPropertyPtrTag);
     }
 }
@@ -684 +687 @@
     SuperSamplerScope superSamplerScope(false);
     if (tryCacheIn(exec, base, ident, wasFound, slot, stubInfo) == GiveUpOnCache)
-        ftlThunkAwareRepatchCall(exec->codeBlock(), stubInfo.slowPathCallLocation(), operationIn);
+        ftlThunkAwareRepatchCall(exec->codeBlock(), stubInfo.slowPathCallLocation(), operationIn, CFunctionPtrTag);
 }
 
@@ -1137 +1140 @@
 void resetGetByID(CodeBlock* codeBlock, StructureStubInfo& stubInfo, GetByIDKind kind)
 {
-    ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation(), FunctionPtr(appropriateOptimizingGetByIdFunction(kind), GetPropertyPtrTag));
+    ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation(), appropriateOptimizingGetByIdFunction(kind), GetPropertyPtrTag);
     InlineAccess::rewireStubAsJump(stubInfo, stubInfo.slowPathStartLocation());
 }
@@ -1143 +1146 @@
 void resetPutByID(CodeBlock* codeBlock, StructureStubInfo& stubInfo)
 {
-    V_JITOperation_ESsiJJI unoptimizedFunction = untagCFunctionPtr<V_JITOperation_ESsiJJI>(readCallTarget(codeBlock, stubInfo.slowPathCallLocation()).executableAddress(), PutPropertyPtrTag);
+    V_JITOperation_ESsiJJI unoptimizedFunction = reinterpret_cast<V_JITOperation_ESsiJJI>(readPutICCallTarget(codeBlock, stubInfo.slowPathCallLocation()).executableAddress());
     V_JITOperation_ESsiJJI optimizedFunction;
     if (unoptimizedFunction == operationPutByIdStrict || unoptimizedFunction == operationPutByIdStrictOptimize)
@@ -1156 +1159 @@
     }
 
-    ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation(), FunctionPtr(optimizedFunction, PutPropertyPtrTag));
+    ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation(), optimizedFunction, PutPropertyPtrTag);
     InlineAccess::rewireStubAsJump(stubInfo, stubInfo.slowPathStartLocation());
 }

trunk/Source/JavaScriptCore/jit/Repatch.h

@@ -55 +55 @@
 void resetPutByID(CodeBlock*, StructureStubInfo&);
 void resetIn(CodeBlock*, StructureStubInfo&);
-void ftlThunkAwareRepatchCall(CodeBlock*, CodeLocationCall, FunctionPtr newCalleeFunction);
+void ftlThunkAwareRepatchCall(CodeBlock*, CodeLocationCall, FunctionPtr newCalleeFunction, PtrTag callTag);
 
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/PtrTag.h

@@ -46 +46 @@
     v(DFGOperationPtrTag) \
     v(ExceptionHandlerPtrTag) \
+    v(FTLCodePtrTag) \
+    v(FTLLazySlowPathPtrTag) \
+    v(FTLOSRExitPtrTag) \
+    v(FTLOperationPtrTag) \
+    v(FTLSlowPathPtrTag) \
     v(GetPropertyPtrTag) \
     v(GetterSetterPtrTag) \
@@ -67 +72 @@
     v(SwitchTablePtrTag) \
     v(ThrowExceptionPtrTag) \
-    \
     v(Yarr8BitPtrTag) \
     v(Yarr16BitPtrTag) \
@@ -73 +77 @@
     v(YarrMatchOnly16BitPtrTag) \
     v(YarrBacktrackPtrTag) \
-    \
     v(WasmCallPtrTag) \
     v(WasmHelperPtrTag) \